Day 48 - Updating my RSA keys to 4096 bit after reading Gert's article

I came across this article yesterday, which urges everyone to move from RSA to Ed25519, EC-based public keys. Totally legit article, and covers all possible corner cases.

I was using 2048 bits RSA keys till now, I have updated them to a 4096 bit key now. An Ubuntu 14.04 LTS server refuses to accept Ed25519 keys. When specifying the pubkey protocols that it understands, it says rsa, 535, blen and one other suite. The OpenSSH version is 6.6, and the post says that anything about 6.5 should support Ed25519 keys. I need to investigate this.

There is a sherr size difference in the RSA keys and the Ed25519 keys. Although both afford the same amount of security, the Edwards Curve keys are much much smaller in size.

A 4096 RSA keypair is 4184 B long. The private key is by far the larger file. Now, come to the Edwards CUrve and a whopping 10-fold decrease. The keypair is 570 B long, yes, that’s both the public key and the private key!

Although support for Ed25519 is patchy right now, I am sure they will take care of this in the future versions of OpenSSH.

One slight issue that I ran into was when I removed the old RSA key from the server and tried logging in with the brand new 4096 bit RSA key, it said “sign_and_send_pubkey: signing failed: agent refused operation”. This was because the SSH Agent (which was GNOME Keyring in my case, a default Ubuntu installation) was refusing to sign this 4096 bit RSA key. A quick sudo apt-get remove --purge gnome-keyring and system restart removed that completely, and now the agent is nothing fancy and asks for password from within the terminal itself.

I am obviously holding on to my old key just yet, it will probably take a long time before I can delete those files having completely switched to 4096 bit keys. Probably, not even then, there just might be an esoteric old and long forgotten computer with Ubuntu installed on it, where the legacy keys are added. There’s no harm in keeping the legacy keys as long as you are not going to (even accidentally) add them to a production server.

POST #48 is OVER