<- Back to the blog

Scanning PGP Keys on Public Servers

Graham Steel
November 29, 2021

How many non-NIST compliant PGP keys are there on the PGP Keyserver?

As part of the suite of cryptography discovery tools included with Cryptosense Analyzer Platform (CAP), Cryptosense File Scanner looks for cryptographic objects including SSH keys, PGP Keys, X.509 certificates and keystores on any filesystem or container image. Once found, the trace of objects can be uploaded to the Cryptosense Analyzer Platform to get an inventory summary, search for vulnerabilities and check compliance.

At Cryptosense we know that there’s nothing like real-world data for testing cryptography tooling, so we recently gave our File Scanner a spin on a dump of about 5.7 million PGP keys obtained from the public keyserver https://pgp.key-server.io. In particular, we were interested to know how well this key sample complies with the NIST recommendations on key-lengths, which are to use at least 2048 bits for RSA and DSA. 

The key server contains keys but also revocations, so we first had to use CAP to process the scan and remove revoked keys. We also took into account validity dates, which the Cryptosense File Scanner picks up automatically from the PGP key metadata. We excluded keys that do not have an expiry date - leaving only 393 217 keys with expiry dates that are also valid, and unrevoked.

Of the remaining, valid and unrevoked keys on the server, there were 1 348 1024-bit (or less) bit DSA keys and 1 234 1024-bit (or less) RSA keys.

The good news is that this is only a tiny proportion of the valid remaining keys. But it also shows that old, insecure keys do get forgotten about. 
If you have a large IT estate and use PGP, our File Scanner offers a practical way to inventory the keys, no matter how well hidden they are in unexpected places. Get in touch to get a free trial and find out how to deploy it at scale.