2048 or 4096 for new keys? aka defaults vs. Debian [doc patch]

Sylvain beuc at beuc.net
Sat Oct 26 21:40:09 CEST 2013

Hi Werner,

On Sat, Oct 26, 2013 at 02:13:15PM +0200, Werner Koch wrote:
> Instead of discussing these numbers the time could be much better used to
> audit the used software (firmware, OS, libs, apps).

Thanks for your answer.  To foster spending less time on these
discussions, how about this? :)

--- faq.org.orig	2013-10-26 21:37:35.500209973 +0200
+++ faq.org	2013-10-26 21:37:25.340945491 +0200
@@ -244,22 +244,27 @@
    :CUSTOM_ID: what-is-the-recommended-key-size
-    1024 bit for DSA signatures; even for plain Elgamal signatures.
-    This is sufficient as the size of the hash is probably the weakest
-    link if the key size is larger than 1024 bits. Encryption keys may
-    have greater sizes, but you should then check the fingerprint of
-    this key:
+    GnuPG comes with a default recommended preset, which 2048 bits
+    primary RSA key as of 2013.
-    : $ gpg --fingerprint <user ID>
+    There are regularly discussions about using 4096 primary RSA keys.
+    Well, there is no benefit of overly large keys on average
+    computers.  After all the goal is not to have large key but to
+    protect something.  Now, if you want to protect something you need
+    to think like the attacker - what will an attacker do to get the
+    plaintext (or fake a signature)?  Spend millions on breaking a few
+    2k keys (assuming this is at all possible within the next decade)
+    or buy/develop/use a zero-day exploit?
-    As for the key algorithms, you should stick with the default (i.e.,
-    DSA signature and Elgamal encryption). An Elgamal signing key has
-    the following disadvantages: the signature is larger, it is hard
-    to create such a key useful for signatures which can withstand some
-    real world attacks, you don't get any extra security compared to
-    DSA, and there might be compatibility problems with certain PGP
-    versions. It has only been introduced because at the time it was
-    not clear whether there was a patent on DSA.
+    Also, 4096 keys have a few inconveniences: they increase the size
+    of the signatures and thus make the keyrings longer and, worse,
+    computing the web of trust takes much longer - not on your high
+    end desktop machine but on old laptops, and phones where it drains
+    the battery faster.
+    Instead of discussing these numbers the time could be much better
+    use to audit the used software (firmware, OS, libs, apps), which
+    often are the weak link of the security chain.
 ** Why does it sometimes take so long to create keys?
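Review bot: The new opening sentence, "GnuPG comes with a default recommended preset, which 2048 bits primary RSA key as of 2013.", has no verb in its relative clause and never states the recommendation that the entry's ID (what-is-the-recommended-key-size) promises. I would suggest something like "The recommended key size is the GnuPG default, which as of 2013 is a 2048-bit primary RSA key." Further down, "could be much better use to audit" should read "used to audit", and "4096 primary RSA keys" / "4096 keys" should say "4096-bit". The added paragraphs also keep the conversational tone of the mail they come from ("Well, ...", the rhetorical question about zero-days), which reads oddly in a FAQ answer; a short declarative statement of the trade-off (larger signatures and keyrings, slower web of trust computation on old laptops and phones) would fit better. Finally, the hunk drops the `gpg --fingerprint <user ID>` hint and the whole DSA/Elgamal paragraph without a replacement; if the intent is that the FAQ no longer gives algorithm guidance or points readers at fingerprint checking, that should be said in the change description, otherwise a sentence telling readers to stay with the default algorithm should remain.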

