Have the GPG factory reset functions propose/default to RSA 4096 bits keys, not 2048 #831
Comments
@kylerankin's input would be good too
We are currently using 3072 bit, it should be secure for quite some years and is faster than 4096.
3072bit is the gnupg default since version 2.2.22 btw. That is to say, once we have updated gnupg, no workaround is needed anymore.
@alex-nitrokey LTS is 2.2.21. So changing it to 4096 will need to be done manually prior to generating keys.
Do you want me to create a PR for default 4096 based on our approach?
@alex-nitrokey I think it would be a good idea. Putting my nose in the script to do the above in the next days. But if that default matches for all, it would mean I will not have to put that into config.user pushed to clients' firmware for customized OEM values, which is good. The less the better.
Oops, wrong ticket. I meant #771
Default to 4096 bit for OEM factory reset (fixes #831)
I'm sure I'm missing something, but what's the driving force behind this "issue"? Is a 4096-bit key meaningfully better than 2048-bit now, or in the near future?
That's the point, yes. Many organizations are considering 2048-bit not secure enough in the near future (that is, the next years) as processing power increases regularly. So using 3072-bit is recommended for new keys and this is the standard for newer gnupg versions as well.
@alex-nitrokey @MrChromebox: what approach do you prefer?