Registry Settings

This is the concise documentation of the registry settings. For a more detailed version see the verbose description.

For Kleopatra Settings look ⇒ here.

GnuPG Engine

Since version 3.1.20 it is possible to read configuration settings from the Windows Registry. This is implemented using meta-commands in the configuration files.

The key for all entries is SOFTWARE\WOW6432Node\GNU\GnuPG below HKEY_LOCAL_MACHINE (HKLM) unless noted otherwise. The type of all entries is string (REG_SZ or REG_EXPAND_SZ), even for numeric values.

OpenPGP related settings

NewKeyAlgo

Used to change the default algorithm for new keys. Valid values are:

  • rsa3072
  • rsa4096
  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1
  • none

The value "none" disallows the generation of new keys.

DisableWKD

Any value interpreted as non-zero (e.g. "1") disables the use of the Web Key Directory for automatic key lookup.

DisableAKR

Any value interpreted as non-zero (e.g. "1") disables the use of automatic key retrieval from key servers when checking signatures. Default value is 1.

AutoKeyImport

Any value interpreted as non-zero (e.g. "1") enables an offline mechanism to get a missing public key for signature verification and for later encryption to this key. If this option is enabled and a signature includes an embedded key, that key is used to verify the signature and on verification success the key is imported. Used together with IncludeKeyBlock. [since 3.1.24.0]

IncludeKeyBlock

Any value interpreted as non-zero (e.g. "1") puts the used public key into a data signature. This embedded key is stripped down to a single user id and includes only the signing subkey and all valid encryption subkeys. This option is the OpenPGP counterpart to the S/MIME feature of embedding the certificates into signatures. It allows the recipient of a signed message to reply encrypted to the sender without first using any online directories to look up the key. Used together with AutoKeyImport. [since 3.1.24.0]

DesigRevoker

The value specified shall be the fingerprint of a public OpenPGP key allowed to create a revocation certificate for a newly created key. This Designated Revoker key must exist in the public keyring of the user at the time the user creates a new key. [since 3.2.2.1]

TrustedKey1

The value specifies a fixed trust root (trusted-key). If more than one trust root is required, the entries TrustedKey2, TrustedKey3, TrustedKey4, TrustedKey5 may also be used. Take care to specify the 40 hex-digit fingerprint of those trusted keys.

EncryptTo1

The value specifies a key which is always used in addition to the specified recipient keys. This may be used for an archival key. A second and third such key may be given using EncryptTo2 and EncryptTo3. Please use the 40 hex-digit fingerprint as value and not a user name or the shorter key-id. [since 3.1.20.7]
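The following PowerShell script is an added example, not part of the GnuPG VS-Desktop documentation. It writes the OpenPGP related entries described above as REG_SZ values under the documented HKLM key and refuses any TrustedKey/EncryptTo/DesigRevoker value that is not a 40 hex-digit fingerprint; it assumes an elevated shell, and the fingerprints are constructed placeholders.

```powershell
# Added example: provision the OpenPGP related GnuPG engine settings.
# Run in an elevated PowerShell. Fingerprints below are placeholders.
$GnuPGKey = 'HKLM:\SOFTWARE\WOW6432Node\GNU\GnuPG'
$ValidNewKeyAlgos = 'rsa3072', 'rsa4096', 'brainpoolP256r1',
                    'brainpoolP384r1', 'brainpoolP512r1', 'none'

function Test-Fingerprint {
    param([string]$Value)
    # The page requires the full 40 hex-digit fingerprint,
    # never a user name or the shorter key-id.
    return $Value -match '^[0-9A-Fa-f]{40}$'
}

function Set-GnuPGValue {
    param([string]$Name, [string]$Value)
    if (-not (Test-Path $GnuPGKey)) {
        New-Item -Path $GnuPGKey -Force | Out-Null
    }
    # All entries are strings (REG_SZ), even the numeric "1"/"0" switches.
    New-ItemProperty -Path $GnuPGKey -Name $Name -Value $Value `
        -PropertyType String -Force | Out-Null
}

$settings = [ordered]@{
    NewKeyAlgo      = 'brainpoolP256r1'
    DisableWKD      = '1'
    DisableAKR      = '1'
    AutoKeyImport   = '1'
    IncludeKeyBlock = '1'
    TrustedKey1     = '0000000000000000000000000000000000000001'  # placeholder
    EncryptTo1      = '0000000000000000000000000000000000000002'  # placeholder archival key
}

foreach ($entry in $settings.GetEnumerator()) {
    $name = $entry.Key; $value = $entry.Value
    if ($name -eq 'NewKeyAlgo' -and $value -notin $ValidNewKeyAlgos) {
        throw "NewKeyAlgo '$value' is not one of: $($ValidNewKeyAlgos -join ', ')"
    }
    if ($name -match '^(TrustedKey\d|EncryptTo\d|DesigRevoker)$' -and
        -not (Test-Fingerprint $value)) {
        throw "$name must be a 40 hex-digit fingerprint, got '$value'"
    }
    Set-GnuPGValue -Name $name -Value $value
}

Get-ItemProperty -Path $GnuPGKey | Select-Object ($settings.Keys)
```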

S/MIME related settings

DisableUserTrustlist

Any value interpreted as non-zero (e.g. "1") entirely ignores the user's trustlist.txt and considers only the global trustlist. [since 3.1.24.0]

SysTrustlistFile

The list of trusted root certificates is distributed in a file named trustlist.txt. This option allows specifying another file for this list. This is needed to avoid overwriting a custom version of the list by a software update. [since 3.1.24.0]

GpgsmCompatibility

Set compatibility flags to work around problems due to non-compliant certificates or data. The flags are given as a comma-separated list of flag names and are OR-ed together. This option should only be set in special cases when advised by the GnuPG.com support. [since 3.1.23.0]

Private key related settings

Note: These settings do not affect smart card PINs.

CacheTime

The number of seconds a password is cached after its last use. Re-triggered with each use. Defaults to 900 (15 minutes). This entry is looked up under HKCU with a fallback to HKLM.

CacheTimeMax

The number of seconds a password is cached after its first use. Defaults to 3600 (1 hour). This entry is looked up under HKCU with a fallback to HKLM.

MinPasswordLen

The minimum number of characters required for a password. The default is 9. Note that in addition to this value the regular expressions in asymrules.txt and symrules.txt also take effect. [since 3.1.21.1]

SymrulesFile

The patterns defining the rules for symmetric passwords are distributed in a file named symrules.txt. This option allows specifying another file for these patterns. Use only if advised to do so. [since 3.1.21.3]

AsymrulesFile

The patterns defining the rules for passwords to protect private keys are distributed in a file named asymrules.txt. This option allows specifying another file for these patterns. Use only if advised to do so. [since 3.1.21.3]

Network related settings

NtdsKeyserver

The value specifies an Active Directory authenticated LDS server name for OpenPGP keys. If a non-standard port is used it must be given delimited by a colon. Examples: "openpgp-lds", "keyserver.example.com:8389".

Keyserver

A full keyserver specification string; used only if NtdsKeyserver is not set. Up to version 3.1.26 the default was "ldap:///" to specify an OpenPGP keyserver as part of the AD. Since then it is "none", i.e. no keyserver is configured as default any more. In case of initial delays in name resolution with LDAP servers on Windows, it is often useful to use a value like

openpgp-lds:::::starttls,ntds,areconly

instead of NtdsKeyserver or the URL format.

Ldapserver

A full LDAP server specification string. This will be used as the default LDAP server for X.509 certificate lookup. For example

ldap.example.com:::::starttls,ntds

uses the given server in StartTLS mode with AD authentication. To use password-based authentication, a value like the following can be used:

ldap.example.com::username:mypassword::starttls

[since 3.1.21.1]

HttpProxy

If set, specifies a proxy for HTTP. For example "proxy.local:8080" or "authstring@proxy.local:8080".

LdapProxy

If set, specifies a proxy for LDAP. For example "proxy.local:8389".

OnlyLdapProxy

If set, LDAP will only be accessed through the LDAP proxy.

IgnoreHttpDP

Any value interpreted as non-zero (e.g. "1") disables the use of HTTP CRL distribution points.

IgnoreLdapDP

Any value interpreted as non-zero (e.g. "1") disables the use of LDAP CRL distribution points.

DisableIPv4

Any value interpreted as non-zero (e.g. "1") disables the use of the IPv4 protocol. Used in case of problems with IPv4 connections. [since 3.1.24.0]

DisableIPv6

Any value interpreted as non-zero (e.g. "1") disables the use of the IPv6 protocol. Used in case of problems with IPv6 connections. [since 3.1.24.0]

ResolverTimeout

The timeout value in seconds for DNS requests. The default is 30 seconds. [since 3.1.24.0]

ConnectTimeout

The timeout value in seconds for all HTTP, HTTPS, and other TCP connection attempts. The default is 15 seconds. For LDAP connections the native Windows settings must be used. [since 3.1.24.0]

ConnectQuickTimeout

Like ConnectTimeout but for connection attempts which are required to happen fast. The default is 2 seconds. [since 3.1.24.0]

Smart card related settings

ReaderPort

The smart card reader to use. The GUI has an option to show all detected readers in the settings menu. The exact string – or at least the exact start of the string, if there is no risk of mix-up – needs to be entered.

The entry ReaderPort is looked up under HKCU with a fallback to HKLM. If this entry is not set and there is no local override the reader to use is determined by a simple heuristic.
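CacheTime, CacheTimeMax and ReaderPort are the entries this page documents as looked up under HKCU with a fallback to HKLM, so a per-user value silently overrides the machine policy. The script below is an added example (not from the GnuPG VS-Desktop documentation) that resolves each of these entries the same way and reports which hive supplied the effective value; it assumes the user hive uses the same subkey path as HKLM.

```powershell
# Added example: resolve HKCU-overridable GnuPG entries and report their source.
# Assumption: the per-user entries live under the same subkey below HKCU.
$GnuPGSubKey = 'SOFTWARE\WOW6432Node\GNU\GnuPG'

function Get-GnuPGSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Default = $null
    )
    # Consult HKCU first, then HKLM, mirroring the documented lookup order.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$GnuPGSubKey"
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $hive }
        }
    }
    return [pscustomobject]@{ Name = $Name; Value = $Default; Source = 'default' }
}

# Documented defaults: CacheTime 900 s, CacheTimeMax 3600 s, ReaderPort heuristic.
$entries = @(
    @{ Name = 'CacheTime';    Default = '900' },
    @{ Name = 'CacheTimeMax'; Default = '3600' },
    @{ Name = 'ReaderPort';   Default = $null }
)
$audit = foreach ($e in $entries) { Get-GnuPGSetting -Name $e.Name -Default $e.Default }
$audit | Format-Table -AutoSize

# Flag passphrase cache lifetimes that a user hive has lengthened beyond the
# value set machine-wide (or beyond the documented default when HKLM is unset).
foreach ($a in $audit | Where-Object { $_.Name -like 'CacheTime*' -and $_.Source -eq 'HKCU' }) {
    $machine = Get-ItemProperty -Path "HKLM:\$GnuPGSubKey" -Name $a.Name -ErrorAction SilentlyContinue
    $baseline = if ($null -ne $machine) { [int]$machine.($a.Name) }
                else { [int]($entries | Where-Object Name -eq $a.Name).Default }
    if ([int]$a.Value -gt $baseline) {
        Write-Warning "$($a.Name) is $($a.Value) s in HKCU, above the machine baseline of $baseline s"
    }
}
```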

SharePort

Any value interpreted as non-zero (e.g. "1") enables the option pcsc-shared. This allows GnuPG VS-Desktop and other software to access the same card.

DisableSCD

Any value interpreted as non-zero (e.g. "1") entirely disables smart card support. [since 3.1.20.7]

Windows Explorer related settings

GpgExDefault

The default command available on right-click of unencrypted files or folders. The value must be a string value (REG_SZ) containing the number. [since 3.1.22.0] Valid values are:

  • 0: Help
  • 1: Decrypt & Verify
  • 2: Decrypt
  • 3: Verify
  • 4: Sign & Encrypt
  • 5: Encrypt
  • 6: Sign
  • 7: Import
  • 8: Create Checksums
  • 9: Verify Checksums
  • 11: About

Outlook Add-In related

The Add-In does not directly use config files but takes all parameters from the Registry.

The key for all entries is SOFTWARE\WOW6432Node\GNU\GpgOL below HKEY_LOCAL_MACHINE (HKLM) unless noted otherwise. The type of all entries is string (REG_SZ or REG_EXPAND_SZ). Except for the option "draftKey" the values of the settings can either be "1" or "0".

An additional "!" after the number enforces the setting; otherwise users can change it through the configuration dialog. User changes are stored below HKEY_CURRENT_USER. For example, a value of "1!" enforces an option to be enabled.

enableSmime

Enable or disable S/MIME support. Default: 0

preferSmime

If S/MIME and OpenPGP certificates are available, S/MIME gets preferred. Depends on enableSmime. Default: 0

smimeNoCertSigErr

Text for the error window which appears when "signDefault" and "preferSmime" are configured but no S/MIME key is present. The default text is:
No S/MIME (X509) signing certificate found.
Your organization has configured GpgOL to sign outgoing
mails with S/MIME certificates but there is no S/MIME
certificate configured for your mail address.
Please ask your Administrators for assistance or switch
to OpenPGP in the next dialog.

searchSmimeServers

Search and import X509 certificates in the configured directory services. The directory services need to be configured in Kleopatra or with the Ldapserver registry key of GnuPG. Depends on enableSmime. Default: 0

signDefault

Always sign new messages by default.

encDefault

Always encrypt new messages by default.

replyCrypt

Select crypto settings automatically for reply and forward, so a reply/forward will be signed when the original mail was signed, encrypted when it was encrypted, or both. Default: 1

inlinePGP

Send OpenPGP mails without attachments as PGP/Inline. PGP/Inline means that the text body of the mail will contain an ASCII armored PGP message, similar to the Kleopatra Notepad behavior. This option is mostly relevant to help recipients with clients that have no PGP support, as they can copy the contents of the mail to Kleopatra for decryption. Default: 0

alwaysShowApproval

Always show the security approval dialog. Default: 0

autoimport

Import any keys included in mails. Default: 0

autoresolve

Resolve and search for recipient keys automatically. Depending on the GnuPG settings this might include external sources. By default LDAP (LDS) and WKD sources are included in the search. Default: 1

autosecure

Automatically secure messages if keys are found. Depends on autoresolve. Default: 0

hideCryptoConfig

Hide the GnuPG-System config settings in the options. Default: 0

draftEnc

Set this to 1 to enable draft encryption. Without draftKey this will lead to an error until the user sets the draftKey through the settings dialog. Default: 0

draftKey

The fingerprint of the S/MIME or OpenPGP certificate to use for draft / autosave encryption if draftEnc is enabled. Set this to the special value "auto" to have GpgOL autoselect the first ultimately trusted secret key on the next Outlook start. Depends on draftEnc. No default.
If draftEnc is enabled and draftKey is not set, the user will be notified that a key must be set manually.

Additional values may be placed by the Add-In under the user registry key but are mostly treated as internal values.
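As an added example (not code from the GpgOL project or this documentation), the script below writes Add-In settings under the documented HKLM key, appending the "!" suffix for entries that must be enforced, and then computes the effective value of each setting by giving an enforced HKLM value precedence over a user change. It assumes an elevated shell and that user changes sit under the same subkey path below HKCU, which the page does not spell out.

```powershell
# Added example: enforce GpgOL policy via the "!" suffix and audit effective values.
# Assumption: user overrides use the same subkey path below HKCU.
$GpgOLSubKey = 'SOFTWARE\WOW6432Node\GNU\GpgOL'

function Set-GpgOLPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('0', '1')][string]$Value,
        [switch]$Enforce
    )
    $path = "HKLM:\$GpgOLSubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # A trailing "!" locks the setting so the configuration dialog cannot change it.
    $data = if ($Enforce) { "$Value!" } else { $Value }
    New-ItemProperty -Path $path -Name $Name -Value $data -PropertyType String -Force | Out-Null
}

function Get-GpgOLEffective {
    param([Parameter(Mandatory)][string]$Name)
    $machine = (Get-ItemProperty "HKLM:\$GpgOLSubKey" -Name $Name -ErrorAction SilentlyContinue).$Name
    $user    = (Get-ItemProperty "HKCU:\$GpgOLSubKey" -Name $Name -ErrorAction SilentlyContinue).$Name
    $result = [ordered]@{ Name = $Name; Value = $null; Source = 'not set' }
    if ($machine -match '^([01])!$') {
        # Enforced: the user copy, if any, is irrelevant.
        $result.Value = $Matches[1]; $result.Source = 'HKLM (enforced)'
    } elseif ($null -ne $user) {
        $result.Value = $user; $result.Source = 'HKCU (user change)'
    } elseif ($null -ne $machine) {
        $result.Value = $machine; $result.Source = 'HKLM (changeable default)'
    }
    return [pscustomobject]$result
}

# Policy used here: mandatory signing and approval dialog, inline PGP off but user-changeable.
Set-GpgOLPolicy -Name 'signDefault'        -Value '1' -Enforce
Set-GpgOLPolicy -Name 'alwaysShowApproval' -Value '1' -Enforce
Set-GpgOLPolicy -Name 'inlinePGP'          -Value '0'

'signDefault', 'alwaysShowApproval', 'inlinePGP', 'autoimport' |
    ForEach-Object { Get-GpgOLEffective -Name $_ } | Format-Table -AutoSize
```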

Installer related settings

The installer records the installation directory of the engine under the key SOFTWARE\WOW6432Node\GnuPG below HKLM in an entry named "Install Directory". Note that the key is different from the other GnuPG related keys. For the installation settings see the Installation Page.