Skip to main content

Enable strong RSA key requirement (breaks Hyper-V VMs)

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (PKCS 1 2). RSA encryption keys play a crucial role in securing communications over the internet. The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption. Using keys that are too weak can expose your data to unauthorized access.

This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection.

From Windows 10, version 1507, and Windows Server 2016 onwards, the default RSA key size is 1024 bits 2. However, this script raises the client-side minimum to 2048 bits, aligning with modern security standards. Server-side RSA key strength relies on the server certificate 2.

Since 2013, internet standards and regulatory bodies have banned 1024-bit RSA keys due to security vulnerabilities 3. These entities, including the Federal Office for Information Security (BSI) in Germany 2 and the National Institute of Standards and Technology (NIST) in the USA 4 5, now recommend the use of keys that are 2048 bits or longer. RSA key exchanges of 2048 bits or are widely accepted.

In 2012, Microsoft deprecated 1024-bit RSA keys for their applications 5 6 and will end support for them in Windows by March 2024 3.

While 2048-bit keys balances security with efficiency 7, a shift towards stronger 4096-bit RSA keys is emerging. Projects like Debian 8, Fedora 9, and CaCert.org 10 use larger keys for long-term tasks.

However, this script disrupts connections to Hyper-V virtual machines, which still require 1024-bit keys 11. It does not affect other virtual environments such as Docker, WSL, or Windows Sandbox 11.

Caution
  • The script prevents access to Hyper-V VMs.
  • Using bigger keys increases security but may not work with some old or less secure apps.
  • This can make your device slower and drain the battery faster.

This script uses Batch (batchfile) scripting language.

Use with Caution

This script is only recommended if you understand its implications. Some non-critical or features may no longer function correctly after running this script.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to Enable strong secret key requirements category. This category contains scripts that enhance system security by implementing stronger encryption key lengths. Stronger keys help prevent unauthorized data access and potential leaks. These scripts aim to protect your data when sent over network (Internet), making sure your security matches up... Read more on category page ▶

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is free and open-source application that lets securely apply this action easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Enable strong RSA key requirement (breaks Hyper-V VMs).
  3. Check the script by clicking on the checkbox.
  4. Click on Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for simpler way.

  1. Open Command Prompt as administrator.
HELP: Step-by-step guide
  1. Click on Start menu

  2. Type cmd

  3. Right click on Command Prompt select Run as administrator

  4. Click on Yes to run Command Prompt


Animation showing how to open terminal as administrator on Windows 11

  1. Copy the following code:
Code to apply changes
:: Require "PKCS" key exchange algorithm to have at "2048" least bits keys for TLS/SSL connections
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS!ServerMinKeyBitLength"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'; $data = '2048'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' /v 'ServerMinKeyBitLength' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS!ClientMinKeyBitLength"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS'; $data = '2048'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' /v 'ClientMinKeyBitLength' /t 'REG_DWORD' /d "^""$data"^"" /f"
  1. Right click on command prompt to paste it.
  2. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
:: Restore key size requirement for "PKCS" for TLS/SSL connections
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS!ServerMinKeyBitLength"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' /v 'ServerMinKeyBitLength' /f 2>$null"
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS!ClientMinKeyBitLength"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' /v 'ClientMinKeyBitLength' /f 2>$null"

Support

This website relies on your support.

Support now

Your donation helps keep the project alive and improves its content ❤️.

Share this page: