Friday, April 15, 2011

8192-bit GPG Certification Key - Why and How

I generated my primary key, the certification key with an 8192-bit RSA key to help ensure that it lasts for quite some time. I figure that this should prove adequate until ECC is integrated into the OpenPGP specification and a majority of applications start supporting it. I keep this key very well protected and excluded from the set of private keys I use regularly.

Now for the how. GPG does not permit generation of 8192-bit keys through the normal interactive prompts. I found something somewhere hinting at using the batch mode of GPG key generation, but do not recall where. An example command-set that will get you an 8192-bit RSA signing key:

gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 8192
Name-Real: ME
Name-Comment: COMMENT
Name-Email: EMAIL
Passphrase: PASSWORD
EOF

To segregate my certification key from the keys I use day to day, I exported the secret portion of the subkeys using --export-secret-subkeys, deleted the entire secret key from the keyring, then re-imported the 'subkeys' file (the primary key is left behind only as a stub). One downside to this mechanism is that the result isn't quite OpenPGP compliant, and other tools such as APG cannot use the subkeys file (they complain about the missing primary key).
