aes-mode, RSA

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 13 21:41:58 CEST 2018


Wayne asked me off-list how to ensure RSA-2056 or greater was being used.

First, it's a little weird: normally we talk of RSA-2048, not -2056.
But never mind, the answer is the same each way.

When sending email to another person, you use their public key for the
encryption.  Your own key isn't used at all for encryption (unless you
include yourself on the recipients list).

To check a certificate, use --list-key and the ID of the certificate you
want to check.  For instance, my certificate is

=====
rjh@pop-os:~$ gpg --list-key 1DCBDC01B44427C7

pub   rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
      CC11BE7CBBED77B120F37B011DCBDC01B44427C7
uid                 [ultimate] Robert J. Hansen <rjh at sixdemonbag.org>
uid                 [ultimate] Robert J. Hansen <rob at hansen.engineering>
uid                 [ultimate] Robert J. Hansen <rob at enigmail.net>
sub   rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub   ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub   cv25519/AA24CC81B8AED08B 2017-04-05 [E]
=====

Cut-and-paste that into a text document (Notepad, Atom, whatever).
Remove any line that doesn't start with "pub" or "sub".

=====
pub   rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
sub   rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub   ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub   cv25519/AA24CC81B8AED08B 2017-04-05 [E]
=====

Now remove anything that doesn't end with the letter "E" somewhere in
brackets.  "[SCE]" is okay, but "[SC]" isn't.

=====
sub   rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub   cv25519/AA24CC81B8AED08B 2017-04-05 [E]
=====

Presto.  I have two encryption subkeys.  Now look at the second column:
one starts with "rsa3072", denoting a 3072-bit RSA key.  The other,
cv25519, is an elliptical curve key -- not what you want.

By default, GnuPG will use the newest encryption subkey.  That means if
you were to type in this:

=====
rjh@pop-os:~$ gpg --recipient 1DCBDC01B44427C7 --encrypt foo.txt
=====

... GnuPG would use my cv25519 subkey, since it's the newest.  You can
override this.  To the right-hand side of my RSA key you'll see an
identifier for it, "DC0F82625FA6AADE".  To override GnuPG's choice of
subkeys, specify the specific subkey's identifier and add an exclamation
point to the end ("!").  This is how you tell GnuPG "no, really, use
this one".

=====
rjh@pop-os:~$ gpg --recipient DC0F82625FA6AADE! --encrypt foo.txt
=====

Hope this helps!
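
The manual filtering steps in the post above, written as a shell function (an added example, not part of the original post). It reads a listing in the format shown, keeps pub/sub lines with the E capability, and prints the "KEYID!" recipient for each RSA key of at least the requested size. The function names and the rsa1024 line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: select RSA encryption (sub)keys of at least MIN bits from a
# `gpg --list-key` listing that shows key IDs, as in the post
# (e.g. run gpg with --keyid-format long).

# Constructed sample: lines quoted from the post, plus one constructed
# rsa1024 subkey (last line) to show an undersized key being rejected.
sample_listing() {
cat <<'EOF'
pub   rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
      CC11BE7CBBED77B120F37B011DCBDC01B44427C7
uid                 [ultimate] Robert J. Hansen <rjh at sixdemonbag.org>
sub   rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub   ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub   cv25519/AA24CC81B8AED08B 2017-04-05 [E]
sub   rsa1024/0123456789ABCDEF 2010-01-01 [E]
EOF
}

# rsa_encryption_recipients MIN_BITS   (hypothetical helper name)
# Reads a listing on stdin and prints "KEYID!" for each qualifying key.
# Exit status is 1 when no key qualifies, so callers can refuse to encrypt.
rsa_encryption_recipients() {
    awk -v min="${1:-2048}" '
        # Step 1: keep only lines that start with "pub" or "sub".
        $1 != "pub" && $1 != "sub" { next }
        {
            # Step 2: the 4th field is the capability list, e.g. [E] or [SCE].
            # Revoked or expired keys show "[revoked:" / "[expired:" here
            # and are dropped by the same test.
            if ($4 !~ /^\[[A-Z]*E[A-Z]*\]$/) next

            # Step 3: the 2nd field is "algo/KEYID"; require rsaNNNN >= min.
            split($2, part, "/")
            if (part[1] !~ /^rsa[0-9]+$/ || part[2] == "") next
            if (substr(part[1], 4) + 0 < min) next

            # The trailing "!" forces GnuPG to use exactly this subkey.
            print part[2] "!"
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Real use (needs the recipient key in the local keyring):
#   gpg --keyid-format long --list-key 1DCBDC01B44427C7 | rsa_encryption_recipients 2048
sample_listing | rsa_encryption_recipients 2048
```

The printed value is what goes after --recipient; an empty result with exit status 1 means the certificate has no RSA encryption key of the required size.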


