Registry Settings

GnuPG Engine

Since version 3.1.20 it is possible to read configuration settings from the Windows Registry. This is implemented using meta-commands in the configuration files.

The key for all entries is SOFTWARE\WOW6432Node\GNU\GnuPG below HKEY_LOCAL_MACHINE (HKLM) unless noted otherwise. The type of all entries is string (REG_SZ or REG_EXPAND_SZ), even for numeric values.

OpenPGP related settings

NewKeyAlgo

Used to change the default algorithm for new keys. Valid values are:

  • rsa3072
  • rsa4096
  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1
  • none

The value "none" disallows the generation of new keys.

DisableWKD

Any value interpreted as non-zero (e.g. "1") disables the use of the Web Key Directory for automatic key lookup.

DisableAKR

Any value interpreted as non-zero (e.g. "1") disables the use of automatic key retrieval from key servers when checking signatures.

AutoKeyImport

Any value interpreted as non-zero (e.g. "1") enables an offline mechanism to get a missing public key for signature verification and for later encryption to this key. If this option is enabled and a signature includes an embedded key, that key is used to verify the signature and on verification success the key is imported. Used together with IncludeKeyBlock. [since 3.1.24.0]

IncludeKeyBlock

Any value interpreted as non-zero (e.g. "1") puts the used public key into a data signature. This embedded key is stripped down to a single user id and includes only the signing subkey and all valid encryption subkeys. This option is the OpenPGP counterpart to the S/MIME feature of embedding the certificates into signatures. It allows the recipient of a signed message to reply encrypted to the sender without first using any online directories to look up the key. Used together with AutoKeyImport. [since 3.1.24.0]

TrustedKey1

The value specifies a fixed trust root (trusted-key). If more than one trust root is required, the entries TrustedKey2, TrustedKey3, TrustedKey4, TrustedKey5 may also be used. Take care to specify the 40 hex-digit fingerprint of those trusted keys.

EncryptTo1

The value specifies a key which is always used in addition to the specified recipient keys. This may be used for an archival key. A second such key may be given using EncryptTo2. Please use the 40 hex-digit fingerprint as value and not a user name or the shorter key-id. [since 3.1.20.7]

S/MIME related settings

DisableUserTrustlist

Any value interpreted as non-zero (e.g. "1") entirely ignores the user's trustlist.txt and considers only the global trustlist. [since 3.1.24.0]

SysTrustlistFile

The list of trusted root certificates is distributed in a file named trustlist.txt. This option allows specifying another file for this list. This is needed to avoid overwriting a custom version of the list by a software update. [since 3.1.24.0]

GpgsmCompatibility

Set compatibility flags to work around problems due to non-compliant certificates or data. The flags are given as a comma separated list of flag names and are OR-ed together. Please ask for advice. [since 3.1.23.0]

Private key related settings

Note: These settings do not affect smart card PINs.

CacheTime

The number of seconds a password is cached after its last use. Re-triggered with each use. Defaults to 900 (15 minutes). This entry is looked up under HKCU with a fallback to HKLM.

CacheTimeMax

The number of seconds a password is cached after its first use. Defaults to 3600 (1 hour). This entry is looked up under HKCU with a fallback to HKLM.

MinPasswordLen

The minimum number of characters required for a password. The default is 9. Note that in addition to this value the regular expressions in asymrules.txt and symrules.txt also take effect. [since 3.1.21.1]

SymrulesFile

The patterns defining the rules for symmetric passwords are distributed in a file named symrules.txt. This option allows specifying another file for these patterns. Use only if advised to do so. [since 3.1.21.3]

AsymrulesFile

The patterns defining the rules for passwords to protect private keys are distributed in a file named asymrules.txt. This option allows specifying another file for these patterns. Use only if advised to do so. [since 3.1.21.3]

Network related settings

NtdsKeyserver

The value specifies an Active Directory authenticated LDS server name for OpenPGP keys. If a non-standard port is used it must be given delimited by a colon. Examples: "openpgp-lds", "keyserver.example.com:8389".

Keyserver

A full keyserver specification string; used only if NtdsKeyserver is not set. The default is "ldap:///" to specify an OpenPGP keyserver as part of the AD. In case of initial delays in name resolution with LDAP servers on Windows, it is often useful to use a value like

openpgp-lds:::::starttls,ntds,areconly

instead of NtdsKeyserver or the URL format.

Ldapserver

A full LDAP server specification string. This will be used as the default LDAP server for X.509 certificate lookup. For example

ldap.example.com:::::starttls,ntds

uses the given server in StartTLS mode with AD authentication. To use password-based authentication, a value like the following might be used

ldap.example.com::username:mypassword::starttls

[since 3.1.21.1]

HttpProxy

If set specifies a proxy for HTTP. For example "proxy.local:8080".

LdapProxy

If set specifies a proxy for LDAP. For example "proxy.local:8389".

IgnoreHttpDP

Any value interpreted as non-zero (e.g. "1") disables the use of HTTP CRL distribution points.

IgnoreLdapDP

Any value interpreted as non-zero (e.g. "1") disables the use of LDAP CRL distribution points.

DisableIPv4

Any value interpreted as non-zero (e.g. "1") disables the use of the IPv4 protocol. Used in case of problems with IPv4 connections. [since 3.1.24.0]

DisableIPv6

Any value interpreted as non-zero (e.g. "1") disables the use of the IPv6 protocol. Used in case of problems with IPv6 connections. [since 3.1.24.0]

ResolverTimeout

The timeout value in seconds for DNS requests. The default is 30 seconds. [since 3.1.24.0]

ConnectTimeout

The timeout value in seconds for all HTTP, HTTPS, and other TCP connection attempts. The default is 15 seconds. For LDAP connections the native Windows settings must be used. [since 3.1.24.0]

ConnectQuickTimeout

Like ConnectTimeout but for connection attempts which are required to happen fast. The default is 2 seconds. [since 3.1.24.0]

Smart card related settings

ReaderPort

The smart card reader to use. The GUI has an option to show all detected readers in the settings menu. The exact string needs to be entered. This entry is looked up under HKCU with a fallback to HKLM. If this entry is not set and there is no local override, the reader to use is determined by a simple heuristic.

SharePort

Any value interpreted as non-zero (e.g. "1") enables the option pcsc-shared. This allows GnuPG VS-Desktop and other software to access the same card.

DisableSCD

Any value interpreted as non-zero (e.g. "1") entirely disables smart card support. [since 3.1.20.7]

Windows Explorer related settings

GpgExDefault

The default command available on right-click of unencrypted files or folders. The value must be a string (REG_SZ) containing the number. [since 3.1.22.0] Valid values are:

  • 0: Help
  • 1: Decrypt & Verify
  • 2: Decrypt
  • 3: Verify
  • 4: Sign & Encrypt
  • 5: Encrypt
  • 6: Sign
  • 7: Import
  • 8: Create Checksums
  • 9: Verify Checksums
  • 11: About

Outlook Add-In related

The Add-In does not directly use config files but takes all parameters from the Registry.

The key for all entries is SOFTWARE\WOW6432Node\GNU\GpgOL below HKEY_LOCAL_MACHINE (HKLM) unless noted otherwise. The type of all entries is string (REG_SZ or REG_EXPAND_SZ).

enableSmime

Disable / Enable S/MIME support.

preferSmime

If S/MIME and OpenPGP certificates are available, S/MIME gets preferred.

searchSmimeServers

Search and import X509 certificates in the configured directory services.

replyCrypt

Select crypto settings automatically for reply and forward.

inlinePGP

Send OpenPGP mails without attachments as PGP/Inline.

autoimport

Import any keys included in mails.

autoresolve

Resolve and search for recipient keys automatically.

autosecure

Automatically secure messages if keys are found.

alwaysShowApproval

Always show the security approval dialog.

hideCryptoConfig

Hide the GnuPG-System config settings in the options.

draftEnc

Set this to 1 to enable draft encryption. Without draftKey this will lead to an error until the user sets the draftKey through the settings dialog.

draftKey

The fingerprint of the S/MIME or OpenPGP certificate to use for draft / autosave encryption if draftEnc is enabled. Set this to the special value "auto" to have GpgOL autoselect the first ultimately trusted secret key on the next Outlook start.

Additional values may be placed by the Add-In under the user registry key but are mostly treated as internal values.
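As an added example (not part of this documentation or of the GnuPG VS-Desktop project), the PowerShell script below applies a baseline of the engine settings and Add-In settings described above under the documented HKLM keys, writes every entry as REG_SZ, and reads the result back to confirm type and value; it also resolves CacheTime in the HKCU-then-HKLM order the text describes. The baseline values, the function names, the optional trust-root fingerprint parameter and the per-user path SOFTWARE\GNU\GnuPG are assumptions of this example.

```powershell
# Added example, not from the GnuPG VS-Desktop documentation. Run elevated on 64-bit Windows.
param([string]$TrustedKeyFingerprint)   # optional: 40 hex-digit fingerprint for TrustedKey1
$GnuPgKey = 'HKLM:\SOFTWARE\WOW6432Node\GNU\GnuPG'   # engine key documented above
$GpgOlKey = 'HKLM:\SOFTWARE\WOW6432Node\GNU\GpgOL'   # Outlook Add-In key documented above
# Illustrative baseline; every value is a string because the engine reads only REG_SZ/REG_EXPAND_SZ.
$GnuPgBaseline = @{
    NewKeyAlgo = 'rsa4096'; DisableWKD = '1'; MinPasswordLen = '12'
    CacheTime = '300'; CacheTimeMax = '1800'; ConnectTimeout = '15'   # numeric, but stored as strings
}
$GpgOlBaseline = @{ enableSmime = '1'; autoimport = '0'; alwaysShowApproval = '1' }
# TrustedKey1 must be the full 40 hex-digit fingerprint, never a user name or short key-id.
if ($TrustedKeyFingerprint) {
    if ($TrustedKeyFingerprint -notmatch '^[0-9A-Fa-f]{40}$') { throw 'TrustedKeyFingerprint must be 40 hex digits' }
    $GnuPgBaseline['TrustedKey1'] = $TrustedKeyFingerprint.ToUpper()
}

function Set-StringValues([string]$Path, [hashtable]$Values) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # -PropertyType String forces REG_SZ; a DWORD written here would not be read by GnuPG.
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] -PropertyType String -Force | Out-Null
    }
}

function Test-StringValues([string]$Path, [hashtable]$Values) {
    $key = Get-Item -Path $Path; $ok = $true
    foreach ($name in $Values.Keys) {
        $kind = $key.GetValueKind($name).ToString(); $actual = $key.GetValue($name)
        if ($kind -notin @('String', 'ExpandString') -or $actual -ne $Values[$name]) {
            Write-Warning "$Path\$name has kind $kind and value '$actual'"; $ok = $false
        }
    }
    return $ok
}

# Mirrors the documented lookup order for CacheTime, CacheTimeMax and ReaderPort: HKCU first, then HKLM.
# Assumption: the per-user key is SOFTWARE\GNU\GnuPG, since HKCU\Software is not WOW64-redirected.
function Get-EffectiveValue([string]$Name) {
    foreach ($path in 'HKCU:\SOFTWARE\GNU\GnuPG', $GnuPgKey) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name }
    }
    return $null   # not set in either hive, so the engine default applies
}
Set-StringValues -Path $GnuPgKey -Values $GnuPgBaseline
Set-StringValues -Path $GpgOlKey -Values $GpgOlBaseline
if (-not ((Test-StringValues $GnuPgKey $GnuPgBaseline) -and (Test-StringValues $GpgOlKey $GpgOlBaseline))) {
    throw 'Baseline was not applied as REG_SZ; review the warnings above'
}
"Effective CacheTime: $(Get-EffectiveValue 'CacheTime')"
```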

Installer related settings

The installer records the installation directory of the engine under the key SOFTWARE\WOW6432Node\GnuPG below HKLM in an entry named "Install Directory". Note that the key is different from the other GnuPG related keys. For the installation settings see the Installation Page.

Kleopatra settings

Kleopatra settings are documented under: ⇒ Kleopatra Settings