From 41f918499bea1d6e95fc9314f18e8cf5e94aff79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bjarki=20=C3=81g=C3=BAst=20Gu=C3=B0mundsson?=
Date: Sun, 8 Sep 2019 17:06:14 +0000
Subject: [PATCH] gpg: sane default for throw-keyids option

The [throw-keyids](https://www.gnupg.org/gph/en/manual/r2110.html) option "hides the receiver of the encrypted data as a countermeasure against traffic analysis." However, it also slows down decryption, and even breaks some applications; see e.g. https://github.com/open-keychain/open-keychain/issues/626 I think the sane default would be to leave it off, just as it is off by default in gpg. The typical user will probably not need this level of security, and will probably prefer a better user experience (faster decryption and compatibility with a wider range of applications). Closes #838
---
 modules/programs/gpg.nix | 1 -
 tests/modules/programs/gpg/override-defaults.nix | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/programs/gpg.nix b/modules/programs/gpg.nix
index e06ec3a93..4588c59c8 100644
--- a/modules/programs/gpg.nix
+++ b/modules/programs/gpg.nix
@@ -51,7 +51,6 @@ in {
 with-fingerprint = mkDefault true;
 require-cross-certification = mkDefault true;
 no-symkey-cache = mkDefault true;
- throw-keyids = mkDefault true;
 use-agent = mkDefault true;
 };
 
diff --git a/tests/modules/programs/gpg/override-defaults.nix b/tests/modules/programs/gpg/override-defaults.nix
index 7cf68b31b..850334dc5 100644
--- a/tests/modules/programs/gpg/override-defaults.nix
+++ b/tests/modules/programs/gpg/override-defaults.nix
@@ -10,6 +10,7 @@ with lib;
 settings = {
 no-comments = false;
 s2k-cipher-algo = "AES128";
+ throw-keyids = true;
 };
 };
 
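Review bot: The `throw-keyids = true;` line added to override-defaults.nix no longer overrides a module default, because the gpg.nix hunk in this same patch drops the `mkDefault true` entry entirely, so the test now exercises a plain user-supplied setting rather than the override path its filename describes. A short comment above the line would keep that intent readable, e.g. `# throw-keyids is opt-in (no module default); recipient key IDs are hidden only when the user sets this`. Since the removal silently weakens a privacy-related default for existing users, the gpg.nix side would also benefit from a release note or a sentence in the `settings` option description stating that users who relied on recipient hiding must now set `throw-keyids = true` explicitly. The `settings` attribute set in the test starts outside the hunk, and the expected-output file that this test is checked against is not part of the patch, so whether the generated gpg.conf is asserted to contain `throw-keyids` cannot be confirmed from here.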