Configure Primary Key Algorithm
GnuPG allows you to set algorithm preferences for the cipher (encryption/decryption), digest (secure checksum), and compression algorithms. In older GnuPG versions the default preference lists were outdated, so you should update them. This section guides you through configuring the primary key's algorithm preferences.
Verify Your Primary "Certify" Key Is Available
If you are an advanced user who deleted the secret key that carries the "certify" capability, you need to restore it before you can create or edit keys. You can verify whether it is present with the following command:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want to see the key with the [C] capability, and its sec label must not carry a hash ("sec#"). If it does, the secret key is only a stub: restore it by loading your backup copy with the following command:
$ gpg --import /path/to/your/key.asc
Set Algorithms
Once done, it's time to set the algorithms.
Obtain Your Primary Key ID
Start by obtaining your primary key ID. List your secret keys with the following command and find your key:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]
You want the long string (the full fingerprint) under the [C] key. In the example above, it is AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.
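The two checks above (is the certify-capable primary key present as a real secret key rather than a "sec#" stub, and what is its fingerprint) can be automated against GnuPG's machine-readable listing, gpg --list-secret-keys --with-colons. The script below is an added example, not part of the original page or of GnuPG itself. It relies on the colon-format field layout documented in GnuPG's doc/DETAILS file; the sample listings it parses are constructed for the example (the key ID, fingerprint and user ID echo the page's example, the grp and uid hashes are zeroed placeholders), so it runs without a keyring.

```shell
#!/bin/sh
# Added example (not part of the original page): parse the machine-readable
# output of `gpg --list-secret-keys --with-colons` to find the primary key
# with the certify capability, print its fingerprint, and tell a real secret
# key apart from a stub (shown as "sec#" in the human-readable listing).
#
# Colon-format fields used (GnuPG doc/DETAILS):
#   $1  record type: sec = primary secret key, ssb = subkey, fpr = fingerprint
#   $12 capabilities: lowercase letters (c s e a) are this key's own
#   $15 token field: '#' on sec/ssb marks a stub whose secret key is absent
#   $10 of an fpr record: the fingerprint of the key record just before it

# Usage: gpg --list-secret-keys --with-colons | find_certify_key
# Prints the fingerprint of the certify-capable primary key.
# Exit status: 0 secret key available, 1 stub only, 2 no certify key found.
find_certify_key() {
    awk -F: '
        $1 == "sec" {
            stub = ($15 == "#")
            cert = (index($12, "c") > 0)
            want = 1            # the next fpr record belongs to this sec
            next
        }
        $1 == "fpr" && want {
            want = 0
            if (cert) {
                found = 1
                print $10
                exit (stub ? 1 : 0)
            }
            next
        }
        { want = 0 }            # any other record ends the sec/fpr pair
        END { if (!found) exit 2 }
    '
}

# Constructed sample listing (not a real keyring). Key ID, fingerprint and
# user ID echo the page's example; the grp/uid hashes are zeroed placeholders.
SAMPLE_OK='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::+:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1578614400::0000000000000000000000000000000000000000::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s:::+:::23:
fpr:::::::::00000000000000000000000066F2E45747AB2C90:'

# The same keyring after the primary secret key was deleted: field 15 of the
# sec record is '#', which the human-readable listing shows as "sec#".
SAMPLE_STUB='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::#:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1578614400::0000000000000000000000000000000000000000::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s:::+:::23:
fpr:::::::::00000000000000000000000066F2E45747AB2C90:'

printf '%s\n' "$SAMPLE_OK" | find_certify_key && echo "certify secret key present"
printf '%s\n' "$SAMPLE_STUB" | find_certify_key || echo "certify key is a stub (status $?)"
```

On a live system, replace the printf with gpg --list-secret-keys --with-colons; a status of 1 means the backup import described above is needed before the key can be edited.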
Edit Primary Key
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>
From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
You will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
Show Current Preference
Now, let's check the current preferences with the showpref command:
gpg> showpref
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
gpg>
Set Preference
With that in mind, we can now set the preferences with the setpref command. Before we do, we need to write the list in this order:
<hash 1> <hash 2> ... <hash n> <cipher 1> <cipher 2> ... <cipher n> <comp 1> <comp 2> ... <comp n>
If the primary key is passphrase protected, GPG may ask for the passphrase to authorize the change.
Once the list is ready, issue it with setpref. You will be prompted for confirmation; answer y to confirm.
gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y
gpg: WARNING: no user ID has been marked as primary. This command may
cause a different user ID to become the assumed primary.
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1) "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2). "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
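Because setpref takes the whole list in one line and GnuPG only complains about unknown names, it is easy to put a cipher before a digest or to carry a legacy algorithm into a new list. The shell function below is an added example (not from the original page or from GnuPG): it checks a candidate list against the order given above (digests, then ciphers, then compression) and flags legacy algorithms. The algorithm names are GnuPG's own spellings; which ones count as legacy is this example's own judgement. Note that the page's transcript shows GnuPG appending 3DES and SHA1 itself, because they are OpenPGP's mandatory fallbacks, so there is no need to list them.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity-check a setpref list
# before typing it into the gpg> prompt. It enforces the documented order
# (digests, then ciphers, then compression) and flags legacy algorithms.
# The algorithm names are GnuPG's spellings; the LEGACY set is this
# example's own choice, not something the page or GnuPG states.

DIGESTS="SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 MD5"
CIPHERS="AES256 AES192 AES CAMELLIA256 CAMELLIA192 CAMELLIA128 TWOFISH 3DES CAST5 BLOWFISH IDEA"
COMPRESS="ZLIB BZIP2 ZIP Uncompressed"
LEGACY="SHA1 RIPEMD160 MD5 3DES CAST5 BLOWFISH IDEA"

# in_list WORD "LIST": succeed if WORD is one of the space-separated LIST items
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# lint_setpref "<pref list>": print one line per problem, return the count
lint_setpref() {
    stage=0     # 0 = digests, 1 = ciphers, 2 = compression
    problems=0
    for tok in $1; do
        if in_list "$tok" "$DIGESTS"; then want=0
        elif in_list "$tok" "$CIPHERS"; then want=1
        elif in_list "$tok" "$COMPRESS"; then want=2
        else
            echo "unknown algorithm: $tok"
            problems=$((problems + 1))
            continue
        fi
        # A token from an earlier category after a later one breaks the order.
        if [ "$want" -lt "$stage" ]; then
            echo "out of order: $tok (digests, then ciphers, then compression)"
            problems=$((problems + 1))
        fi
        stage=$want
        if in_list "$tok" "$LEGACY"; then
            echo "legacy algorithm listed: $tok"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# The page's own list: correctly ordered, but it carries CAST5.
lint_setpref "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" \
    || echo "$? problem(s) found"
```

Run it on the list you intend to paste after setpref; an exit status of 0 means the list is in the documented order and free of the legacy names above.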
Confirm New Changes
Now that you have completed the editing, confirm the changes by using the showpref command again. This time, check that the preferences have changed to the algorithms you specified.
Once you're done, quit the interface. You may be asked to save the changes; answer y to confirm. Otherwise, restart the whole sequence.
gpg> showpref
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
Cipher: AES256, AES192, AES, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
gpg> quit
Save changes? (y/N) y
Update Your New Public Key
Now that your preferences are set, you need to upload the updated public key to the key server or redistribute it to all your recipients. This is because the preferences are carried in the public key (the fingerprint stays the same), so recipients need the new copy. How to distribute it is outside this section's scope; see "Distribute" in the index page.
That's all for configuring GPG primary key algorithms.