
Generating a large (>8KB) key with GnuPG 2.x

A long while ago, I posted a guide on how to compile GnuPG 1.x, for Windows, to generate a large key.
This time, here is a guide on how to compile GnuPG 2.x (2.2.7 at the time of writing) to generate a large key. However, because GnuPG 2 is so hard to compile for Windows, I’ll compile it “only” for Linux. If you’re not on Linux, you can just do this in a virtual machine; it’s practical enough nowadays.

Starting remarks

Before going further, you may have noticed that the title mentions >8KB, not >4KB, even though 4092 bits is the first limit you’ll hit when trying to create a big key. This is because there is a simple solution that doesn’t require compiling if you “only” want an 8192 bits key: simply use the --enable-large-rsa flag, i.e.:

gpg --full-generate-key --enable-large-rsa

This guide might miss dependencies, as I used a Linux install that wasn’t completely new (Kubuntu 18.04, upgraded from 17.04 via 2x do-release-upgrade), although I hadn’t used it much either. Notably, I already had Kleopatra and GnuPG installed (from the distribution-provided packages). If at some point you have dependencies missing, maybe check out the list in the mini-guide there and also simply go for apt-get install gcc. Hopefully, the error messages you may encounter about missing dependencies should be helpful enough in guiding you to the right packages.

Onto the guide per se now.


First, grab the source code for the required packages on this page:
I needed: GnuPG, Libgpg-error, Libgcrypt, Libksba, Libassuan, nPth (surprisingly, I didn’t need Pinentry)

Compile and install everything but GnuPG. For instance, for Libgcrypt:

tar xf libgcrypt-1.8.2.tar.bz2
cd libgcrypt-1.8.2
./configure
make && make install

(NB: you might want to also run make check, which runs the test suite)

Now extract GnuPG’s source code but don’t compile just yet. Open gnupg-2.2.7/g10/keygen.c, and there are 2 lines you need to edit in order to remove the hard-coded 4096 bits cap:
Line 1642, change:

  const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);

for instance into:

  const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 409600);

(NB: 409600 is way too large, but it doesn’t hurt either)

Line 2119, change:

      *max = 4096;

for instance into:

      *max = 409600;

Those line numbers are given for version 2.2.7, which is the current version as I’m writing those lines. They might move around a bit in future versions; see the end of this post for larger snippets.

Then you can compile and install GnuPG. The commands are similar to those for the libraries we dealt with earlier, except for one tweak:

cd gnupg-2.2.7
./configure --enable-large-secmem
make
make check
make install

The --enable-large-secmem flag is what will allow GnuPG to allocate a large enough amount of memory, hence to deal with large keys without crashing.

Generating the key

Run gpg --version to make sure you’re running the compiled version, since your distribution’s version will most likely always be a bit behind (for instance, I just compiled version 2.2.7 and the version from my distribution, which I can still obtain via gpg2 --version, is 2.2.4).

Then you can move on to the key generation, as usual:

gpg --full-generate-key

(if you edited like I did, do not use the --enable-large-rsa flag, as it will still have a size limit of 8912 bits)

If you use the gpg-agent from your distribution’s installation, you’ll get a warning saying gpg-agent is older than gpg: it’s not a problem (but it could be avoided using something like killall gpg-agent && gpg-agent --daemon --pinentry-program /usr/bin/pinentry).

The key generation will take _a lot_ of time. You can speed it up by using the computer (downloading a large file, moving the mouse, typing stuff…), which will help generate entropy.

Once your key is generated, you may want to edit its preferences to make sure compression is enabled. Maybe the GnuPG I compiled didn’t have compression support, but the result was my key had “uncompressed” as the only accepted compression.

gpg --edit-key [keyID]
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP Uncompressed MDC


Fixing “agent_genkey failed: No pinentry”

If you get an error message saying:

gpg: agent_genkey failed: No pinentry
Key generation failed: No pinentry

it means that for some reason gpg-agent failed to load pinentry. Make sure pinentry is installed (apt-get install pinentry-qt should do the trick, or downloading and compiling and installing it from GnuPG’s site, like we did for the other dependencies), then:

killall gpg-agent
gpg-agent --daemon --pinentry-program /usr/bin/pinentry

You might want to use locate pinentry first, to make sure /usr/bin/pinentry is the right path. (thanks to this ticket for pointers to this fix)

Larger code snippets

Here are longer snippets for more context:

Line 1642 is in function static int gen_rsa (int algo, unsigned int nbits, KBNODE pub_root, u32 timestamp, u32 expireval, int is_subkey, int keygen_flags, const char *passphrase, char **cache_nonce_addr, char **passwd_nonce_addr), in the following block:

  int err;
  char *keyparms;
  char nbitsstr[35];
  const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);

  log_assert (is_RSA(algo));

Line 2119 is in function static unsigned int get_keysize_range (int algo, unsigned int *min, unsigned int *max), in the following block:

      *min = opt.compliance == CO_DE_VS ? 2048: 1024;
      *max = 4096;
      def = 2048;
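
Since the line numbers move between versions, the two edits can be applied by matching the statements quoted above instead. This is an added example, not part of the original post or of GnuPG; NEW_MAX, write_sample and patch_keygen are names made up here, and the sample is a constructed excerpt built from the two snippets above.

```shell
#!/bin/sh
# Added example: apply the two keygen.c edits by pattern, not line number.
# NEW_MAX, write_sample and patch_keygen are names made up for this sketch.

NEW_MAX=409600   # the value used in the post

# Constructed excerpt: the two blocks quoted above, not the full keygen.c.
write_sample() {
    cat > "$1" <<'EOF'
  int err;
  char *keyparms;
  char nbitsstr[35];
  const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);

  log_assert (is_RSA(algo));

      *min = opt.compliance == CO_DE_VS ? 2048: 1024;
      *max = 4096;
      def = 2048;
EOF
}

# patch_keygen FILE
#   0: both caps rewritten, original kept as FILE.orig
#   1: a pattern was not found exactly once (source changed, nothing written)
#   2: FILE already carries the new cap (nothing written)
patch_keygen() {
    f=$1
    [ -f "$f" ] || return 1
    if grep -qF "large_rsa ? 8192 : $NEW_MAX)" "$f"; then
        return 2
    fi
    # The trailing ")" and ";" keep 4096 from matching inside 409600.
    n1=$(grep -cF 'large_rsa ? 8192 : 4096)' "$f" || true)
    n2=$(grep -c '^[[:space:]]*\*max = 4096;' "$f" || true)
    if [ "$n1" -ne 1 ] || [ "$n2" -ne 1 ]; then
        return 1
    fi
    cp "$f" "$f.orig" || return 1
    sed -e "s/large_rsa ? 8192 : 4096)/large_rsa ? 8192 : $NEW_MAX)/" \
        -e "s/^\([[:space:]]*\)\*max = 4096;/\1*max = $NEW_MAX;/" \
        "$f.orig" > "$f"
}

# With an argument, patch that file; without, show the edit on the sample.
if [ $# -eq 1 ]; then
    patch_keygen "$1"
else
    demo=$(mktemp -d) && write_sample "$demo/keygen.c" &&
        patch_keygen "$demo/keygen.c" &&
        { diff "$demo/keygen.c.orig" "$demo/keygen.c" || true; }
    rm -rf "$demo"
fi
```

A return code of 1 means the statements no longer look like the 2.2.7 ones, in which case the file is left alone and the edit should be made by hand.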

Why no ECC / Elliptic Curves?

ECC allows for much smaller keys and faster computation than RSA for an equivalent security level. For instance, AES 128 bits has roughly the same security as ECC 256 bits and RSA 3300 bits. But both RSA and ECC are weak to quantum computers and, from what I understood, a quantum computer will need to have an amount of qubits proportional to the size of the key to be able to crack it. Tada! What used to be a weakness of RSA, the key length, turns out to be (kind of) a strength.

This is why I’m still generating an RSA key and not an ECC one. Hopefully, next time I renew my key, I’ll have a post-quantum option.
Sorry for not digging a bit more into details here, I’m writing this from memory, as struggling with GnuPG’s compilation and writing the rest of this post drained me more than I expected.

Why don’t we also change SECMEM_BUFFER_SIZE?

A link I mentioned earlier suggests increasing SECMEM_BUFFER_SIZE. I suspect this would allow creating even larger keys without running into memory allocation failures. However, this would also allow you to create keys so big that only your modified GnuPG can handle them. I don’t think that’s an acceptable option, but if you really, really want a huge key and don’t care if it’s hard to use practically, I suppose you can go ahead and increase SECMEM_BUFFER_SIZE.

Posted in privacy, programming.

Saving Corsair mouse settings into the mouse

When my nice Logitech MX510 mouse died, I couldn’t find an equivalent replacement at Logitech and eventually went for a Corsair Sabre RGB.

It’s not quite the same, but overall it contains as many usable buttons (the one right under the wheel is just unusable to me) and looks like the wheel won’t catch dirt as easily. It also has lots of lights, which is quite a change coming from a mouse with no LEDs at all (although I’d rather not have those and have a lighter invoice…). The settings (speed, light, button mapping) are quite complete, however they only kick in when the control software (“Corsair Utility Engine”) starts, which I find a bit annoying. But this was also the case, to some extent with my previous mice.

Gladly, there is a feature to store said settings in the mouse. The only trick is: it can be bloody hard to find. It’s a little button with an icon that looks kind of like a memory card, which is located on the right of the left menu and only appears when some conditions are met. So here’s a little “map” in order to easily find it:

Corsair Utility Engine - saving hardware profile

Those are the 3 key points: make sure the mouse is selected (right-most highlighted button yellow), and that the profiles list is selected too (toggled by clicking the left-most highlighted button). Then the 3rd, tiny button should appear and allow you to save your profile into the mouse.

I saved those URLs because those posts helped me, but to be honest I don’t really remember what were their interesting points… Still, credits where due ^^

Posted in hardware, Windows.

Linux Bash scripting: multi-line command and iterating over an array

It’s simple, really, but I rarely use bash so I’m always a little lost when I try to do something not absolutely trivial in it…
I’ll just put my script here and explain below:

images=("pic 1.jpg" \
"pic 2.jpg" \
"pic 3.jpg")

for i in "${images[@]}"
do
   echo "$i"
   node ../path/to/myscript.js --source "$i"
done

What it does is:
– define an array: myArray = ( elem1 elem2 )
– use multiple lines. To do so: when you split your command over multiple lines, end each non-end line with “\” to indicate continuation on the next line
– then iterate over it, echoing each element and running a command (with quotes because the elements of my array contain spaces)

This (very recent) source was helpful: Bash For Loop Array: Iterate Through Array Values

Posted in Linux.

How to compare 2 folders using Windows PowerShell

Just copying here the Windows PowerShell script from this blog post because I really don’t want to ever lose it:

$folderA = Get-ChildItem -Recurse -path C:\folderA\
$folderB = Get-ChildItem -Recurse -path C:\folderB\
Compare-Object -ReferenceObject $folderA -DifferenceObject $folderB

I use 2 different computers to deploy a Serverless project I work on, and I noticed the deployment artifacts had different sizes depending on the computer I deployed from :s So I grabbed an archive from each deployment, unzipped them, and used this to compare them.

It turned out the culprit was Ava, which puts a bunch of js and files in node_modules/.cache/ava. Excluding the whole node_modules/.cache/** from Serverless deployment (serverless.yml > package > exclude) allowed me to shrink the deployment artifact by a few hundreds of kB. On a side note, it appears that Ava leaves behind a lot of trash in this folder, so you may want to purge it manually from time to time.

Posted in JavaScript / TypeScript / Node.js, Windows.

How to disable OneSyncSvc (and other services)

I recently set up a new computer at work, and it uses Windows 10. That famous Windows that gives you even less control over your computer than the previous ones, going decreasingly with every new “Creator Update” or whatever fancy name they call those Service Packs.
As usual, I went to Services to locate and disable those that seem useless. Among those, one stood out: “OneSyncSvc_381d9”. As I tried to disable it via the “Services” control panel, it wouldn’t let me, saying “The parameter is incorrect” whenever I would try to set its startup type to “Disabled” or just “Manual”.

So I looked for another way to disable it, and the registry (if you still don’t know it, just run “regedit”) did the trick. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc_381d9, and then modify the Start DWORD value. 0 means “boot”, 1 means “system” (not sure what those 2 do, I don’t see any service using those values), 2 means start automatically, 3 means start manually, 4 is what interests us here and means disabled.

All other services can be configured the same way, simply by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[service name], although OneSyncSvc is actually the only service I didn’t manage to tame via the Services panel.

Bonus: little list of useless services that you can most likely smash:
– Connected User Experiences and Telemetry
– Downloaded Maps Manager
– dmwappushsvc

Posted in Windows 10.

How to hide processes from other users in Linux’s “top”

A few months ago, I had to set up a server where a bunch of people would need to connect to directly access a MariaDB SQL database, with also an SSH access for tunneling. A few users would also use that server for other purposes, and I didn’t want everyone to view everyone else’s processes, which to my surprise was possible by default (if any user runs top, they can see everyone’s running processes :s).

Starting with Linux kernel version 3.2, a setting was (finally) added to prevent unprivileged users from seeing each others’ processes. Basically, you need to set the hidepid option to 2 for the /proc filesystem:

nano /etc/fstab
– Find the line starting with “proc”
– Add hidepid=2 to the options

For instance, the line:

proc            /proc   proc    defaults      0       0

becomes:

proc            /proc   proc    defaults,hidepid=2      0       0

Then don’t forget to save and restart.

Note that sometimes the proc line can be missing (I have this case on a VPS), I’m not sure what should be done then… Maybe adding the proc line as quoted above would work (?)
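
The same fstab edit as a repeatable step, covering the case where the option is already set and the case where the proc line is missing. This is an added example, not part of the original post; sample_fstab, set_hidepid and has_hidepid are names made up here, the sample fstab is constructed, and appending a proc line when none exists only follows the tentative suggestion above.

```shell
#!/bin/sh
# Added example: the fstab edit from the post as a repeatable step.
# sample_fstab, set_hidepid and has_hidepid are names made up for this sketch.

# Constructed sample fstab (the UUID is a placeholder).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-placeholder /       ext4    errors=remount-ro 0       1
proc            /proc   proc    defaults      0       0
EOF
}

# set_hidepid FSTAB: print FSTAB on stdout with hidepid=2 on the proc entry.
# - entry without hidepid: the option is appended to the existing options
# - entry with another hidepid value: the value is replaced by 2
# - no proc entry: one is appended, as the post tentatively suggests
# The rewritten entry is re-joined with single spaces; other lines are untouched.
set_hidepid() {
    awk '
        $1 !~ /^#/ && $3 == "proc" {
            found = 1
            if ($4 ~ /(^|,)hidepid=/)
                sub(/hidepid=[^,]*/, "hidepid=2", $4)
            else
                $4 = $4 ",hidepid=2"
        }
        { print }
        END {
            if (!found)
                print "proc /proc proc defaults,hidepid=2 0 0"
        }
    ' "$1"
}

# has_hidepid FSTAB: succeed only if the proc entry carries hidepid=2.
has_hidepid() {
    awk '$1 !~ /^#/ && $3 == "proc" && $4 ~ /(^|,)hidepid=2(,|$)/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Demo on the constructed sample; work on a copy, never straight on /etc/fstab.
tmp=$(mktemp) && sample_fstab > "$tmp" && set_hidepid "$tmp"
rm -f "$tmp"
```

Write the output to a separate file, review it, and only then replace /etc/fstab with it.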

Posted in Linux, servers.

How to disable the Ctrl+Shift keyboard layout switch shortcut in Windows 10

Whoever created this shortcut must probably never play games. That default key combination for switching keyboard layout is so easy to hit by accident, when many, many games will use Shift as the run key and Ctrl as the crouch key.

Anyhow, it can be disabled (or changed, with limited options available though), even though it’s pretty tedious to find. Here’s the screenshot with most of the steps (I just skipped the first one):
Configuring the keyboard switching shortcut in Windows 10

  1. Open Region & Language settings (can be obtained directly by typing that into the Start Menu)
  2. Click “Additional date, time, & regional settings”
  3. Click “Language”
  4. Click “Advanced Settings”
  5. Click “Change language bar hot keys”
  6. Switch to the “Advanced Key Settings” tab
  7. Select “Between input languages” (that should be already selected, though, I think) and click “Change Key Sequence…”
  8. Yay! You’ve arrived! Enjoy 🙂 Note that you can set a shortcut both for switching input language and keyboard layout. I disabled the first and changed the second to something I hope I’ll accidentally hit less often. It’s a pity we can’t fully customize this and must instead choose from only 3 options (or disable)

Posted in Windows 10.

I upgraded to Firefox 57, and it wasn’t so horrible after all

When Firefox 57 “Quantum” (please, please, get rid of that ludicrous name in the near future) was released, I didn’t want to update at first, because so many of my beloved add-ons got destroyed by the move to WebExtensions. Namely, APK Downloader, Cookie Manager+, RefControl, Small Tabs, Tamper Data (and Tamper Data Icon Redux – funny how those 2 never merged), and YesScript. And the speed of Fx 56 wasn’t that bad IMO, particularly on Windows 10. On Windows 7, it was indeed a bit slow at times, but I’m not sure if my weaker config is to blame for this.

There was, however, the concern over security updates. Which is why I started looking at forks, mostly Waterfox, a somewhat long standing project which started in 2011 as a 64 bits build and apparently evolved into a lot more over time, and Basilisk, a new fork brought to us by the same team as Pale Moon just to escape the WebExtensions hell (just like Pale Moon itself was mostly about escaping the UI massacre that happened when Fx decided to copycat Chrome some years ago). Those 2 seemed quite satisfying, so I pretty much intended to stay on Fx 56 and then migrate to either, when security issues would require it.

But there was another problem: more and more sites started to become really unusable on Fx 56. It was so horrible that I would joke some frameworks like Angular got sabotaged for the purpose of making Fx look bad. Sites like Slack, Gmail, AWS (no, I don’t use those personally but I regrettably have to use them at work) would work (badly) for a few minutes, then totally freeze. Or freeze right away. In the end, the choice was either to upgrade to Fx 57, or to use all of those in Vivaldi.

So I started looking for alternatives to my extensions. And I did find a few interesting ones:
– RefControl got replaced by Smart Referer. It’s not exactly the same, notably its default behavior is to send referrers only when staying on the same domain. Which is nice, because it avoids most of the trouble I used to get when forging all my referrers with RefControl
– YesScript got replaced by YesScript2. Again it’s not exactly the same, but this time it’s worse: it toggles between non blocking, “half” blocking, and blocking. Half blocking means it will block all external scripts. I guess this is intended against trackers and ads, but since it’s off by default (needs to be enabled per site) it’s not quite efficient against tracking, and for ads (and trackers too) there are way better dedicated add-ons like uBlock and Ghostery. And it sends “full” blocking a click farther away. Still, I didn’t use YesScript that often, so that’s good enough
– NoScript, which I stopped using a while ago in my main profile, is, according to hearsay, having issues in Fx 57. But ScriptSafe, which I’ve been using for a while in Vivaldi, has now come to Firefox 🙂 It also features great functions against tracking and fingerprinting, so I added it to my setup. With scripts enabled
– FoxyProxy got fully rewritten, and a lot of users seem unhappy about it. I, however, like the new version, as I find it a lot less messy than the previous one (I suppose having lost a bunch of unimportant features helped ^^). Sure, it’s a bit ugly, but that’s not the kind of concern people juggling with proxies usually have.

Sadly, I couldn’t find replacements for quite a few:
– APK Downloader is gone :/ But I tested it in Fx 56 and it seemed broken already, so I guess I can’t really count it as a loss caused by Quantum…
– Cookie Manager+ and Tamper Data (and Tamper Data Icon Redux) are gone too. There are ways to accomplish kind of similar things (the developer tools, other weaker cookie management add-ons…), but it really sucks not being able to mess around with the cookies without any limits, or to easily intercept and modify live POST or GET requests on the fly

Last but not least, a special mention for Small Tabs. It made the UI quite more compact and I found no replacement for it either. However, Fx 57 introduced a “Density” setting, which you’ll find at the bottom of your screen in “Customize” mode. It features a “Compact” mode which, while not as compact as Small Tabs, saves pretty much enough space for most of my needs.

Well that covers it, my other extensions uBlock, Ghostery and HTTPS Everywhere were ready for the migration quite some time before the Firefox 57 release, so overall the move wasn’t as catastrophic as I expected. On sites that were not obviously broken, the speed gain from Firefox 57 wasn’t very obvious at first, but after using it for a bit more than a week, it really feels a lot more responsive globally (and notably on Windows 7).
I don’t see any valid reason for sticking to Chrome now that Firefox copied their GUI and their speed, except if you have some irresistible compulsion to keep giving always more power to Big Brother Google… The future of the World is in your hands 👀

Posted in Firefox, Internet.

Configuring the Grub2 boot loader

I had to use Linux for work the last few days, and my previous installation was completely outdated so I reinstalled from scratch, switching distribution in the process (from OpenSUSE to Kubuntu).
Part of the fun in installing Linux on a computer where I still want to mainly use Windows is configuring the bootloader. Apparently, it’s 2017 yet it still has to be done 100% via manually editing configuration files.

The file you want to edit is /etc/default/grub, so:

sudo nano /etc/default/grub

Then the interesting things to change are among those lines:
GRUB_DEFAULT=4 : boot the 5th item in the list (numbering starts at 0, so 5th item is 4, not 5)
GRUB_DEFAULT="Windows 7 (loader)" : boot the item named “Windows 7 (loader)”. NB: for me, for some reason it didn’t work
GRUB_DEFAULT=saved : boot the last operating system you chose (requires to also set GRUB_SAVEDEFAULT=true). NB: for me, the saving failed for some reason so it always loaded the first item :/
GRUB_CMDLINE_LINUX_DEFAULT="" : show console log output when starting up, instead of the static splashscreen (which is the default "quiet splash")

After you’ve saved your modifications, you have to run sudo update-grub to apply them, as /etc/default/grub isn’t directly used by Grub but is used to automatically generate Grub’s configuration file (which is /boot/grub/grub.cfg and shouldn’t be manually modified).

More details there:

Bonus 1: my /etc/default/grub file

#GRUB_DEFAULT="Windows 7 (on /dev/sdb1)"
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`

Bonus 2: if you happen to have damaged RAM, you can use Grub to enable BadRAM filtering. Not sure how this works exactly, but the setting is called GRUB_BADRAM

Bonus 3: since you’re here, I assume you’re dual booting. Maybe you’re having an issue with Windows and Linux both messing up your system date. Long story short, run "timedatectl set-local-rtc 1" to make Linux store local time instead of UTC in the hardware clock (well at least that’s how it is for Ubuntu). More details:

Posted in Linux.

Node.js / npm mini cheatsheet

Just some really basic commands, but paradoxically they’re not always obvious to find so hopefully they’ll help some newcomers

Running a script with Node.js:
node myscript.js

Initializing a Node app/package:
Move to the target folder (where you want to place your code) and npm init

Installing dependencies (listed in package.json) for the current package:
npm install

Updating dependencies:
1) Quick and dirty: edit package.json and replace version numbers for the dependencies you want to update with "*", then run
npm install --save, or npm install --save-dev for the devDependencies
2) Normal way: for each package, one by one, run:
npm install package-name --save (or --save-dev)
It happened to me in the past that dependencies wouldn’t update when I ran that, in which case you can try to change their version number as described in 1), only one by one, and you could also try deleting your package-lock.json file
3) npm update is also supposed to update dependencies, in the same way as 1). I remember it failing more often than succeeding, but last time I tried it worked nicely

Removing some dependencies:
Remove their entries from package.json, then run npm prune

Updating global libraries/packages:
npm update -g

Removing a global package:
npm uninstall -g [package name]


Posted in JavaScript / TypeScript / Node.js.