This is essentially the same issue as Apex Flex Vivokey SmartPGP Issues?, except on a flexSecure (thus applet from GitHub release instead of through Fidesmo). (Also don’t want to necrobump… is that still a thing?)
I can’t seem to get 4096-bit RSA keys to load onto my device.
SmartPGP-v1.22.2-jc304-rsa_up_to_4096.cap from the SmartPGP releases.
I switched the card to rsa4096: smartpgp-cli switch-rsa4096 -I (which ran without error). I also attempted through key-attr in the gpg --edit-card options—despite this report that it’s insufficient.
keytocard any of my RSA4096 subkeys results in gpg: KEYTOCARD failed: Card error.
2048 works fine. I didn’t try any other algorithms.
@singlerider indicated problems with RSA 4096 on Apex Flex in this post; the logged attempt and responses mirror my own.
@StarGate01 indicates rsa4096 was tested.
Has any further testing been performed? Anyone else find success (or issue) with 4096-bit RSA keys in SmartPGP on a flexSecure (or Apex Flex)?
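One thing worth checking before running keytocard is whether the card actually advertises the key size you are about to push: if a slot still reports rsa2048 and the subkey is rsa4096, the card rejects the import and gpg surfaces it as "KEYTOCARD failed: Card error". The script below is an added example, not from the original poster or the SmartPGP project. It parses the keyattr records that gpg --with-colons --card-status prints (assumed format keyattr:<slot>:<algo>:<bits-or-curve>:, with OpenPGP algorithm id 1 = RSA, 18 = ECDH, 19 = ECDSA); the card-status snippets inside it are constructed samples, not captured from a real card.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for keytocard.
# Real usage reads the live card:  gpg --with-colons --card-status | card_keyattrs
# The SAMPLE_* strings below are CONSTRUCTED to mimic gpg's keyattr records.

# Print "slot:algo:size" for every keyattr record read on stdin.
card_keyattrs() {
    awk -F: '$1 == "keyattr" { print $2 ":" $3 ":" $4 }'
}

# Succeed only if slot $2 (1 = sig, 2 = enc, 3 = auth) of the card-status text
# in $1 advertises RSA with exactly $3 bits. Algorithm id 1 is RSA.
slot_is_rsa_bits() {
    printf '%s\n' "$1" | card_keyattrs | grep -q "^$2:1:$3$"
}

# Guard to run before "keytocard": refuse when the slot cannot take the key.
preflight_keytocard() {
    # $1 = card-status text, $2 = slot, $3 = required RSA bits
    if slot_is_rsa_bits "$1" "$2" "$3"; then
        echo "slot $2 advertises rsa$3: keytocard should be accepted"
        return 0
    fi
    # Show what the card really reports so the mismatch is obvious.
    attrs=$(printf '%s\n' "$1" | card_keyattrs | tr '\n' ' ')
    echo "slot $2 does not advertise rsa$3 (card reports: $attrs); switch the key attribute first" >&2
    return 1
}

# Constructed sample: a card whose attribute switch did not take (still rsa2048).
SAMPLE_RSA2048='login::
keyattr:1:1:2048:
keyattr:2:1:2048:
keyattr:3:1:2048:'

# Constructed sample: a card successfully switched to rsa4096.
SAMPLE_RSA4096='login::
keyattr:1:1:4096:
keyattr:2:1:4096:
keyattr:3:1:4096:'

# Constructed sample: a card switched to NIST P-256 (19 = ECDSA, 18 = ECDH).
SAMPLE_P256='login::
keyattr:1:19:nistp256:
keyattr:2:18:nistp256:
keyattr:3:19:nistp256:'

# Stand-alone demo against the constructed samples.
preflight_keytocard "$SAMPLE_RSA4096" 1 4096
preflight_keytocard "$SAMPLE_RSA2048" 1 4096 || true
preflight_keytocard "$SAMPLE_P256" 1 4096 || true
```

Run this against a live card by replacing the sample text with the output of gpg --with-colons --card-status; a non-zero exit from preflight_keytocard means the attribute switch (smartpgp-cli switch-rsa4096 or key-attr in gpg --edit-card) has not actually been applied to that slot, which is worth ruling out before blaming the transfer itself.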
Thanks for the report, I’ll look into this.
A common issue with large keys is the long transfer time. If the connection is wonky in the slightest, GPG instantly trips.
I recommend not using RSA, and switching to elliptic curves instead. See e.g. https://cheapsslsecurity.com/p/ecc-vs-rsa-comparing-ssl-tls-algorithms/ for a comparison on key size.
I’ve had a pretty stable connection in my testing, and gave it several attempts. But I’ll try some other algorithms.
That was a great article, thanks. I knew a bit about it but that helped.
p256 seems to work. Rocking that for now, per recommendation in the link on the other thread (given the unavailability of ed25519).
Just FYI, I can reproduce the issue with large keys. I’ll look into it, but for the meantime I recommend using ECC. (or 2048 bit keys if you must use RSA)