PGP Tool

Learn · 7 min read · 2026-04-19

OpenPGP key types explained: RSA vs Curve25519 vs P-384

Modern OpenPGP supports three key families. Each has different speed, size, and compatibility tradeoffs. Here is how to pick.

When you generate a new PGP key, the tool asks "RSA-3072? RSA-4096? ECC Curve25519? ECC P-384?" The answer matters less than you might think for security: all four options are unbroken, with RSA-3072 and Curve25519 at roughly the 128-bit security level and RSA-4096 and P-384 above it. It matters a lot for speed, key size, and which clients can read your messages.

RSA — the legacy default

RSA-3072 and RSA-4096 are the workhorses of PGP. RSA dates from 1977, PGP has used it since its first release in 1991, and every PGP-capable client supports it. Keys are large (an ASCII-armored export of a 4096-bit private key with its encryption subkey runs to roughly 7 KB), key generation is slow because it has to search for two large random primes (sometimes 30+ seconds in a browser), and each signature or encrypted session key is one modulus in size: 512 bytes for RSA-4096, 384 bytes for RSA-3072.

Use RSA when you need maximum compatibility — embedded clients, very old GPG versions, regulators that explicitly mandate it.

ECC Curve25519 — the modern default

Ed25519 (signing) and X25519 (encryption) are the modern elliptic-curve replacements, both built on Curve25519. Keys are tiny (a private key is a 32-byte scalar, a public key 32 bytes, a signature 64 bytes), key generation is essentially instant because it is one random scalar and one point multiplication, and signing and decryption run at least an order of magnitude faster than RSA-3072, the RSA size with the same 128-bit security strength. The one operation where RSA still wins is verification with a small public exponent, which rarely matters in practice.

Compatibility is good and growing: every actively maintained PGP client (GnuPG since 2.1, ProtonMail, Thunderbird, this app) supports Curve25519. The only holdouts are some embedded HSMs and very old setups.

Use Curve25519 for new keys unless you have a specific reason not to. The 2024 revision of the OpenPGP standard, RFC 9580, makes X25519 and Ed25519 mandatory to implement. One caveat: RFC 9580 also introduced new native algorithm IDs for the two curves alongside the older ECDH and EdDSA encodings that RFC 4880-era clients understand, so if you must interoperate with older software, generate a v4 key with the legacy encoding, which is what most tools still produce by default.

ECC P-384 — for compliance regimes

NIST curves (P-256, P-384, P-521) are, like Curve25519, elliptic curves over prime fields, but in a different form (short Weierstrass) with parameters chosen by the US National Institute of Standards and Technology for FIPS 186. They are slower at equal security level, they are harder to implement safely because every incoming public point has to be checked to lie on the curve, and their provenance is more controversial: the seeds used to generate the parameters were never explained. Note also that P-384 is a 192-bit curve, so the like-for-like comparison with Curve25519 is P-256; P-384 buys extra margin at a further cost in speed.

Use P-384 only when a compliance framework explicitly mandates a NIST curve: FIPS 140 government deployments, US national-security systems under CNSA 1.0 (which names P-384 specifically), certain banking standards. Check the exact profile you are audited against, because FIPS 186-5 (2023) added Ed25519 to the approved signature algorithms, and whether your validated module and your auditor accept it is a question for them, not for this article. For everything else, Curve25519 is the better engineering choice.

A simple rule

  • New personal keys: ECC Curve25519.
  • Old systems must read your messages: RSA-3072 (the smaller of the two RSA options is fine; it sits at the same 128-bit level as Curve25519).
  • Compliance audit demands NIST curves: ECC P-384.

What about post-quantum?

All three of the above are vulnerable in theory to a sufficiently large quantum computer (one that does not yet exist publicly). The OpenPGP working group is standardising post-quantum algorithms (draft-ietf-openpgp-pqc, which pairs ML-KEM with X25519 for encryption and ML-DSA with Ed25519 for signatures as hybrids), but they are not yet in mainstream client support. For now, Curve25519 is your best bet; when post-quantum hybrids land, rotate your encryption subkey first. A signature only needs to hold until it is checked, but anything encrypted today to a classical key can be stored and decrypted later, so the encryption side is where a future quantum computer would hurt.