GNU+Linux command memo

Generating 16k RSA key pairs with GnuPG 2.x

Create an OpenPGP / GPG key pair larger than 4096 bits with GnuPG to better withstand decryption by a quantum computer.

Update (2018-08-12): […] a paper titled Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, […] gives some interesting figures, notably that solving a 256-bit Elliptic Curve Discrete Logarithm Problem (ECDLP) would take 2330 qubits, vs 4719 qubits for a 521-bit ECDLP, 6146 qubits for 3072-bit RSA and 30722 qubits for 15360-bit RSA.

It seems useful to make RSA key pairs larger than 4k. Unfortunately, the standard GnuPG program (i.e. version 2.2.25) won’t allow you to generate them. The 1st link mentioned details how to patch GnuPG to unlock the setting. But if you don’t want to take the time to recompile the tool (like me), you can use the Arch / Artix GNU+Linux distribution and install an AUR package that will patch and compile it for you.

# pacman -S gnupg-large-rsa
$ gpg --enable-large-rsa --full-generate-key

Then select an RSA key type and write 16384 as key size.

It will require quite a lot of entropy, which you can generate via random keyboard typing for instance, and around 3.5 GB of free RAM. [1]

Once done, the generated key pair can be used everywhere.
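
A check worth running after generation, as an added example that is not part of the original memo: it reads `gpg --with-colons` output and confirms that the primary key and every subkey are RSA of at least the requested size. The function names and the sample listing are constructed for illustration; the field positions follow GnuPG's colon-listing format.

```shell
#!/bin/sh
# Added example (not from the original memo).
# Colon-listing fields used: 1 = record type, 3 = key length in bits,
# 4 = public-key algorithm (1 = RSA), 5 = key ID.

# check_rsa_bits MIN_BITS
# Reads a colon listing on stdin, prints one line per pub/sub record and
# returns non-zero if no key was seen or any key is not RSA >= MIN_BITS.
check_rsa_bits() {
    awk -F: -v min="$1" '
        $1 == "pub" || $1 == "sub" {
            seen++
            ok = ($4 == 1 && $3 + 0 >= min)
            printf "%s %s algo=%s bits=%s %s\n", $1, $5, $4, $3, (ok ? "OK" : "TOO-SMALL-OR-NOT-RSA")
            if (!ok) bad++
        }
        END { if (seen == 0 || bad > 0) exit 1 }
    '
}

# Constructed sample listing: a 16384-bit primary key whose encryption
# subkey is only 4096 bits, the case this check is meant to catch.
sample_listing() {
cat <<'EOF'
tru::1:1600000000:0:3:1:5
pub:u:16384:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0000::Constructed User <user@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::e::::::23:
EOF
}

# Real use (KEYID is a placeholder):
#   gpg --list-keys --with-colons KEYID | check_rsa_bits 16384
sample_listing | check_rsa_bits 16384 || echo "at least one key is below 16384-bit RSA"
```

The encryption subkey is the one that protects message confidentiality, so a large primary key with a smaller subkey does not give the intended margin.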

Beware that encrypting a simple text email might take a noticeable few seconds (around 3-4 s), and so might decrypting it (around 1 s).

I had been using 4096-bit keys for over 15 years, and I’ve been taught that security is not a fact but a process that has to be continuously reinforced.

1. Using a notebook with 4 GB of RAM, I had to reboot and open nothing other than 2 terminals to keep the RAM free in order to get this many-minute process completed.