An overview of the current state of GnuPG for e-mail encryption and signing:

TL;DR: Use ECC-based keys (Ed25519, Curve25519) as they are the future-default of GPG, smaller and faster than RSA, and Curve25519 is widely used by many different projects. If you use modern E2EE instant messengers for personal communication, there is likely no need to switch to GPG.


I'm guessing you are already aware of this, but in case you are not, there is a promising alternative in the marking that might be worth keeping an eye out for:


I don't understand how can you recommend Ed25519, Curve25519 against RSA for emails encryption when it is weaker than RSA against Quantum computer.

Could you please explain me why?


It is likely that every kind of encryption scheme we use can be broken in future (including RSA). However, at the moment, we don't have any quantum computers that can break Curve25519 or other strong ECC-based ciphers. Before this changes, GPG (and other tools) has to provide new post-quantum crypto. Then, we also have to change recommendations.

Besides, this is also true for TLS. Breaking the key exchange (e.g., ECDHE) likely breaks forward security.


I disagree with you. ECC-based ciphers and RSA are not at the same level against quantum computer.

From the read I did, the key length matter and a 4096 RSA bits key required a stronger quantum computer than a 256-512 ECC bits key.

That is why I think RSA with a key of 4096 bits is more future proof than ECC 256 bits for GPG.

Nice article!

Did you check out Autocrypt? The Thunderbird extension doesn’t require GnuPG but still produces OpenPGP-compatible messages. It looks vastly simpler than Enigmail and uses Ed25519 keys by default.


We didn't check it, however, parts of it are used in Enigmail.

Since it is "EARLY ACCESS, MAY CONTAIN BUGS!" and there is likely no security audit, we likely won't test it until this changes.


Yes, it's in our article ("No current standard for publishing your public key"):

"[…] At the moment, there is an informational draft “OpenPGP Web Key Directory (version 08)”, and an experimental RFC 7929 (DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP). Other people (and InfoSec Handbook) publish their keys via their own web servers, or services like Keybase."

So these newcomers are either a draft or experimental.

> So these newcomers are either a draft or experimental.

True although WKD is simple, widely implemented and quite secure. On the other hand RFC 7929 is implemented only in GnuPG and without DNSSEC validation. As for now, in my opinion, they’re not comparable.

Sign in to participate in the conversation
Mastodon is a microblogging site that federates with most instances on the Fediverse.