Configure Primary Key Algorithm

GnuPG lets you set algorithm preferences on your key for symmetric ciphers (encryption/decryption), digests (secure checksums), and compression. In older GnuPG versions the default preference list was outdated, so you need to update it yourself. This section guides you through configuring your primary key's algorithm preferences.

Verify Your Primary "Certify" Key Is Available

Advanced users who deleted their "certify" capability secret key from the keyring need to restore it before proceeding, because editing the key requires it. You can verify it is present with the following command:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

Look for the key with the [C] capability and check that its sec label is not followed by a hash ("sec#", which means only a stub of the secret key is present). If it is, restore the secret key from your backup copy with the following command:

$ gpg --import /path/to/your/key.asc

Set Algorithms

Once done, it's time to set the algorithms.

Obtain Your Primary Key ID

Start by obtaining your primary key ID. Run the following command and find your key in the listing:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb   cv25519 2020-01-10 [E] [expires: 2022-01-09]

You want the 40-character fingerprint printed under the [C] key. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.


Edit Primary Key

With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:

$ gpg --expert --edit-key <key-id>

From the example above, it is:

$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF

You will be presented with the gpg key editor's main menu. It looks something like:

gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/F5EF57A0FB4EF0EF
     created: 2020-01-10  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/66F2E45747AB2C90
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  rsa4096/9D485C5208D0859F
     created: 2020-01-10  expires: 2022-01-09  usage: E   
ssb  rsa4096/90939A7DBBFC226D
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  ed25519/16972F736B59F874
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  ed25519/D22D6E1FD575E506
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  cv25519/25252612A403B41C
     created: 2020-01-10  expires: 2022-01-09  usage: E   
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2)  "Shotgun" John, Smith (Main ID) <john.smith@email.com>

gpg> 


Show Current Preference

Now check the current preferences with the showpref command:

gpg> showpref
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
     Cipher: AES256, AES192, AES, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2)  "Shotgun" John, Smith (Main ID) <john.smith@email.com>
     Cipher: AES256, AES192, AES, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
gpg> 


Set Preference

With that in mind, we can now set the preferences using the setpref command. Before we do, we need to prepare the list of algorithm names, most preferred first within each group, in this order:

<hash 1> <hash 2> ... <hash n> <cipher 1> <cipher 2> ... <cipher n> <comp 1> <comp 2> ... <comp n>

If the primary key is passphrase protected, GPG may ask for the passphrase, because the new preferences are written into a self-signature made with the primary key.

Once the list is ready, issue it with setpref. You will be prompted for confirmation; answer y to confirm. Note that GnuPG appends 3DES and SHA1 to the list if they are missing, because RFC 4880 requires every implementation to support them; that is why they appear in the output below even though they were not typed in.

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y
gpg: WARNING: no user ID has been marked as primary.  This command may
              cause a different user ID to become the assumed primary.

sec  rsa4096/F5EF57A0FB4EF0EF
     created: 2020-01-10  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/66F2E45747AB2C90
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  rsa4096/9D485C5208D0859F
     created: 2020-01-10  expires: 2022-01-09  usage: E   
ssb  rsa4096/90939A7DBBFC226D
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  ed25519/16972F736B59F874
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  ed25519/D22D6E1FD575E506
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  cv25519/25252612A403B41C
     created: 2020-01-10  expires: 2022-01-09  usage: E   
[ultimate] (1)  "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2). "Shotgun" John, Smith (Main ID) <john.smith@email.com>

gpg> 


Confirm New Changes

Now that the editing is complete, confirm the changes by running showpref again and check that the preferences now list the algorithms you specified.

Once you're done, quit the interface. You will be asked whether to save changes; answer y to confirm. If the preferences are not what you expected, restart the whole sequence.

gpg> showpref
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
     Cipher: AES256, AES192, AES, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2)  "Shotgun" John, Smith (Main ID) <john.smith@email.com>
     Cipher: AES256, AES192, AES, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
gpg> quit
Save changes? (y/N) y
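
The whole sequence above, as an added example that is not part of the original guide: a POSIX shell script with a parser for the gpg --list-secret-keys listing that returns the [C] key's fingerprint and flags a "sec#" stub, plus a function that feeds setpref, the confirmation and save to gpg through --command-fd instead of the interactive menu. The preference list (without the guide's CAST5 entry) and the gpg 2.2 listing layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the original guide. Assumes gpg 2.2.x on PATH and the
# listing layout shown above; the preference list is an illustrative choice.

# Read `gpg --list-secret-keys` output on stdin and print the fingerprint of
# the first secret key with the [C] capability. Exit 2 if that key is only a
# stub ("sec#", secret part missing), exit 1 if no [C] key is listed.
certify_fingerprint() {
    awk '
        /^sec#/ && /\[C\]/ { stub = 1; want = 1; next }
        /^sec /  && /\[C\]/ { stub = 0; want = 1; next }
        /^(sec|ssb|uid)/    { want = 0 }
        want && /^[[:space:]]*[0-9A-F]+$/ {
            gsub(/[[:space:]]/, "")
            if (length($0) == 40) { print; found = 1; exit }
        }
        END { if (stub) exit 2; if (!found) exit 1 }
    '
}

# Drive the key editor non-interactively: GnuPG reads menu commands and prompt
# answers from --command-fd, so "y" answers "Really update the preferences?"
# and "save" commits the new self-signature (a passphrase prompt still applies).
apply_prefs() {
    fpr=$1; shift
    printf 'setpref %s\ny\nsave\n' "$*" |
        gpg --batch --expert --command-fd 0 --status-fd 2 --edit-key "$fpr"
}

# Digests first, then ciphers, then compression, as the guide orders them.
# 3DES and SHA1 need not be listed; GnuPG appends them (RFC 4880 requires them).
PREFS="SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed"

main() {
    fpr=$(gpg --list-secret-keys | certify_fingerprint) || {
        case $? in
            2) echo "certify key is a stub (sec#): import your backup first" >&2 ;;
            *) echo "no secret key with [C] capability found" >&2 ;;
        esac
        return 1
    }
    apply_prefs "$fpr" $PREFS
    # Confirm the result with showpref, then quit (nothing left to save).
    printf 'showpref\nquit\n' | gpg --batch --command-fd 0 --edit-key "$fpr"
}

# Only touch the keyring when explicitly asked:  sh this_script.sh apply
case "${1:-}" in
    apply) main ;;
esac
```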


Update Your New Public Key

Now that your preferences are set, upload the updated public key to the key server or re-distribute it to all your recipients. This is necessary because the preferences live in the public key's self-signature: the fingerprint is unchanged, but the copy your recipients already hold still carries the old preferences. How to distribute the key is outside this section's scope; see "Distribute" in the index page.

That's all for configuring GPG primary key algorithms.