This is a read-only archive. Find the latest Linux articles, documentation, and answers at the new!

Re:Key ID size

Posted by: Administrator on June 30, 2004 09:33 AM
Great column. GPG runs easily from the command line & if your email client has good integration, you'll rarely need to do much with it. But for those who need a GUI crutch, <A HREF="" title="">GPA</a> does nicely.

When using PGP, I used to just go for the highest suggested keysize possible. I now chuckle when I get signed email from people who go higher than that still. It is often wasted space + computation time. The GPG handbook says:

Key size nevertheless affects encryption and decryption speed since the cost of these algorithms is exponential in the size of the key. Larger keys also take more time to generate and take more space to store. Ultimately, there are diminishing returns on the extra security a large key provides you. After all, if the key is large enough to resist a brute-force attack, an eavesdropper will merely switch to some other method for obtaining your plaintext data. Examples of other methods include robbing your home or office and mugging you. 1024 bits is thus the recommended key size. If you genuinely need a larger key size then you probably already know this and should be consulting an expert in data security.

I would suggest NOT keeping your key on the harddrive. Instead, keep it on<nobr> <wbr></nobr>/mnt/floppy or a USB stick. Added bonus: You'll be able to use GPG from anywhere. For the TRULY paranoid, use the <A HREF="" title="">Tinfoil Hat Linux</a> bootable distribution on untrusted machines.

The passphrase is often the weak link. It is difficult to get a passphrase with the same security or better as your key. See <A HREF="" title="">the passphrase FAQ</a>


Return to CLI magic: The keys to GnuPG