2048 Bit RSA Keys
Since the creation of this article, there is now a much more detailed discussion of these issues available:
2048 Bit RSA and the Year 2030
If you generate a public/private keypair with a recent version of GnuPG you get a 2048 bit RSA key by default 1). That fact generates a surprising amount of angst.
Currently (2020) the largest RSA key ever actually broken is 829 bits long2). Using a random cost off the net for AWS compute capacity the cost works out to around one million USD.
So how much harder would it be to break a 2048 bit RSA key?
RFC3766 gives a method that produces an equivalent “symmetric” key strength. This3) website did the work and produced 65 bits for 829 bit RSA and 103 bits for 2048 bit RSA. That's a difference of 38 bits. Every time you add a bit to a symmetric cipher you double the brute force (guessing) effort required to break it. With 38 doublings we have an extra difficulty factor of 275 billion. So it is unlikely that anyone will be breaking 2048 bit RSA any time soon. But what about later?
There are organizations that produce authoritative looking lists of key sizes versus dates. The idea is that you decide how long you want your data to be secure, look up the date and choose the resulting key size. Such lists are unlikely to be better than the sort of guessing anyone could do.
That is particularly true now that we are coming up against the hard physical limits of the silicon based technology we use for computing. Moore's law is no longer useful for predicting future computing capability. Further significant progress will require a new technology; an invention. Such an invention could come anytime between now and never.
Further improvements in software methods of breaking RSA will require an invention as well and the field has kind of gone cold. There have been no significant improvements in 15-20 years. A breakthrough could come any time between now and never.
A plan based on a future invention is no more than wishful thinking. There is no reason to think that more RSA bits could help in any way that would matter. There is no reason to think that another method would somehow be better. As a result I have no rational reason to not accept the default of 2048 bit RSA as suggested by GnuPG.
If you are worried about the possible repercussions of quantum computing there currently are no quantum resistant algorithms available in the OpenPGP standard to choose instead of RSA. Elliptic curve based methods are weaker in the face of quantum computing than RSA. There have been no actual demonstrations of the sort of operations required to break RSA on a quantum computer at even the most trivial level 4). Such a computer does not exist and no one knows how to make one. So the quantum threat to RSA hinges on an invention.