home-manager/tests/modules/programs/gpg/override-defaults.nix
Bjarki Ágúst Guðmundsson 41f918499b
gpg: sane default for throw-keyids option
The [throw-keyids](https://www.gnupg.org/gph/en/manual/r2110.html)
option "hides the receiver of the encrypted data as a countermeasure
against traffic analysis." However, it also slows down decryption, and
even breaks some applications; see e.g.
https://github.com/open-keychain/open-keychain/issues/626

I think the sane default would be to leave it off, just as it is off
by default in gpg. The typical user will probably not need this level
of security, and will probably prefer a better user experience (faster
decryption and compatibility with a wider range of applications).

Closes #838
2019-09-11 19:30:26 +02:00

23 lines
401 B
Nix

{ config, lib, pkgs, ... }:

with lib;

{
  config = {
    programs.gpg = {
      enable = true;
      # Each setting here overrides a module default; the generated gpg.conf
      # is compared against override-defaults-expected.conf below.
      settings = {
        no-comments = false;
        s2k-cipher-algo = "AES128";
        throw-keyids = true;
      };
    };

    nmt.script = ''
      assertFileExists home-files/.gnupg/gpg.conf
      assertFileContent home-files/.gnupg/gpg.conf ${./override-defaults-expected.conf}
    '';
  };
}
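The commit message describes throw-keyids only in terms of its effect (recipient hidden, slower decryption, some clients break). What the option actually changes on the wire is the eight-octet key ID in each Public-Key Encrypted Session Key packet (OpenPGP tag 1, RFC 4880 section 5.1): gpg writes it as all zeros, the "wildcard" value that tells a decrypting implementation to try every secret key it holds. The following is an added example, not home-manager or GnuPG code, that walks a message's packet headers and reports which key IDs are named and which have been thrown. The two sample messages are hand-constructed byte strings with a dummy MPI, not real gpg output, and the function names are the example's own.

```python
# Minimal OpenPGP (RFC 4880) packet walker that reports, for each
# Public-Key Encrypted Session Key (PKESK, tag 1) packet, which key ID it
# names and whether that ID has been "thrown" (zeroed) by gpg's throw-keyids.
# Added example for illustration; it is not home-manager or GnuPG code, and
# the sample messages below are hand-constructed, not real gpg output.

from dataclasses import dataclass

PKESK_TAG = 1
THROWN_KEY_ID = bytes(8)  # RFC 4880 5.1: an all-zero key ID is the "wildcard"


@dataclass
class Pkesk:
    version: int
    key_id: str      # 16 upper-case hex characters
    pk_algo: int
    thrown: bool


def _read_header(data, pos):
    """Parse one packet header; return (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                       # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            length = ((first - 192) << 8) + data[pos + 2] + 192
            return tag, pos + 3, length
        if first == 255:
            length = int.from_bytes(data[pos + 2:pos + 6], "big")
            return tag, pos + 6, length
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F              # old-format header (RFC 4880 4.2.1)
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nlen = 1 << ltype                    # 1, 2 or 4 length octets
    length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
    return tag, pos + 1 + nlen, length


def parse_pkesk_packets(data):
    """Return a Pkesk for every tag-1 packet in `data`; other packets are skipped."""
    out = []
    pos = 0
    while pos < len(data):
        tag, start, length = _read_header(data, pos)
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == PKESK_TAG:
            if body[0] != 3:
                raise ValueError(f"unsupported PKESK version {body[0]}")
            key_id = body[1:9]
            out.append(Pkesk(version=3, key_id=key_id.hex().upper(),
                             pk_algo=body[9], thrown=key_id == THROWN_KEY_ID))
        pos = start + length
    return out


def _pkesk(key_id):
    """Build a constructed tag-1 packet: v3, RSA (algo 1), dummy 9-bit MPI."""
    body = bytes([3]) + key_id + bytes([1]) + b"\x00\x09\x01\x02"
    return bytes([0x84, len(body)]) + body   # old-format header, 1-octet length


# Constructed samples: the same message once with the recipient's key ID
# present and once as gpg would write it with throw-keyids (key ID zeroed).
NORMAL_MSG = _pkesk(bytes.fromhex("0123456789ABCDEF"))
THROWN_MSG = _pkesk(THROWN_KEY_ID)


def recipient_hint(data):
    """Key IDs a client can read off the message without any private key.

    Returns None when every ID is thrown: the client then has to attempt
    decryption with each secret key it holds, which is the slowdown (and the
    breakage in clients that select the key by ID) noted in the commit message.
    """
    ids = [p.key_id for p in parse_pkesk_packets(data) if not p.thrown]
    return ids or None


if __name__ == "__main__":
    for name, msg in (("normal", NORMAL_MSG), ("thrown", THROWN_MSG)):
        print(name, parse_pkesk_packets(msg), recipient_hint(msg))
```

Pointing the walker at real output (`gpg -e -r KEY`, then `gpg -e -r KEY --throw-keyids`, both read as bytes) shows the same difference as the constructed samples: the only field that changes is the key ID, which is why a client that looks up the private key by that ID has nothing to go on once it is zeroed.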