# no spam
no-greeting

# minimize information leakage
no-comments
no-emit-version
export-options export-minimal

# show as much key info as possible
keyid-format 0xlong
with-fingerprint

# show validity of the keys
verify-options show-uid-validity
list-options show-uid-validity

# cipher settings
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed

cert-digest-algo SHA512

# key derivation algo
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712

use-agent
display-charset utf-8
fixed-list-mode
no-mangle-dos-filenames
require-cross-certification

{% if not (distro == 'ubuntu' and ansible_distribution_version == '18.04') -%}
{# looks like the gpg version in that ubuntu release it too old and does not
{# contain the setting #}
# do not cache keys for symmetric encryption
no-symkey-cache

{% endif -%}

keyserver-options no-honor-keyserver-url no-auto-key-retrieve include-revoked