Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hardening RSA keys for PKI and SSH #3593

Merged
merged 7 commits into from Dec 11, 2017
Merged

Hardening RSA keys for PKI and SSH #3593

merged 7 commits into from Dec 11, 2017

Conversation

ghost
Copy link

@ghost ghost commented Nov 19, 2017

Hello,

For security reasons, I've :

  • added RSA 16384 for PKI
  • added RSA 4096 for SSH
  • switched the default SSH to 2048 because it's the default value when we use ssh-keygen

Regards

@jefferai
Copy link
Member

jefferai commented Dec 4, 2017

I'll merge this if you remove the 16384 bit value for RSA. I'm wary of people that don't really know what they're doing selecting this because it exists and such computations could bring a Vault server to its knees (remember, it's a shared process). I know of no evidence that such high bit values are necessary (usually if you need better security the answer is "don't use RSA any more"); even 8192 bits are not often seen in the wild, in favor of other key types (such as much smaller and faster elliptic curve types).

@jefferai jefferai added this to the 0.9.1 milestone Dec 4, 2017
@jefferai jefferai merged commit c1c052f into hashicorp:master Dec 11, 2017
@ghost ghost deleted the hardening-keys branch December 11, 2017 19:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants