8k Key Generation via Keychain Access not possible + 8k key creation via Terminal not working
GPG Keychain Access 1.1.2 (3772107) (848n)
Only just come across this tool as I'm ex Windows now using Mavericks
Please describe what you did expect instead
It looks like I can generate 8k keys via the command line/Terminal app but I was surprised that the front-end doesn't accommodate. Is there a reason and will I have a problem if I generate an 8k key?
Support Staff 1 Posted by Steve on 19 Sep, 2014 11:50 AM
Hi Dave,
well, gnupg defaults to 2048 bit keys currently. GPG Suite (nightly) and the next stable release do default to 4096 bit keys. While 8k keys do exist, we see little practical benefit above 4k keys. So we do not offer a UI solution. If you really know what you are doing and have a real need for an 8k key, you can always fall back to the Terminal.
All the best, steve
2 Posted by JonasHansen on 08 Nov, 2014 06:25 PM
I just want to point out that knowingly lowering the overall security in the gpgtools is a really bad call, both because the primary goal for your app should be as great security as possible, because the extra clock cycles are negligible and because several crypto experts have commented that we should already now be defaulting to 8k keys.
3 Posted by Baris Kayadelen on 10 Nov, 2014 09:07 AM
Hi,
I tried to generate an 8K key using the terminal. During the password phase it failed. Looks like the max supported is 4K:
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 8192 bits long.
What keysize do you want? (2048) 8192
Requested keysize is 8192 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 4y
Key expires at Fri Nov 9 10:50:43 2018 EET
Is this correct? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: keysize invalid; using 4096 bits
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: keysize invalid; using 4096 bits
gpg: key xxxxxxx marked as ultimately trusted
public and secret key created and signed.
Support Staff 4 Posted by Steve on 11 Nov, 2014 11:43 AM
Hi Jonas,
can you link some of the crypto experts suggesting 8k keys as a default?
The current debate still seems to be about 2k vs. 4k keys (gnupg defaults to 2k). We've disabled 1k keys in the beta and set the default to 4k keys. So we have not "knowingly lowered the overall security". Quite the opposite is true. We have changed our default from 2048 to 4096.
We'll look into the 8k Terminal issue reported by Baris soon.
5 Posted by Baris Kayadelen on 14 Jan, 2015 08:39 AM
Hi Steve,
GPG Suite Beta 4 still has a problem creating 8K signatures. Is there any news about this issue?
Support Staff 6 Posted by Luke Le on 13 Feb, 2015 06:02 PM
Hi Baris,
we've since released Beta 5 and it's very much possible that the issue is fixed.
Could you test with Beta 5 and let us know what you find?
Thanks.
7 Posted by Baris Kayadelen on 14 Feb, 2015 11:48 AM
Hi Luke,
I downloaded the latest version of GPG Suite Beta 5 and tried to generate 8k keys. It seems the problem continues. My OS and gpg version are below.
Mac OS X Yosemite 10.10.2
GPGMail 2.5b5 Built 891b
gpg (GnuPG/MacGPG2) 2.0.26
GPG Keychain Version 1.2b5 (1010b)
gpg (GnuPG/MacGPG2) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 8192 bits long.
What keysize do you want? (2048) 8192
Requested keysize is 8192 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 4y
Key expires at Wed Feb 13 13:35:12 2019 EET
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: XXXX XXXXXXX
Email address: [email blocked]
Comment:
You selected this USER-ID:
"XXXX XXXXXXX [email blocked]"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: keysize invalid; using 4096 bits
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: keysize invalid; using 4096 bits
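Added example, not part of any post in this thread and not GPGTools code: in the sessions above gpg only prints "keysize invalid; using 4096 bits" and carries on, so this checks the size of the key that was actually created by parsing the machine-readable `--with-colons` listing. The sample listing is constructed, and the function names `keysize_mismatches` and `keysize_ok` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons` output (not from the thread).
# Field 1 = record type, field 3 = key length in bits,
# field 4 = public-key algorithm (1 = RSA), field 5 = key ID.
SAMPLE_LISTING='pub:u:4096:1:AAAAAAAAAAAAAAAA:1423913712:1550144112::u:::scESC:
uid:u::::1423913712::0000000000000000000000000000000000000000::Example User <user@example.invalid>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1423913712:1550144112:::::e:'

# Read a colon listing on stdin and print "<type> <keyid> <bits>" for every
# RSA primary key or subkey whose length differs from the requested size ($1).
keysize_mismatches() {
    awk -F: -v want="$1" '
        ($1 == "pub" || $1 == "sub") && $4 == 1 && $3 != want {
            print $1, $5, $3
        }'
}

# Exit status 0 only if every RSA key in the listing has the requested size.
keysize_ok() {
    [ -z "$(keysize_mismatches "$1")" ]
}

# Against a real keyring (KEYID is a placeholder for your own key ID):
#   gpg --list-keys --with-colons KEYID | keysize_ok 8192 || echo "key was downgraded"
printf '%s\n' "$SAMPLE_LISTING" | keysize_mismatches 8192
```

Both the primary key and the encryption subkey are reported, matching the two "keysize invalid" lines gpg printed during generation.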
8 Posted by Ville Määttä on 17 Feb, 2015 11:03 PM
Hi Baris, Jonas,
… and others asking for 8192 keys. Please do not. They don't add to your security in the least. They cause issues with compatibility. They cause other issues. They are not enabled in the upstream official GPG release for many reasons. Sometimes someone rebuilds GPG to allow 8192 keys but it is not possible by default. For a reason.
It will not increase security and all it will achieve is problems. So please just use 4096 keys if you want a large RSA key. In the future you will get the option of using ECC keys which will increase the encryption quality without increase, and in fact with a decrease, in key size.
Steve closed this discussion on 27 Feb, 2015 03:06 PM.
Steve closed this discussion on 26 Mar, 2015 03:02 PM.