PGP Tool

Compare · 5 min read

RSA vs ECC keys — which should you generate?

RSA and elliptic-curve (Curve25519 / NIST) keys both secure PGP, but they trade size, speed, and compatibility differently. Here is how to choose.

When you generate a PGP key you pick an algorithm family: RSA or elliptic-curve cryptography (ECC). Both are secure at recommended sizes. The real difference is efficiency versus backward compatibility.

The core trade-off

RSA security comes from the difficulty of factoring large numbers, so keys must be large — 3072 or 4096 bits — to stay strong. ECC gets equivalent security from far smaller keys: a 256-bit Curve25519 key is roughly as strong as a 3072-bit RSA key, while being much smaller and faster.

Side by side

  • Key size: RSA-3072 vs Curve25519 (256-bit) for comparable security — ECC keys and signatures are dramatically smaller.
  • Speed: ECC key generation, signing, and decryption are faster; RSA verification is fast but signing and keygen are slow.
  • Compatibility: RSA works with virtually every OpenPGP implementation ever shipped. Curve25519 is supported by all modern software (recent GnuPG, Thunderbird, OpenPGP.js) but not by very old installations.
  • Quantum resistance: neither is quantum-safe — both will need post-quantum replacements (ML-KEM / ML-DSA) as those standards roll out.

Which to choose

  • Choose ECC Curve25519 for new keys in almost all cases — smaller, faster, secure, and supported by every actively maintained OpenPGP tool.
  • Choose RSA-4096 only if you must interoperate with legacy systems or a policy mandates RSA.
  • Avoid RSA-2048 for long-lived keys — it meets today's minimum but has less margin than RSA-3072+ or Curve25519.

In this tool, the Generate Keys page defaults to Curve25519 for exactly these reasons; switch to RSA only when compatibility demands it.