does gpg cope with very large key sizes

David Shaw dshaw at jabberwocky.com
Thu Sep 10 05:09:49 CEST 2009


On Sep 9, 2009, at 6:43 PM, Philippe Cerfon wrote:

> Hi list and GnuPG developers!
>
> Let me introduce myself... I'm Philippe Cerfon and I'm currently taking some crypto lectures, including all those fancy algorithms and so on ;-)
> Out of curiosity I was starting a test series on how key creation time and encryption/signing time relate to key sizes.
> I soon found out that gpg puts a limit on keys at 4096 bits, which is surely reasonable for the real world but somewhat disturbing for my test.
>
> I was looking into the gnupg mailing list archives and found out that gpg is said to be able to work with larger keys. I've also seen that this topic is somewhat critical, so to say it in advance... this is only for trying and playing :)
>
> So I grepped the sources (for both version 1.x and 2.x) and found that the limit is enforced here:
> g10/keygen.c:  unsigned nbits, min, def=2048, max=4096;

Yes.

> So all I must do is e.g. set max = 65536 or even something higher ;-)
> Right so far?

Right, but you may be surprised how long it takes to generate a really massive key.  The key generation code is single-threaded, and generally not optimized for really big keys.

> So my questions now are:
> - Is it done with changing the max, or would I have to change some other places too in order to make everything work correctly (e.g. these max_length's or so)?

You should be okay with changing the ones in keygen.c.

> - Or is everything ok... and there's just this max=something in g10/keygen.c where you save users from shooting themselves in the feet by creating too large keys, but nothing else?

Pretty much true if your goal is to just do performance testing with different sizes.  I certainly wouldn't actually use such a key in the real world, though.

David
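The kind of test series Philippe describes, as an added example that is not part of the thread or of GnuPG itself: a POSIX shell script that generates one RSA key per requested size in a throwaway GNUPGHOME via unattended (batch) key generation and reports the wall-clock seconds each one took. It assumes GnuPG 2.1 or later (for `%no-protection` in the parameter file); sizes above 4096 bits only work with a gpg whose `max` in g10/keygen.c has been raised, as discussed above.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): time unattended RSA key
# generation for a list of key sizes, each in its own temporary GNUPGHOME.
# Assumes GnuPG 2.1+. Sizes above 4096 need a gpg built with the limit in
# g10/keygen.c raised; a stock gpg does not honour them.

# Emit the batch parameter file for one RSA signing key of NBITS bits.
# Name/email values are constructed for the test and carry no meaning.
gen_params() {
    nbits=$1
    printf '%s\n' \
        "Key-Type: RSA" \
        "Key-Length: $nbits" \
        "Key-Usage: sign" \
        "Name-Real: keysize test $nbits" \
        "Name-Email: test-$nbits@example.invalid" \
        "Expire-Date: 1d" \
        "%no-protection" \
        "%commit"
}

# Generate one key of NBITS bits in a temporary home; print whole seconds
# taken (coarse, but enough to see the growth), or "gpg-missing".
time_keygen() {
    nbits=$1
    command -v gpg >/dev/null 2>&1 || { echo "gpg-missing"; return 0; }
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gen_params "$nbits" > "$home/params"
    start=$(date +%s)
    gpg --homedir "$home" --batch --quiet --gen-key "$home/params" 2>/dev/null
    rc=$?
    end=$(date +%s)
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null   # stop the per-home agent
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1
    echo $((end - start))
}

# Run the series over every size given, printing "<bits> <seconds>".
run_series() {
    for n in "$@"; do
        secs=$(time_keygen "$n") || { echo "$n failed"; continue; }
        echo "$n $secs"
    done
}

# Usage: sh keysize-series.sh 1024 2048 4096
if [ "$#" -gt 0 ]; then run_series "$@"; fi
```

Each size uses a fresh home directory, so no key from the series ends up in your real keyring.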
