From 62b6cc3db9006eadb9b433920cea692a8bd5ee00 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sat, 3 Sep 2016 16:24:49 -0700 Subject: [PATCH] docs: paranoid: Describe how to do 4096 RSA keys * For the paranoid of course. :) * Someday elliptic curve? * Closes #154 --- docs/paranoid.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/paranoid.md b/docs/paranoid.md index 974aa90..f048a70 100644 --- a/docs/paranoid.md +++ b/docs/paranoid.md @@ -29,4 +29,13 @@ Changing the `tls-cipher` option seems to be more complicated because some clien TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed +## EasyRSA and 4096 bit RSA Keys + +EasyRSA will generate 4096 bit RSA keys when the `-e EASYRSA_KEY_SIZE=4096` argument is added to `ovpn_initpki` and `easyrsa build-client-full` commands. + + docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki + docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + +## Additional Resources + Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.
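Review bot: The second added command, `easyrsa build-client-full CLIENTNAME nopass`, writes the client private key without a passphrase, which sits oddly in a paranoid.md section about stronger keys; either drop `nopass` from the example or add a sentence saying the passphrase is being skipped on purpose and how the key file should then be protected. The sentence above the commands says `-e EASYRSA_KEY_SIZE=4096` is added to both `ovpn_initpki` and `easyrsa build-client-full`, so it would help to say explicitly whether the variable must be repeated for each later client build or is remembered after `ovpn_initpki`. Two style points: quote the volume argument as `-v "$OVPN_DATA:/etc/openvpn"` so a value containing spaces does not split the command, and write "4096-bit" in the new heading and sentence.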