Registry settings (reference)

This is the short reference for the registry settings under Windows. In addition to this document we offer two comprehensive manuals on this topic:

GnuPG engine

Since version 3.1.20 the configuration settings can be read from the Windows registry. This is done through meta commands in the configuration files.

Unless noted otherwise, the key for all entries is SOFTWARE\WOW6432Node\GNU\GnuPG below HKEY_LOCAL_MACHINE (HKLM). The type of all entries is string (REG_SZ or REG_EXPAND_SZ), also for numeric values.

OpenPGP settings

NewKeyAlgo

Changes the default algorithm for new keys. Valid values are:

  • rsa3072
  • rsa4096
  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1
  • none

The value none forbids the creation of new keys.

DisableWKD

Any value interpreted as non-zero (e.g. "1") disables the automatic lookup of keys in the Web Key Directory.

DisableAKR

Any value interpreted as non-zero (e.g. "1") disables the automatic retrieval of keys from keyservers when verifying signatures. The default is 1.

AutoKeyImport

Any value interpreted as non-zero (e.g. "1") enables an offline mechanism to obtain a missing public key for verifying a signature and for later encryption to that key. If this option is enabled and a signature carries an embedded key, that key is used to verify the signature and, if verification succeeds, the key is imported. Note that a key obtained this way is vouched for only by the message that carried it: a signature that verifies against an embedded key shows that the holder of that key signed the message, not who that holder is. Used together with the IncludeKeyBlock setting. [since 3.1.24.0]

IncludeKeyBlock

Any value interpreted as non-zero (e.g. "1") puts the used public key into a data signature. This embedded key is stripped down to a single user id and includes only the signing subkey and all valid encryption subkeys. This option is the OpenPGP counterpart to the S/MIME feature of embedding the certificates into signatures. It allows the recipient of a signed message to reply encrypted to the sender without first using any online directories to lookup the key. Used together with AutoKeyImport. [since 3.1.24.0]

TrustedKey1
The value specifies a fixed trust root (trusted-key). If more than one trust root is required, the entries TrustedKey2, TrustedKey3, TrustedKey4, TrustedKey5 may also be used. Take care to specify the 40 hex-digit fingerprint of those trusted keys.
EncryptTo1
The value specifies a key which is always used in addition to the specified recipient keys. This may be used for an archival key. A second and third such key may be given using EncryptTo2 and EncryptTo3. Please use the 40 hex-digit fingerprint as value and not a user name or the shorter key-id. [since 3.1.20.7]
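As an added example (not part of this reference or of the GnuPG distribution), the following PowerShell writes engine settings under the HKLM key named above, always as REG_SZ as the reference requires, and validates TrustedKeyN and EncryptToN fingerprints before writing them. The function names are this example's own, and the fingerprints in the usage lines are constructed placeholders, not real keys. An elevated session is needed for HKLM.

```powershell
# Added example, not from the reference or the GnuPG project.
# Writes GnuPG engine settings as REG_SZ and validates fingerprint entries.
# Run in an elevated (administrator) PowerShell session.

$GnuPgKey = 'HKLM:\SOFTWARE\WOW6432Node\GNU\GnuPG'

function Set-GnuPgSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [string]$Key = $GnuPgKey
    )
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    $regKey = Get-Item -Path $Key
    # The reference requires string values even for numbers, so an existing
    # value of another type (for example REG_DWORD) is removed and recreated.
    if ($regKey.GetValueNames() -contains $Name) {
        $kind = $regKey.GetValueKind($Name).ToString()
        if ($kind -notin @('String', 'ExpandString')) {
            Write-Warning "$Name exists as $kind; recreating it as REG_SZ"
            Remove-ItemProperty -Path $Key -Name $Name
        }
    }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

function ConvertTo-Fingerprint {
    # Accepts the spaced display form and returns 40 upper-case hex digits.
    # Rejects short key IDs and user IDs, which the reference says not to use.
    param([Parameter(Mandatory)][string]$Text)
    $fpr = ($Text -replace '\s', '').ToUpperInvariant()
    if ($fpr -notmatch '^[0-9A-F]{40}$') {
        throw "Not a 40 hex-digit fingerprint: '$Text'"
    }
    return $fpr
}

function Set-GnuPgFingerprintList {
    # Fills TrustedKey1..5 or EncryptTo1..3 in order and deletes any
    # leftover higher-numbered entries from an earlier configuration.
    param(
        [Parameter(Mandatory)][ValidateSet('TrustedKey', 'EncryptTo')][string]$Prefix,
        [Parameter(Mandatory)][string[]]$Fingerprints
    )
    $max = if ($Prefix -eq 'TrustedKey') { 5 } else { 3 }
    if ($Fingerprints.Count -gt $max) {
        throw "$Prefix supports at most $max entries (got $($Fingerprints.Count))"
    }
    $n = 1
    foreach ($f in $Fingerprints) {
        Set-GnuPgSetting -Name "$Prefix$n" -Value (ConvertTo-Fingerprint -Text $f)
        $n++
    }
    for ($i = $n; $i -le $max; $i++) {
        Remove-ItemProperty -Path $GnuPgKey -Name "$Prefix$i" -ErrorAction SilentlyContinue
    }
}

# Usage with constructed placeholder fingerprints (not real keys):
Set-GnuPgSetting -Name 'NewKeyAlgo' -Value 'rsa3072'
Set-GnuPgSetting -Name 'DisableWKD' -Value '1'
Set-GnuPgFingerprintList -Prefix 'TrustedKey' -Fingerprints @(
    '0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
)
Set-GnuPgFingerprintList -Prefix 'EncryptTo' -Fingerprints @(
    'FEDCBA9876543210FEDCBA9876543210FEDCBA98'
)
Get-ItemProperty -Path $GnuPgKey | Format-List -Property NewKeyAlgo, DisableWKD, TrustedKey1, EncryptTo1
```

Two points worth keeping in mind when using this: a TrustedKeyN entry turns the named key into a trust root for every user of the machine, so only a fingerprint you have verified out of band belongs there; and because EncryptToN keys are added to every encryption, whoever holds the private half of an archival key can read all mail the clients produce, so that key needs the same protection as the data it unlocks.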

S/MIME related settings

DisableUserTrustlist
Any value interpreted as non-zero (e.g. "1") entirely ignores the user's trustlist.txt and considers only the global trustlist. [since 3.1.24.0]
SysTrustlistFile
The list of trusted root certificates is distributed in a file named trustlist.txt. This option allows specifying another file for this list. This is needed to avoid a custom version of the list being overwritten by a software update. [since 3.1.24.0]
GpgsmCompatibility
Set compatibility flags to work around problems due to non-compliant certificates or data. The flags are given as a comma separated list of flag names and are OR-ed together. This option should only be set in special cases when advised by the GnuPG.com support. [since 3.1.23.0]

Private key related settings

Note: These settings do not affect smart card PINs.

CacheTime
The number of seconds a password is cached after its last use. Re-triggered with each use. Defaults to 900 (15 minutes). This entry is looked up under HKCU with a fallback to HKLM.
CacheTimeMax
The number of seconds a password is cached after its first use. Defaults to 3600 (1 hour). This entry is looked up under HKCU with a fallback to HKLM.
MinPasswordLen
The minimum number of characters required for a password. The default is 9. Note that in addition to this value the regular expressions in asymrules.txt and symrules.txt also take effect. [since 3.1.21.1]
SymrulesFile
The patterns defining the rules for symmetric passwords are distributed in a file named symrules.txt. This option allows specifying another file for these patterns. Use only if advised to do so. [since 3.1.21.3]
AsymrulesFile
The patterns defining the rules for passwords that protect private keys are distributed in a file named asymrules.txt. This option allows specifying another file for these patterns. Use only if advised to do so. [since 3.1.21.3]

Network related settings

NtdsKeyserver

The value specifies an Active Directory authenticated LDS server name for OpenPGP keys. If a non-standard port is used it must be given delimited by a colon. Examples: "openpgp-lds", "keyserver.example.com:8389".

Keyserver

A full keyserver specification string; used only if NtdsKeyserver is not set. The default is "ldap:///" to specify an OpenPGP keyserver as part of the AD. In case of initial delays in name resolution with LDAP servers on Windows, it is often useful to use a value like

openpgp-lds:::::starttls,ntds,areconly

instead of NtdsKeyserver or the URL format.

Ldapserver

A full LDAP server specification string. This will be used as the default LDAP server for X.509 certificate lookup. For example

ldap.example.com:::::starttls,ntds

uses the given server in StartTLS mode with AD authentication. For password-based authentication a value of the following form can be used

ldap.example.com::username:mypassword::starttls

[since 3.1.21.1]
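The Keyserver and Ldapserver examples above share one colon-delimited format, and a misplaced colon silently changes which field a value lands in. As an added example (not from this reference or from the GnuPG project), the following PowerShell builds the specification from named parameters and decodes a stored one for checking. The field order HOST:PORT:USER:PASSWORD:BASEDN:FLAGS is inferred from the examples on this page; the field names are this script's own, and flag names are not validated.

```powershell
# Added example, not from the reference or the GnuPG project.
# Builds and parses the colon-delimited server specification used by the
# Keyserver and Ldapserver entries. The field order
#   HOST:PORT:USER:PASSWORD:BASEDN:FLAGS
# is inferred from the examples in this reference; the field names are this
# script's own and flag names are passed through unchecked.

function New-LdapServerSpec {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 0,
        [string]$User = '',
        [string]$Password = '',
        [string]$BaseDn = '',
        [string[]]$Flags = @()
    )
    foreach ($field in (@($HostName, $User, $Password, $BaseDn) + $Flags)) {
        if ($field -match ':') {
            throw "Field '$field' contains ':', the specification delimiter"
        }
    }
    if ($Password) {
        # HKLM\SOFTWARE is readable by every local user, so a password stored
        # there is not a secret; prefer the ntds flag (AD authentication).
        Write-Warning 'Password will be stored in plain text under HKLM; prefer the ntds flag.'
    }
    $portText = if ($Port -gt 0) { [string]$Port } else { '' }
    return (@($HostName, $portText, $User, $Password, $BaseDn, ($Flags -join ',')) -join ':')
}

function ConvertFrom-LdapServerSpec {
    param([Parameter(Mandatory)][string]$Spec)
    $parts = @($Spec -split ':')
    if ($parts.Count -gt 6) {
        throw "Expected at most 6 colon-separated fields, got $($parts.Count): '$Spec'"
    }
    # Trailing empty fields may be omitted; pad so every field has an index.
    while ($parts.Count -lt 6) { $parts += '' }
    [pscustomobject]@{
        HostName = $parts[0]
        Port     = if ($parts[1]) { [int]$parts[1] } else { $null }
        User     = $parts[2]
        Password = $parts[3]
        BaseDn   = $parts[4]
        Flags    = @($parts[5] -split ',' | Where-Object { $_ })
    }
}

# The two forms shown above, rebuilt from parameters instead of counted colons:
$keyserverSpec = New-LdapServerSpec -HostName 'openpgp-lds' -Flags 'starttls', 'ntds', 'areconly'
$ldapSpec      = New-LdapServerSpec -HostName 'ldap.example.com' -Flags 'starttls', 'ntds'

$key = 'HKLM:\SOFTWARE\WOW6432Node\GNU\GnuPG'
if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'Keyserver'  -Value $keyserverSpec -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name 'Ldapserver' -Value $ldapSpec      -PropertyType String -Force | Out-Null

# Read back and decode what is actually stored:
ConvertFrom-LdapServerSpec -Spec (Get-ItemProperty -Path $key -Name 'Ldapserver').Ldapserver | Format-List
```

The builder refuses any field containing a colon rather than trying to escape it, because the format has no quoting; if a value really needs one, the URL form of the Keyserver entry is the alternative.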

HttpProxy

If set, specifies a proxy for HTTP. For example "proxy.local:8080" or "authstring@proxy.local:8080".

LdapProxy

If set, specifies a proxy for LDAP. For example "proxy.local:8389".

OnlyLdapProxy

If set, LDAP will only be accessed through the LDAP proxy.

IgnoreHttpDP

Any value interpreted as non-zero (e.g. "1") disables the use of HTTP CRL distribution points.

IgnoreLdapDP

Any value interpreted as non-zero (e.g. "1") disables the use of LDAP CRL distribution points.

DisableIPv4

Any value interpreted as non-zero (e.g. "1") disables the use of the IPv4 protocol. Used in case of problems with IPv4 connections. [since 3.1.24.0]

DisableIPv6

Any value interpreted as non-zero (e.g. "1") disables the use of the IPv6 protocol. Used in case of problems with IPv6 connections. [since 3.1.24.0]

ResolverTimeout

The timeout value in seconds for DNS requests. The default is 30 seconds. [since 3.1.24.0]

ConnectTimeout

The timeout value in seconds for all HTTP, HTTPS, and other TCP connection attempts. The default is 15 seconds. For LDAP connections the native Windows settings must be used. [since 3.1.24.0]

ConnectQuickTimeout

Like ConnectTimeout but for connection attempts which are required to happen fast. The default is 2 seconds. [since 3.1.24.0]

Smart card related settings

ReaderPort
The smart card reader to use. The GUI has an option to show all detected readers in the settings menu. The exact string needs to be entered. This entry is looked up under HKCU with a fallback to HKLM. If this entry is not set and there is no local override the reader to use is determined by a simple heuristic.
SharePort
Any value interpreted as non-zero (e.g. "1") enables the option pcsc-shared. This allows GnuPG VS-Desktop and the other software to access the same card.
DisableSCD
Any value interpreted as non-zero (e.g. "1") entirely disables smart card support. [since 3.1.20.7]

Windows Explorer related settings

GpgExDefault

The default command available on right-click of unencrypted files or folders. The value must be a string value (REG_SZ) containing the number. [since 3.1.22.0] Valid values are:

  • 0: Help
  • 1: Decrypt & Verify
  • 2: Decrypt
  • 3: Verify
  • 4: Sign & Encrypt
  • 5: Encrypt
  • 6: Sign
  • 7: Import
  • 8: Create Checksums
  • 9: Verify Checksums
  • 11: About

Outlook Add-In related

The Add-In does not directly use config files but takes all parameters from the Registry.

The key for all entries is SOFTWARE\WOW6432Node\GNU\GpgOL below HKEY_LOCAL_MACHINE (HKLM) unless noted otherwise. The type of all entries is string (REG_SZ or REG_EXPAND_SZ). Except for the options "draftKey" and "smimeNoCertSigErr", the values of the settings are either "1" or "0".

An additional "!" after the number enforces the setting, otherwise users can change them through the configuration dialog. User changes are stored below HKEY_CURRENT_USER. e.g.: A value of "1!" enforces an option to be enabled.

enableSmime
Enables S/MIME support. Default: 0
preferSmime
If S/MIME and OpenPGP certificates are available, S/MIME gets preferred. Depends on enableSmime. Default: 0
smimeNoCertSigErr
Text for the error window which appears when "signDefault" and "preferSmime" are configured but no S/MIME key is present. The default text is:
No S/MIME (X509) signing certificate found.
Your organization has configured GpgOL to sign outgoing
mails with S/MIME certificates but there is no S/MIME
certificate configured for your mail address.
Please ask your Administrators for assistance or switch
to OpenPGP in the next dialog.
searchSmimeServers
Search and import X509 certificates in the configured directory services. The directory services need to be configured in Kleopatra or with the Ldapserver registry key of GnuPG. Depends on enableSmime. Default: 0
signDefault
Always sign new messages by default
encDefault
Always encrypt new messages by default
replyCrypt
Select crypto settings automatically for reply and forward. So a reply/forward will be signed when the original mail was signed, encrypted when it was encrypted, or both. Default: 1
inlinePGP
Send OpenPGP mails without attachments as PGP/Inline. PGP/Inline means that the text body of the mail will contain an ASCII-armored PGP message, similar to the Kleopatra Notepad behavior. This option is mostly relevant to help recipients with clients that have no PGP support, as they can copy the contents of the mail to Kleopatra for decryption. Default: 0
alwaysShowApproval
Always show the security approval dialog. Default: 0
autoimport
Import any keys included in mails. Default: 0
autoresolve
Resolve and search for recipient keys automatically. Depending on the GnuPG settings this might include external sources. By default LDAP (LDS) and WKD sources are included in the search. Default: 1
autosecure
Automatically secure messages if keys are found. Depends on autoresolve. Default: 0
hideCryptoConfig
Hide the GnuPG-System config settings in the options. Default: 0
draftEnc
Set this to 1 to enable draft encryption. Without draftKey this will lead to an error until the user sets the draftKey through the settings dialog. Default: 0
draftKey
The fingerprint of the S/MIME or OpenPGP certificate to use for draft / autosave encryption if draftEnc is enabled. Set this to the special value: "auto" to have GpgOL autoselect the first ultimately trusted secret key on the next Outlook start. Depends on draftEnc. No default.
If draftEnc is enabled and draftKey is not set the user will be notified that a key must be set manually.

Additional values may be placed by the Add-In under the user registry key but are mostly treated as internal values.
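As an added example (not part of this reference or of GpgOL), the following PowerShell writes Add-In settings under HKLM with the "!" enforcement suffix described above and reports, for each setting, whether it is locked and whether a per-user value exists. It assumes that the per-user copies live under HKCU:\SOFTWARE\GNU\GpgOL; the reference only says they are stored below HKEY_CURRENT_USER, so that path is a parameter. The function names and the sample policy are this example's own.

```powershell
# Added example, not from the reference or the GpgOL project.
# Writes GpgOL Add-In settings under HKLM with the "!" enforcement suffix and
# reports which of them a user could (or did) override.
# Assumption: per-user copies live under HKCU:\SOFTWARE\GNU\GpgOL; the
# reference only says "below HKEY_CURRENT_USER", so adjust $GpgOlUserKey
# if your installation stores them elsewhere.

$GpgOlKey         = 'HKLM:\SOFTWARE\WOW6432Node\GNU\GpgOL'
$GpgOlUserKey     = 'HKCU:\SOFTWARE\GNU\GpgOL'
$FreeTextSettings = @('draftKey', 'smimeNoCertSigErr')   # everything else is "0" or "1"

function Set-GpgOlSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [switch]$Enforce
    )
    if ($Name -in $FreeTextSettings) {
        if ($Enforce) { throw "The '!' suffix is described only for 0/1 values, not for $Name" }
        $stored = $Value
    } else {
        if ($Value -notin @('0', '1')) { throw "$Name takes '0' or '1', got '$Value'" }
        $stored = if ($Enforce) { "$Value!" } else { $Value }
    }
    if (-not (Test-Path -Path $GpgOlKey)) { New-Item -Path $GpgOlKey -Force | Out-Null }
    New-ItemProperty -Path $GpgOlKey -Name $Name -Value $stored -PropertyType String -Force | Out-Null
}

function Get-GpgOlSettingState {
    # Resolves one setting the way the reference describes: an enforced HKLM
    # value wins; otherwise a per-user value under HKCU, if present, applies.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$UserKey = $GpgOlUserKey
    )
    $machine  = (Get-ItemProperty -Path $GpgOlKey -Name $Name -ErrorAction SilentlyContinue).$Name
    $user     = (Get-ItemProperty -Path $UserKey  -Name $Name -ErrorAction SilentlyContinue).$Name
    $enforced = [bool]($machine -and $machine.EndsWith('!'))
    $effective = if ($enforced -or -not $user) { $machine -replace '!$', '' } else { $user }
    [pscustomobject]@{
        Name      = $Name
        Machine   = $machine
        Enforced  = $enforced
        User      = $user
        Effective = $effective
    }
}

# Sample policy: S/MIME available and preferred, sign and encrypt by default,
# all locked; automatic key import from incoming mail stays off but may be
# changed by the user; draft encryption on with the first trusted secret key.
Set-GpgOlSetting -Name 'enableSmime' -Value '1' -Enforce
Set-GpgOlSetting -Name 'preferSmime' -Value '1' -Enforce
Set-GpgOlSetting -Name 'signDefault' -Value '1' -Enforce
Set-GpgOlSetting -Name 'encDefault'  -Value '1' -Enforce
Set-GpgOlSetting -Name 'autoimport'  -Value '0'
Set-GpgOlSetting -Name 'draftEnc'    -Value '1' -Enforce
Set-GpgOlSetting -Name 'draftKey'    -Value 'auto'

@('enableSmime', 'preferSmime', 'signDefault', 'autoimport', 'draftKey') |
    ForEach-Object { Get-GpgOlSettingState -Name $_ } |
    Format-Table -AutoSize
```

With signDefault and preferSmime both enforced, a user without an S/MIME certificate for their address sees the smimeNoCertSigErr dialog on every new mail, so roll out certificates before locking those two. Leaving autoimport at 0 is the conservative choice: keys carried in incoming mail are supplied by the sender and carry no trust of their own.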

Installer related settings

The installer records the installation directory of the engine under the key SOFTWARE\WOW6432Node\GnuPG below HKLM in an entry named "Install Directory". Note that the key is different from the other GnuPG related keys. For the installation settings see the Installation Page.