Package: kxgencert
Version: 0.15-2
Severity: important
Tags: patch

Dear maintainers,
thank you very much for providing kxd as a part of Debian! I recently did a
test setup and noticed that kxgencert creates the SSL certificates used for
secure LUKS passphrase exchange with 2048 bits, which is even hardcoded in the
Go file and thus cannot be overridden by a command line flag.

Based on ECRYPT[1] and BSI[2] recommendations, I'd suggest to switch to
4096 bits by default.

Find attached a trivial patch that increases the key size to 4096 bits. It
would be great if this patch could make it into Bookworm... :)

Thank you very much for your work!

all the best,
Adi

[1] https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf
[2] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile
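
Added illustration, not part of the original report, not the attached patch and not kxgencert's own code: a Go example that takes the RSA key size from a flag instead of a hardcoded constant, and reads the modulus size back from the resulting certificate so the size actually in use can be checked. The `-bits` flag, the function names and the `kxd.example` subject are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"flag"
	"fmt"
	"math/big"
	"time"
)

// genCertDER creates a self-signed certificate (DER) whose RSA key has the given size.
func genCertDER(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "kxd.example"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	return x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
}

// rsaBits reports the RSA modulus size of a DER certificate, to audit what is deployed.
func rsaBits(der []byte) (int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return 0, fmt.Errorf("not an RSA key: %T", cert.PublicKey)
	}
	return pub.N.BitLen(), nil
}

func main() {
	// Hypothetical flag: the key size becomes a parameter with a 4096-bit default.
	bits := flag.Int("bits", 4096, "RSA key size in bits")
	flag.Parse()
	der, err := genCertDER(*bits)
	if err != nil {
		panic(err)
	}
	fmt.Println(rsaBits(der)) // modulus size in bits, then the error value
}
```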

