Next: , Previous: , Up: Option Summary   [Contents][Index]


4.2.5 Compliance options

These options control what GnuPG is compliant to. Only one of these options may be active at a time. Note that the default setting of this is nearly always the correct one. See the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below before using one of these options.

--gnupg

Use standard GnuPG behavior. This is essentially OpenPGP behavior (see --openpgp), but with extension from the proposed update to OpenPGP and with some additional workarounds for common compatibility problems in different versions of PGP. This is the default option, so it is not generally needed, but it may be useful to override a different compliance option in the gpg.conf file.

--openpgp

Reset all packet, cipher and digest options to strict OpenPGP behavior. This option implies --allow-old-cipher-algos. Use this option to reset all previous options like --s2k-*, --cipher-algo, --digest-algo and --compress-algo to OpenPGP compliant values. All PGP workarounds are disabled.

--rfc4880

Reset all packet, cipher and digest options to strict RFC-4880 behavior. This option implies --allow-old-cipher-algos. Note that this is currently the same thing as --openpgp.

--rfc4880bis

Reset all packet, cipher and digest options to strict according to the proposed updates of RFC-4880.

--rfc2440

Reset all packet, cipher and digest options to strict RFC-2440 behavior. Note that by using this option encryption packets are created in a legacy mode without MDC protection. This is dangerous and should thus only be used for experiments. This option implies --allow-old-cipher-algos. See also option --ignore-mdc-error.

--pgp6

This option is obsolete; it is handled as an alias for --pgp7

--pgp7

Set up all options to be as PGP 7 compliant as possible. This allowed the ciphers IDEA, 3DES, CAST5,AES128, AES192, AES256, and TWOFISH., the hashes MD5, SHA1 and RIPEMD160, and the compression algorithms none and ZIP. This option implies --escape-from-lines and disables --throw-keyids,

--pgp8

Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot closer to the OpenPGP standard than previous versions of PGP, so all this does is disable --throw-keyids and set --escape-from-lines. All algorithms are allowed except for the SHA224, SHA384, and SHA512 digests.

--compliance string

This option can be used instead of one of the options above. Valid values for string are the above option names (without the double dash) and possibly others as shown when using "help" for string.

--min-rsa-length n

This option adjusts the compliance mode "de-vs" for stricter key size requirements. For example, a value of 3000 turns rsa2048 and dsa2048 keys into non-VS-NfD compliant keys.

--require-pqc-encryption

This option forces the use of quantum-resistant encryption algorithms. If not all public keys are quantum-resistant the encryption will fail. On decryption a warning is printed for all non-quantum-resistant keys. As of now the Kyber (ML-KEM768 and ML-KEM1024) algorithms are considered quantum-resistant; Kyber is always used in a composite scheme along with a classic ECC algorithm.

--require-compliance

To check that data has been encrypted according to the rules of the current compliance mode, a gpg user needs to evaluate the status lines. This is allows frontends to handle compliance check in a more flexible way. However, for scripted use the required evaluation of the status-line requires quite some effort; this option can be used instead to make sure that the gpg process exits with a failure if the compliance rules are not fulfilled. Note that this option has currently an effect only in "de-vs" mode.


Next: Doing things one usually doesn’t want to do, Previous: OpenPGP protocol specific options, Up: Option Summary   [Contents][Index]