Refreshing private key

Daniel Kahn Gillmor dkg at
Thu Dec 18 17:49:27 CET 2014

On 12/18/2014 10:24 AM, Robert J. Hansen wrote:
>> My current key is 2048 bits in length and I would like to have
>> something that is closer to 8192 bits in length. Is there a way that
>> I can accomplish this...
> Definitely not from GnuPG, and probably not from without it, either.

There are clearly tools that you can use to make larger keys than
4096-bit RSA, e.g. gnutls-bin + monkeysphere:

certtool -p --bits 8192 | pem2openpgp 'Test User <test at>'

(this will produce a binary-formatted OpenPGP key on stdout, so you
probably want to send it to a file or something)

but I don't recommend trying to do this, because these larger RSA keys
are expensive to use compared to the marginal extra security, and their
signatures are large.

I recommend sticking with 4096-bit RSA for now; for stronger keys you'll
eventually want to move to a large ECC key (though the choices we have
at the moment for ECC have some shadow of suspicion over them).

> Further, you cannot change the length of the primary subkey on a
> certificate.

"primary subkey" doesn't make much sense.  I'm pretty sure Robert means
"primary key".


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20141218/12dbf780/attachment.sig>

More information about the Gnupg-users mailing list