GnuPG Configuration

I want to use PGP securely so need tips from you guys/gals. Currently I’m using GPG for OpenPGP implementation but have very little idea how to configure it. It would be very helpful if you share your gpg configuration, espessially gpg.conf and gpg-agent.conf, with description comments if possible!
I’m using some of the configuration from Riseup’s OpenPGP Best Practises.
Any kind of tips and suggestions is welcome!

Edit: I think Riseup’s OpenPGP Best Practises helped me a lot. You guys should check this out.

Here is a guide on how to use PGP using Enigmail, in Thunderbird.

1 Like

Thanks for the documentation, it really helps. Do you modify your gpg confiugration? If yes, please share with me.

You have to consider your local version of gpg. Parameters for configuring it changed over time. So many older guides on the internet may show legacy configuration (which is normal). For instance, the official documentation says you should put “long options” “in an options file (default “~/.gnupg/options”)”. See However, my local system stores GPG config in “~/.gnupg/gpg.conf”, and ignores the options file.

Enter gpg --version to see your local version number and supported algorithms. You should also check the man gpg page to see the defaults of your gpg installation and parameters that are available or obsolete.

Moreover, regularly check if new releases introduce new parameters that aren’t covered by many guides:

Another somewhat off topic question: which keyserver is reliable? I’ve tried sks keyserver and MIT keyserver for federated servers, both sucks and takes forever to refresh keys. SKS simply doesn’t work. The only other keyserver I found reliable is the private Hagrid keyserver (, but faced this problem

gpg --refresh-key
gpg: refreshing 6 keys from hkps://
gpg: key 7F2D434B9741E8AC: no user ID
gpg: key 300F846BA25BAE09: no user ID
gpg: key 509C9D6334C80F11: no user ID
gpg: key DBB802B258ACD84F: no user ID
gpg: key 4E2C6E8793298290: no user ID
gpg: key 821ACD02680D16DE: "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <>" not changed
gpg: Total number processed: 6
gpg:              unchanged: 1

Only the VeraCrypt public key seems to be there, the others not. Funny thing is I can search and find all the keys in the keyserver by fingerprint but not by email. The keyserver says that this is a known problem:
While refreshing keys, you may see errors like the following:

gpg: key A2604867523C7ED8: no user ID
This is a known problem in GnuPG. We are working with the GnuPG team to resolve this issue.

How can I fix this?

I don’t even have the options file just gpg.conf and gpg-agent.conf

I have a lot of dot files from across the years and I am not confident that my gnupg config files or the older files there are secure, but there they are anyway. I seem to have commended some parts that look the most potentially to be insecure or may get insecure by time without being updated.

This is fixed in a newer version of gpg (unless it’s a Debian’s patch), my version seems to be 2.2.17.

Since the whole SKS Keyserver Network is broken and GPG >= 2.2.17 ignores key signatures, you don’t need to think about keyservers anymore.

The only keyserver left is It is based on new software and requires people to verify their uploaded keys. Of course, it is extremely centralized now. Alternatively, some people publish their GPG keys via Keybase or their websites.

Thanks! I needed some example on this. This helped.

My gpg version:

gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Supported algorithms:
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

So it’s newer right? I shouln’t be facing this problem then.

I can’t find dirmngr.conf in my ~/.gnupg . Must be an older method.

2.2.4 is older than 2.2.17 @infosechandbook and I mentioned.

I don’t think it’s created by default, but instructions tell to create it. If you do create it, remember to killall -HUP dirmngr just in case so it comes to force if dirmngr is already running.

Apologies. I thought as version after decimal point. So how do I update this version?

Nah I’m good. Seems unnecessarily complex

If I use gpg when browsing on Tor Browser, it does not create any problem. After I stop using Tor and try to use gpg again, this problem happens:

gpg --refresh-keys
gpg: refreshing 6 keys from hkps://
gpg: WARNING: Tor is not running
gpg: WARNING: Tor is not running
gpg: WARNING: Tor is not running
gpg: WARNING: Tor is not running
gpg: WARNING: Tor is not running
gpg: WARNING: Tor is not running
gpg: keyserver refresh failed: Connection refused

How is this related to Tor?
Edit: Rebooting the PC resolves the problem.

What does your current configuration look like?

If you are using dirmngr.conf similar to mine, I think gpg should automatically try the onion if it detects Tor and I guess it detects the Tor instance by Tor Browser and uses that and thus the workaround would possibly be commenting the onion line or installing system-wide Tor that is always running.

PS. I merged your topic here as I think they are that closely related and there are already people discussing here.

1 Like

i don’t have dirmngr.conf file, just gpg.conf and gpg-agent.conf generated by pNep or something.

Thank you for that!

Could you paste the files here?

If that’s the case, then maybe I should wait for a while after closing Tor Brwoser to clean up the instances by system. However, I don’t use the onion link as keyserver, just the clearnet site. I’ve added the files as text as they are not pics. I’ve added some of your comments for my use, hope you don’t mind. :slightly_smiling_face: they are mostly comments


# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# If you do not pass a recipient to gpg, it will ask for one.  Using
# this option you can encrypt to a default key.  Key validation will
# not be done in this case.  The second form uses the default key as
# default recipient.

#default-recipient some-user-id

# Common options for keyserver functions:
# (Note that the --keyserver option has been moved to dirmngr.conf)
# include-disabled = when searching, include keys marked as "disabled"
#                    on the keyserver (not all keyservers support this).
# no-include-revoked = when searching, do not include keys marked as
#                      "revoked" on the keyserver.
# verbose = show more information as the keys are fetched.
#           Can be used more than once to increase the amount
#           of information shown.
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
#                     when verifying signatures or when importing keys that
#                     have been revoked by a revocation key that is not
#                     present on the keyring.
# no-include-attributes = do not include attribute IDs (aka "photo IDs")
#                         when sending keys to the keyserver.
keyserver hkps://
keyserver-options auto-key-retrieve no-include-revoked





## Tell the pinentry not to grab the keyboard and mouse.
## This option should in general not be used to avoid X-sniffing attacks.
# This is the default behaviour

# the number after ttl is in seconds. This is default for how much time to remember #password for.
#Do not extend for a long time.

default-cache-ttl 300
default-cache-ttl-ssh 300
max-cache-ttl 600