8192 or bigger keys

anon24164251 · September 14, 2013, 8:30pm

Hello, Is there a way to generate keys bigger than 4096? If so, how to do it?

Thank you
Regards

Luis Sta

anon90979041 · September 14, 2013, 11:58pm

Yes. In the command prompt:

C:>gpg --batch --gen-key [Enter]
Key-Type: RSA
Key-Length: 8192
Key-Usage: Sign, Encrypt
Subkey-Type: RSA
Subkey-Length: 8192
Subkey-Usage: Encrypt
Name-Real: Your Name Here
Name-Email: example@address.com
Name-Comment: Comment here.
Passphrase: R3allyG00dP4ssphr4s3//////////
^Z ([Ctrl]+[z], [Enter])

After a minute or so, you should get confirmation that the key was generated successfully.

The ‘subkey’ commands are optional. Only one subkey can be created with this method. Default usage for the main key is ‘Certify’ and cannot be removed. Other usages may be added as shown.

Note: I have run into problems generating keys of 16384-bits. This is probably a hardware problem on my end, as I know it is possible.

The other option is to download the source code, change the limit and compile it yourself. But this way is quicker.

Regards,
Sean C.

anon24164251 · September 15, 2013, 2:13am

Hey hi! thanks for your reply. It did not work for me. Do you know how to modify from source and compile?

anon90979041 · September 15, 2013, 3:54am

You need to download and install a compiler. I started to learn how to do it, but it’s kind of complicated.

When you say it didn’t work, what exactly do you mean? Did you get an error message? One thing I didn’t mention is that you have to type all of the parameters, such as “Key-Type:”, etc.

Regards,
Sean C.

anon90140984 · September 15, 2013, 9:19am

Hi Sean, I tried it on Windows7 64bit - the initial command just hung up. I did a gpg --help and the ‘–batch’ option you wrote doesn’t appear in the help list. Is this a windows - linux difference ?

So I tried the gpg --gen-key command and selected RSA. When asked what key size I wanted, I typed in 8192 and got the response that

‘RSA keysize must be in the range 1024-4096’

(GPA however has a 3072 limit)

anon90979041 · September 15, 2013, 11:48am

When you say “the initial command just hung up”, do you mean that once you typed “C:> --batch --gen-key” and hit enter, you just got a blinking cursor on the next line?

If so, that’s what’s supposed to happen. I don’t think I was clear enough in my original post.

The parameters will not appear on their own. After you hit enter and the cursor drops down to the next line, you need to type out each parameter yourself. So, next you will actually type the whole line “Key-Type: RSA”, then hit enter and type “Key-Length:…” etc.

After you type the last parameter you want and hit enter, on the last line hold [Ctrl] and hit [z] (which should output “^Z”) and hit [Enter] one last time.

You are correct that the “–batch” command does not appear in the “-help” list, but that list is not exhaustive. Here is a link to a more complete list of possible commands:

http://www.gnupg.org/documentation/manuals/gnupg/Option-Index.html#Option-Index

I have never used Linux and have successfully used this method on Win 7 64-bit and Win Vista 32-bit machines with no additional software/tweaks.

Regards,
Sean C.

anon24164251 · September 15, 2013, 6:00pm

It Works! I made it work.

Thank you, I appreciate your time to help.

anon90140984 · September 16, 2013, 9:30pm

Yes, Sean, exactly that, the cursor sat blinking on the next line apparently waiting for a response that I didn’t know how to give.

Following your instructions, I have now made an 8192 bit key and have looked at the doc at the link you gave.

I also found a reference buried in the gnupg.pdf document to a useful paper ‘doc/DETAILS’ in the source distribution which elaborates on some of the points you described.

anon90979041 · September 17, 2013, 9:35am

Great! Glad to hear you both got it working!

Philip, I don’t think I’ve seen the “doc/DETAILS” paper you mentioned. I’ll have to check it out, thanks.

Sorry for the ambiguity in my first post. I’d also like to point out that I didn’t mention expiration dates. I’m not sure if there’s a way to include them in the ‘–batch’ command, but you can always use ‘–edit-key’ to add/change the expiry.

Unfortunately, with this method, there is no way to add additional large subkeys in the future. Changing the source and compiling it would solve this problem by allowing larger keys in the normal generation mode. But, as I said, I haven’t figured out how to do that…yet.

Cheers,
Sean C.

anon90140984 · September 17, 2013, 1:21pm

Sean, in doc/DETAILS, the interesting stuff about key generation starts on line 791 ‘Unattended key generation’. I didn’t create a sub-key nor did I create an expiry date but doc/DETAILS describes the expiry date process.

On line 893, it says ‘The 3 parts of a key. Remember to use UTF-8 here.
If you don’t give any of them, no user ID is created.’ This looks to me like it is referring to the preceding 3 lines where Name-Real, Name-Comment, Name-Email are described. But I didn’t provide a Name-Comment option and the key was generated ok.

I don’t think it refers to the lines which follow because I didn’t supply Expire-Date, Creation-Date or Preferences either.

I also put in a simple, insecure password just to make the typing easy. Afterwards, I used GPA to modify the passphrase using the KeyPass method described in that YouTube clip.

anon90979041 · September 17, 2013, 8:00pm

“I also put in a simple, insecure password just to make the typing easy. Afterwards, I used GPA to modify the passphrase using the KeyPass method…”

Yes, this is basically what I do as well. I’m not too keen on the command prompt displaying the plaintext passphrase during generation, so I usually use a placeholder until I can generate one securely.

Regards,
Sean C.