Question of a beginner: DSA/ElGamal or RSA/Elgamal with a higher number of encryption?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jun 26 16:39:06 CEST 2009
On 06/25/2009 06:30 AM, Alexander Delau wrote:
> I'm a beginner in encrypting E-Mails. It would be nice if you could help me
> in my question:
>
> I want to use GnuPG with a masterkey (to sign) and a subkey (to encrypt) on
> Windows XP (GnuPG 1.4.9) and Ubuntu (GnuPG ?.?.?).
>
> Now I'm not sure, what keys I should use after typing "gpg --gen-key
> --expert" and what keys are secure.
>
> DSA/ElGamal: It's the default setting, but DSA only encrypts with 1024bit.
> DSA2: I don't know if it's compatible with other versions.
> RSA/ElGamal: RSA can encrypt with 4096bit, but I read that it is more
> unsecure than DSA.
>
> So can I use the default setting DSA/ElGamal 1024/4096 or should I use RSA
> with a higher bit number?

The defaults are about to change to RSA 2048/2048 (with good reason), so
i think you're right to want to do something different than the current
(old) defaults when creating a key you plan on using for the next
several years.

However, i also echo Robert Hansen's advice to avoid the --expert flag
unless you're really already sure of what you want to do.

So:

 * use plain ol' "gpg --gen-key" (don't use --expert)
 * select RSA (Sign-Only)
 * ask for 2048 bits
 * create your key as usual, and get back out of gpg.

Then, assuming your new key is $KEYID,

 * gpg --edit-key $KEYID
 * addkey
 * choose an RSA subkey, for encryption, and make it 2048 bits

This should make gpg do what you want it to do without getting into
--expert territory.

hth,

--dkg
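
A check of the resulting key layout, as an added example that is not part of the original message or of GnuPG: the shell function below reads `gpg --with-colons --list-keys $KEYID` output and confirms an RSA signing primary of at least 2048 bits plus a usable RSA encryption subkey of at least 2048 bits. The function name is hypothetical, and the two sample listings (key IDs, dates, user ID) are constructed.

```shell
#!/bin/sh
# Colon-listing fields used: 1 record type, 2 validity (r revoked, e expired),
# 3 key length, 4 algorithm (1 RSA, 16 Elgamal, 17 DSA), 12 capabilities
# (lowercase = this key itself, uppercase on "pub" = the key as a whole).

# check_key_layout (hypothetical name): reads one key's listing on stdin,
# prints OK or FAIL with reasons, and returns 0 or 1 accordingly.
check_key_layout() {
    awk -F: '
        $1 == "pub" {
            seen_pub = 1
            if ($4 + 0 != 1)    problems = problems "primary is not RSA; "
            if ($3 + 0 < 2048)  problems = problems "primary is under 2048 bits; "
            if ($12 !~ /s/)     problems = problems "primary cannot sign; "
            if ($12 ~ /e/)      problems = problems "primary can encrypt; "
        }
        # Count only usable RSA encryption subkeys of sufficient length.
        $1 == "sub" && $2 !~ /^[re]$/ && $12 ~ /e/ && $4 + 0 == 1 && $3 + 0 >= 2048 {
            good_sub = 1
        }
        END {
            if (!seen_pub) problems = problems "no primary key in input; "
            if (!good_sub) problems = problems "no RSA encryption subkey of 2048+ bits; "
            if (problems == "") { print "OK"; exit 0 }
            print "FAIL: " problems
            exit 1
        }'
}

# Constructed sample: layout produced by the steps above (RSA 2048 + RSA 2048).
sample_new_layout() {
    printf '%s\n' \
      'pub:u:2048:1:0123456789ABCDEF:2009-06-26:::u:Example User <user@example.org>::scESC:' \
      'sub:u:2048:1:FEDCBA9876543210:2009-06-26::::::e:'
}

# Constructed sample: old default layout (DSA 1024 + Elgamal 4096).
sample_old_default() {
    printf '%s\n' \
      'pub:u:1024:17:1111111111111111:2009-06-25:::u:Example User <user@example.org>::scESC:' \
      'sub:u:4096:16:2222222222222222:2009-06-25::::::e:'
}

sample_new_layout | check_key_layout            # prints OK
sample_old_default | check_key_layout || true   # prints FAIL with three reasons
# Real use: gpg --with-colons --list-keys "$KEYID" | check_key_layout
```

The check expects the listing of a single key; pass one key ID rather than the whole keyring.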