# home-manager module: GnuPG client (gpg.conf) and gpg-agent configuration.
#
# Module arguments: `pkgs` (nixpkgs) and `hyper`, supplied by the caller;
# only `hyper.home` is read here, as the base path of the GnuPG home directory.
{ pkgs, ... }@all:
let
  # The agent's cache TTLs below are written in minutes; gpg-agent expects seconds.
  minutes = m: m * 60;

  # Algorithm preferences, strongest first. The same lists are reused for the
  # personal-* preferences and for the default preference list written into
  # newly generated keys, so the two cannot drift apart.
  digestPrefs = "SHA512 SHA384 SHA256";
  cipherPrefs = "AES256 AES192 AES";
  compressPrefs = "ZLIB BZIP2 ZIP Uncompressed";
in
{
  # pinentry is what gpg-agent launches to ask for a passphrase when gpg is not
  # running in loopback mode (see pinentry-mode below).
  home.packages = [ pkgs.pinentry-all ];

  programs.gpg = {
    enable = true;
    package = pkgs.gnupg;

    # Keyring and secret keys live under the user's vault instead of ~/.gnupg.
    # gpg warns at startup if this directory is not private (mode 0700).
    homedir = "${all.hyper.home}/vault/gnupg";

    # Rendered into gpg.conf; boolean true emits the bare option name.
    settings = {
      # ASCII-armored output by default.
      armor = true;
      # Digest used when certifying (signing) other keys.
      cert-digest-algo = "SHA512";
      charset = "utf-8";
      # Preference list stored in keys generated with this configuration.
      default-preference-list = "${digestPrefs} ${cipherPrefs} ${compressPrefs}";
      # 64-bit key IDs with a 0x prefix in listings.
      keyid-format = "0xlong";
      list-options = "show-uid-validity";
      # Drop the Comment: and Version: headers from armored output; they only
      # advertise the local setup to whoever receives the data.
      no-comments = true;
      no-emit-version = true;
      no-greeting = true;
      # Do not let the agent cache passphrases used for symmetric encryption.
      no-symkey-cache = true;
      personal-cipher-preferences = cipherPrefs;
      personal-compress-preferences = compressPrefs;
      personal-digest-preferences = digestPrefs;
      # Loopback: gpg collects the passphrase itself instead of having the agent
      # spawn a pinentry dialog. The passphrase therefore passes through gpg's
      # calling process, so the isolation a pinentry dialog provides is lost.
      # Requires `allow-loopback-pinentry` on the agent side (set below).
      pinentry-mode = "loopback";
      # Reject signatures from signing subkeys that lack a back-signature from
      # their primary key.
      require-cross-certification = true;
      # String-to-key algorithms used to protect secret keys and symmetric
      # passphrases at rest.
      s2k-cipher-algo = "AES256";
      s2k-digest-algo = "SHA512";
      # GnuPG 2.x always talks to the agent; kept only for compatibility.
      use-agent = true;
      verify-options = "show-uid-validity";
      # Print full fingerprints in key listings.
      with-fingerprint = true;
    };
  };

  services.gpg-agent = {
    # The home-manager managed agent is switched off, so nothing below takes
    # effect until this is set to true. The matching `allow-loopback-pinentry`
    # must then be present in gpg-agent.conf for the loopback pinentry-mode
    # above to work.
    enable = false;
    verbose = true;

    # Keygrip (not Fingerprint!) of the [A] (authentication) subkey that the
    # agent exposes over the SSH agent protocol.
    sshKeys = [ "97081264F7FD72D890D496E839AA9A4C7892A7D8" ];
    enableSshSupport = true;
    enableFishIntegration = true;

    # How long an unlocked key stays usable without re-entering the passphrase.
    defaultCacheTtlSsh = minutes 60;
    defaultCacheTtl = minutes 30;

    extraConfig = ''
      allow-loopback-pinentry
    '';
  };
}