No GPG

Couple of days ago, I learnt about GPG for general-purpose, and more specifically email, encryption. Unsurprisingly, I got excited to try it out for myself.

However, after I spent an afternoon digging more into it, I learnt that, while a powerful tool, there are valid criticisms against using it nowadays. Here is what I understood:

• GPG is a monolith that tries to do a lot.
  • That makes it cumbersome to use. In today’s world, it’s probably better to use more specific tools for the use case at hand.
  • Given it has so many options, getting them right is error prone.
• GPG relies on long-term keys which are a bad idea from a security perspective nowadays. (This is also something I’ve learnt from my experience in Amazon.)
  • Burdensome to keep them safe.
  • How you securely transfer them across machines is another problem.
  • Ephemeral keys that are, by design, rotated often are obviously more secure and easier to use.
• No forward secrecy. Again, bad.
• Very few people use GPG in the real world. (I don’t even use email all that much today. It only functions as a sink for my online orders etc. Who’s going to send me GPG-encrypted email?!)

Interesting resources:

• https://blog.filippo.io/giving-up-on-long-term-pgp/
  • https://github.com/FiloSottile/age - an interesting tool that uses explicit keys for file encryption.
• https://nullprogram.com/blog/2017/03/12/
• https://moxie.org/2015/02/24/gpg-and-me.html
• https://blog.gtank.cc/modern-alternatives-to-pgp/
• https://oyd.org.tr/en/articles/the-defense-of-gnupg/ - the other side of the argument.
• https://www.mailvelope.com/en - an open-source tool that tries to simplify GPG usage in emails.