gnupg: GPG Configuration
4.3 Configuration files
=======================
There are a few configuration files to control certain aspects of
'gpg2''s operation. Unless noted, they are expected in the current home
directory (option --homedir).
'gpg.conf'
This is the standard configuration file read by 'gpg2' on startup.
It may contain any valid long option; the leading two dashes may
not be entered and the option may not be abbreviated. This default
name may be changed on the command line (gpg-option
--options). You should backup this file.
Note that on larger installations, it is useful to put predefined
files into the directory '/etc/skel/.gnupg' so that newly created users
start up with a working configuration. For existing users a small
helper script is provided to create these files (addgnupghome).
For internal purposes 'gpg2' creates and maintains a few other files;
They all live in the current home directory (option --homedir).
Only the 'gpg2' program may modify these files.
'~/.gnupg'
This is the default home directory which is used if neither the
environment variable 'GNUPGHOME' nor the option '--homedir' is
given.
'~/.gnupg/pubring.gpg'
The public keyring. You should backup this file.
'~/.gnupg/pubring.gpg.lock'
The lock file for the public keyring.
'~/.gnupg/pubring.kbx'
The public keyring using a different format. This file is shared
with 'gpgsm'. You should backup this file.
'~/.gnupg/pubring.kbx.lock'
The lock file for 'pubring.kbx'.
'~/.gnupg/secring.gpg'
A secret keyring as used by GnuPG versions before 2.1. It is not
used by GnuPG 2.1 and later.
'~/.gnupg/secring.gpg.lock'
The lock file for the secret keyring.
'~/.gnupg/.gpg-v21-migrated'
File indicating that a migration to GnuPG 2.1 has been done.
'~/.gnupg/trustdb.gpg'
The trust database. There is no need to backup this file; it is
better to backup the ownertrust values (option
--export-ownertrust).
'~/.gnupg/trustdb.gpg.lock'
The lock file for the trust database.
'~/.gnupg/random_seed'
A file used to preserve the state of the internal random pool.
'~/.gnupg/openpgp-revocs.d/'
This is the directory where gpg stores pre-generated revocation
certificates. The file name corresponds to the OpenPGP fingerprint
of the respective key. It is suggested to backup those
certificates and if the primary private key is not stored on the
disk to move them to an external storage device. Anyone who can
access theses files is able to revoke the corresponding key. You
may want to print them out. You should backup all files in this
directory and take care to keep this backup closed away.
Operation is further controlled by a few environment variables:
HOME
Used to locate the default home directory.
GNUPGHOME
If set directory used instead of "~/.gnupg".
GPG_AGENT_INFO
This variable is obsolete; it was used by GnuPG versions before
2.1.
PINENTRY_USER_DATA
This value is passed via gpg-agent to pinentry. It is useful to
convey extra information to a custom pinentry.
COLUMNS
LINES
Used to size some displays to the full size of the screen.
LANGUAGE
Apart from its use by GNU, it is used in the W32 version to
override the language selection done through the Registry. If used
and set to a valid and available language name (LANGID), the file
with the translation is loaded from 'GPGDIR/gnupg.nls/LANGID.mo'.
Here GPGDIR is the directory out of which the gpg binary has been
loaded. If it can't be loaded the Registry is tried and as last
resort the native Windows locale system is used.