SmartPGP 4096-bit RSA on flexSecure

This is essentially the same issue as Apex Flex Vivokey SmartPGP Issues?, except on a flexSecure (thus applet from Github release instead of through Fidesmo). (also don’t want to necrobump… is that still a thing?)

The problem:
I can’t seem to get 4096-bit RSA keys to load onto my device.
I installed SmartPGP-v1.22.2-jc304-rsa_up_to_4096.cap from the SmartPGP releases.
I switched the card to rsa4096: smartpgp-cli switch-rsa4096 -I (which ran without error). I also attempted through key-attr in the gpg --edit-card options—despite this report that it’s insufficient.
Attempting to keytocard any of my RSA4096 subkeys results in gpg: KEYTOCARD failed: Card error.
2048 works fine. I didn’t try any other algorithms.

@singlerider indicated problems with RSA 4096 on Apex Flex in this post; the logged attempt and responses mirror my own.
@StarGate01 indicates rsa4096 was tested.

Has any further testing been performed? Anyone else find success (or issue) with 4096-bit RSA keys in SmartPGP on a flexSecure (or Apex Flex)?
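One check that helps separate "the card never accepted the 4096-bit attribute" from "the attribute is set but keytocard still fails" is to read back what the card advertises in the keyattr records of `gpg --card-status --with-colons` before pushing a subkey. The script below is an added example, not from the original post, SmartPGP or GnuPG; it assumes the record layout `keyattr:<slot>:<algo-id>:<bits-or-curve>:` as emitted by GnuPG's card-util, with slot 1/2/3 being signature/encryption/authentication, and parses a constructed sample rather than a live card (the `live_keyattrs()` helper is only for running against a real reader).

```python
"""Read the key-attribute slots a card reports and explain, before `keytocard`,
whether a given subkey (algorithm + size or curve) matches what the card is set to.
Added example; record layout assumed from GnuPG's --with-colons card-status output."""
import subprocess

# OpenPGP public-key algorithm ids as GnuPG prints them in keyattr records
# (RFC 4880 ids: 1 = RSA, 18 = ECDH, 19 = ECDSA, 22 = EdDSA).
ALGO_NAMES = {1: "rsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}

# Constructed sample of the relevant records only (other records omitted).
# This is what a card still at its 2048-bit default would look like after the
# authentication slot was switched to a P-256 curve.
SAMPLE_STATUS = """\
version:0304:
keyattr:1:1:2048:
keyattr:2:1:2048:
keyattr:3:19:nistp256:
fpr::::
"""


def parse_keyattrs(status_text):
    """Return {slot: (algo_name, bits_or_curve)} from --with-colons output.

    RSA slots carry a numeric bit length, ECC slots a curve name; both are
    kept in the second tuple element (int for RSA, str for curves)."""
    slots = {}
    for line in status_text.splitlines():
        fields = line.split(":")
        if fields[0] != "keyattr" or len(fields) < 4:
            continue
        slot, algo_id = int(fields[1]), int(fields[2])
        name = ALGO_NAMES.get(algo_id, f"algo{algo_id}")
        value = fields[3]
        slots[slot] = (name, int(value) if value.isdigit() else value)
    return slots


def keytocard_precheck(slots, slot, algo, size_or_curve):
    """Decide whether a key of (algo, size_or_curve) matches what the card
    currently advertises for `slot`. Returns (ok, human-readable reason)."""
    if slot not in slots:
        return False, f"slot {slot}: card reports no key attributes"
    have = slots[slot]
    want = (algo, size_or_curve)
    if have == want:
        return True, f"slot {slot}: card already set to {algo} {size_or_curve}"
    return False, (
        f"slot {slot}: card reports {have[0]} {have[1]}, key is "
        f"{algo} {size_or_curve}; change the slot attribute first "
        f"(e.g. smartpgp-cli switch-rsa4096 or key-attr in --edit-card)"
    )


def live_keyattrs():
    """Query a real card; needs gpg on PATH and a connected reader."""
    out = subprocess.run(
        ["gpg", "--card-status", "--with-colons"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_keyattrs(out)


if __name__ == "__main__":
    # Walk the constructed sample as if we were about to load RSA-4096 subkeys.
    slots = parse_keyattrs(SAMPLE_STATUS)
    for s in (1, 2, 3):
        print(keytocard_precheck(slots, s, "rsa", 4096)[1])
```

If the card reads back rsa 4096 for the slot and keytocard still returns `Card error`, the mismatch case is ruled out and the failure is on the transfer or applet side, which is the situation the later replies in this thread describe.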

Thanks for the report, I’ll look into this.

A common issue with large keys is the long transfer times. If the connection is wonky in the slightest, GPG instantly trips.

I recommend not using RSA, and switching to elliptic curves instead. See e.g. https://cheapsslsecurity.com/p/ecc-vs-rsa-comparing-ssl-tls-algorithms/ for a comparison on key size.


I’ve had a pretty stable connection in my testing, and gave it several attempts. But I’ll try some other algorithms.

That was a great article, thanks. I knew a bit about it but that helped.

p256 seems to work. Rocking that for now, per recommendation in the link on the other thread (given the unavailability of ed25519).


Just FYI, I can reproduce the issue with large keys. I’ll look into it, but for the meantime I recommend using ECC. (or 2048 bit keys if you must use RSA)