
Have the GPG factory reset functions propose/default to RSA 4096 bits keys, not 2048 #831

Closed
tlaurion opened this issue Sep 13, 2020 · 9 comments · Fixed by #906

Comments

@tlaurion (Collaborator)

@alex-nitrokey @MrChromebox : what approach you prefer?

@MrChromebox (Contributor)

@kylerankin's input would be good too

@alex-nitrokey (Contributor)

We are currently using 3072 bit; it should be secure for quite some years and is faster than 4096.
I never created a PR for this as I wasn't sure if this is actually interesting for Heads. If you would like to include this approach, we are happy to create a PR.

@alex-nitrokey (Contributor)

3072-bit is the gnupg default since version 2.2.22, by the way. That is to say, once we have updated gnupg, no workaround is needed anymore.

@tlaurion (Collaborator, Author) commented Oct 29, 2020

@alex-nitrokey LTS is 2.2.21. So changing it to 4096 will need to be done manually prior to generating keys.
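
As an added example (not Heads' own factory-reset script, and not the Nitrokey approach referenced above), the following POSIX shell script makes the RSA length explicit in a `gpg --batch` parameter block, so the generated key does not depend on the installed gnupg's default (per this thread, 2048 bits before 2.2.22 and 3072 bits from 2.2.22 on), and then verifies the result from `gpg --list-keys --with-colons`. The function names, the sample user id and the constructed `--with-colons` records used for checking are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Heads' own code: generate a GnuPG RSA key non-interactively
# with the key length stated explicitly, so the result does not depend on the
# gnupg build's default (2048 bits before 2.2.22, 3072 bits from 2.2.22 on).

# Does this gnupg version still default to 2048-bit RSA? True (exit 0) for
# versions older than 2.2.22; such builds need the length passed explicitly.
gnupg_defaults_to_2048() {
    awk -v v="$1" 'BEGIN {
        split(v, p, ".")
        key = (p[1] + 0) * 1000000 + (p[2] + 0) * 1000 + (p[3] + 0)
        exit (key < 2002022) ? 0 : 1
    }'
}

# Print a gpg --batch parameter block with an explicit RSA length for both the
# primary (signing) key and the encryption subkey.
# $1 = bits, $2 = real name, $3 = e-mail.
# %no-protection keeps the demo non-interactive; a real provisioning script
# would set a Passphrase: field (or prompt for one) instead.
gpg_batch_params() {
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: $1
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $1
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Read `gpg --list-keys --with-colons` output on stdin and print the smallest
# length among pub/sub records (field 3), so a weaker subkey is not missed.
min_key_bits() {
    awk -F: '$1 == "pub" || $1 == "sub" {
        if (min == "" || $3 + 0 < min) min = $3 + 0
    } END { print min + 0 }'
}

# Generate a key of $1 bits in a throwaway GNUPGHOME and verify that every
# component really has at least that length. Needs gpg on PATH.
generate_and_check() {
    bits="$1"
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg_batch_params "$bits" "Example OEM" "oem@example.invalid" \
        | gpg --batch --quiet --gen-key
    found=$(gpg --list-keys --with-colons | min_key_bits)
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    echo "smallest key component: ${found} bits"
    [ "$found" -ge "$bits" ]
}

# Usage: sh gpg_keylen_example.sh --run   (gpg is only invoked with --run)
if [ "${1:-}" = "--run" ]; then
    ver=$(gpg --version | awk 'NR == 1 { print $3 }')
    if gnupg_defaults_to_2048 "$ver"; then
        echo "gnupg $ver defaults to 2048-bit RSA; passing Key-Length explicitly"
    fi
    generate_and_check 4096
fi
```

Because the length is written into the parameter block for both the primary key and the subkey, the script produces the same key sizes on gnupg 2.2.21 and on 2.2.22 or later; the version check only decides whether to tell the operator that the explicit setting was actually needed. Checking the smallest pub/sub length rather than only the primary key catches the case where a default subkey length silently differs from the primary.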

@alex-nitrokey (Contributor)

> @alex-nitrokey LTS is 2.2.21. So changing it to 4096 will need to be done manually prior to generating keys.

Do you want me to create a PR for default 4096 based on our approach?

@tlaurion (Collaborator, Author) commented Nov 13, 2020

@alex-nitrokey I think it would be a good idea. Putting my nose in the script to do the above in the next days.

But if that default matches for all, it would mean I will not have to put that into the config.user pushed to clients' firmware for customized OEM values, which is good. The less the better.

@tlaurion (Collaborator, Author)

Oops, wrong ticket. I meant #771.

tlaurion added a commit that referenced this issue Dec 2, 2020
Default to 4096 bit for OEM factory reset (fixes #831)
@MrChromebox (Contributor)

I'm sure I'm missing something, but what's the driving force behind this "issue"? Is a 4096-bit key meaningfully better than 2048-bit now, or in the near future?

@techge (Contributor) commented Dec 8, 2020

> I'm sure I'm missing something, but what's the driving force behind this "issue"? Is a 4096-bit key meaningfully better than 2048-bit now, or in the near future?

That's the point, yes. Many organizations are considering 2048-bit not secure enough in the near future (that is, the coming years) as processing power increases regularly. So using 3072-bit is recommended for new keys, and this is the standard in newer gnupg versions as well.
