📝 Correction | Add a warning to GnuPG #2127
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#2127
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Description
I would suggest adding a warning to GnuPG.
Why I am making the suggestion
GnuPG symmetric key encryption is weak[1].
It is available in gpg --symmetric.
1: https://security.stackexchange.com/questions/229723/aes-256-gcm-using-gnupg
My connection with the software
I'm a GnuPG user.
I am not related to the developer.
I couldn't find any cryptography documentation for GnuPG from a quick search, but GnuPG doesn't use the newest algorithms. I wouldn't call the lack of AES-GCM a problem since encrypt-then-MAC is a perfectly good alternative to authenticated modes. CFB mode is also fine and AES-GCM isn't the best cipher anyway. However, if what eli says is true, then the authentication needs improvement since SHA1 is no longer recommended and MDC isn't as good as HMAC or BLAKE2/BLAKE3, etc.
Unfortunately GnuPG is a hard to use tool, of which may have catastrophic consequences if used incorrectly. It is definitely does not fit our target demographic, and can be dangerous for the people who know the command line well enough to be able to use this tool.
It may be worth removing the recommendation of GnuPG entirely. There are not many options for user friendly encryption tools for files, or text, though. Which is sad. :(
Cryptomator is partially open source, but is the easiest to use, while using decent cryptographic primitives. It may have to take the spotlight. But it can in no way replace GnuPG. I do not think any tool can, as of now. Except for specific use cases, such as signing stuff, which could be replaced by minisign and signify.
That's a very valid point. I guess the only reason to recommend it is because it's still very popular and comes with Linux distros. Usability wise it's terrible. age is often cited as a replacement for GPG. However, this blog post does raise some interesting criticisms, and it doesn't do everything GPG does. age isn't beginner friendly either.
Cryptomator seems like the most polished file encryption program at the moment for the average user. It's a shame it's not suitable for encrypting individual files. I'm going to keep trying to improve Kryptor - speed and efficiency are going to be my main focus now. Minisign is good, but people don't want to move away from GPG due to it being the standard, meaning it lacks usefulness.