1024-3072 bit OpenPGP cards

Werner Koch wk at gnupg.org
Wed Aug 5 12:37:52 CEST 2009


Hi,

I just committed code to allow selection of the key size.  It works by
always asking for the keysize and presenting the current size as the
default.  A warning is shown once if you try to change the keysize.  I
don't think that a separate keysize command makes much sense now.

Here is a sample session:

  Command> generate
  Make off-card backup of encryption key? (Y/n) 
  
  gpg: NOTE: keys are already stored on the card!
  
  Replace existing keys? (y/N) y
  
  Please note that the factory settings of the PINs are
     PIN = `123456'     Admin PIN = `12345678'
  You should change them using the command --change-pin
  
  What keysize do you want for the Signature key? (1024) 2048
  The card will now be re-configured to generate a key of 2048 bits
  NOTE: There is no guarantee that the card supports the requested size.
        If the key generation does not succeed, please check the
        documentation of your card to see what sizes are allowed.
  What keysize do you want for the Encryption key? (2048) 1024
  The card will be re-configured to generate a key of 1024 bits
  What keysize do you want for the Authentication key? (2048) 
  Please specify how long the key should be valid.
           0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
  Key is valid for? (0) 
  Key does not expire at all
  Is this correct? (y/N) y
  [...]
  

A failure looks like this:

  [...]
  What keysize do you want for the Encryption key? (1024) 1530
  rounded up to 1536 bits
  The card will now be re-configured to generate a key of 1536 bits
  NOTE: There is no guarantee that the card supports the requested size.
        If the key generation does not succeed, please check the
        documentation of your card to see what sizes are allowed.
  gpg: error changing size of key 2 to 1536 bits: Invalid value
  What keysize do you want for the Encryption key? (1024) 2048
  The card will now be re-configured to generate a key of 2048 bits
  [...]

The warning notice is printed in advance to cover the case that changing
the key attributes does not report an error but the actual key
generation fails at a later point.


On a lower level you can change the keysize using gpg-connect-agent:

  $ gpg-connect-agent
  > /hex
  > scd serialno
  OK
  > scd setattr KEY-ATTR --force 3 1 1024
  OK

This deletes the authentication key from the card and prepares it for
creation of a 1024 bit key.  The "--force" is used to prevent
accidental key deletion.



Salam-Shalom,

   Werner




-- 
Thoughts are free.  Exceptions are regulated by a federal law.




More information about the Gnupg-devel mailing list
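The gpg-connect-agent session above is typed by hand.  The script below is an added example, not code from the message or from GnuPG itself: it builds the same `scd setattr KEY-ATTR --force <key> 1 <bits>` command for a named slot, rounds the size up to a multiple of 32 bits the way the quoted session does ("1530 ... rounded up to 1536 bits"), and classifies the Assuan reply so a rejected size (the "Invalid value" case in the message) is reported instead of silently ignored.  The function names, the slot names sig/enc/auth and the `yes-delete-key` confirmation word are my own; it assumes gpg-connect-agent from GnuPG 2.x on PATH and an inserted card when `set_card_keysize` is actually run.

```shell
#!/bin/sh
# Added example (not from the original message or from GnuPG): drive
# scdaemon's KEY-ATTR change from a script and check the reply, instead
# of typing into gpg-connect-agent by hand.  Assumes gpg-connect-agent
# (GnuPG 2.x) is installed and a card is inserted when set_card_keysize
# is called.  Slot names and function names are this example's own.

# Key slot name -> the key number KEY-ATTR expects (1=sig, 2=enc, 3=auth),
# matching the "setattr KEY-ATTR --force 3 1 1024" line in the message.
keyattr_slot() {
    case "$1" in
        sig|1)  echo 1 ;;
        enc|2)  echo 2 ;;
        auth|3) echo 3 ;;
        *) echo "unknown key slot: $1" >&2; return 1 ;;
    esac
}

# gpg rounds a requested RSA size up to a multiple of 32 bits (the
# message shows 1530 -> "rounded up to 1536 bits"); mirror that here so
# the value sent to the card is the one gpg itself would send.
round_keysize() {
    echo $(( (($1 + 31) / 32) * 32 ))
}

# Build the Assuan command that deletes the slot's key and re-configures
# it for an RSA key of the given size.  Algorithm id 1 = RSA, as in the
# posted session.  --force is mandatory, otherwise the key is not touched.
keyattr_command() {
    slot=$(keyattr_slot "$1") || return 1
    size=$(round_keysize "$2")
    printf 'scd setattr KEY-ATTR --force %s 1 %s\n' "$slot" "$size"
}

# Classify the final reply line from gpg-connect-agent: 0 for OK, 1 for
# ERR (the card rejected the size, as the 1536-bit attempt did), 2 for
# anything else (status line, empty output, agent not running).
assuan_status() {
    case "$1" in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    return 2 ;;
    esac
}

# Extract the human-readable part of "ERR <code> <message> <source>".
assuan_errmsg() {
    printf '%s\n' "${1#ERR * }"
}

# Talk to the card.  A confirmation word is required because this
# deletes whatever key currently sits in the slot.
set_card_keysize() {
    if [ "$3" != "yes-delete-key" ]; then
        echo "refusing: pass yes-delete-key as third argument" >&2
        return 2
    fi
    cmd=$(keyattr_command "$1" "$2") || return 1
    # 'scd serialno' selects the card first, exactly as in the manual session;
    # the last line of output is the reply to the setattr command.
    reply=$(printf 'scd serialno\n%s\n' "$cmd" | gpg-connect-agent | tail -n 1)
    if assuan_status "$reply"; then
        echo "slot $1 now configured for $(round_keysize "$2")-bit RSA"
    else
        echo "card rejected the change: $(assuan_errmsg "$reply")" >&2
        return 1
    fi
}

# Usage: ./card-keysize.sh auth 2048 yes-delete-key
[ $# -eq 0 ] || set_card_keysize "$@"
```

After a successful change, run `generate` in `gpg --card-edit` as in the message; the size prompt will then show the new value as its default.  If the card rejects the attribute, the key in that slot is still gone only if the card reported OK, so check the reply before assuming anything about the slot's contents.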