No GPG

Couple of days ago, I learnt about GPG for general-purpose, and more specifically email, encryption. Unsurprisingly, I got excited to try it out for myself.

However, after I spent an afternoon digging more into it, I learnt that, while a powerful tool, there are valid criticisms against using it nowadays. Here is what I understood:

  • GPG is a monolith that tries to do a lot.
    • That makes it cumbersome to use. In today’s world, it’s probably better to use more specific tools for the use case at hand.
    • Given it has so many options, getting them right is error prone.
  • GPG relies on long-term keys which are a bad idea from a security perspective nowadays. (This is also something I’ve learnt from my experience in Amazon.)
    • Burdensome to keep them safe.
    • How you securely transfer them across machines is another problem.
    • Ephemeral keys that are, by design, rotated often are obviously more secure and easier to use.
  • No forward secrecy. Again, bad.
  • Very few people use GPG in the real world. (I don’t even use email all that much today. It only functions as a sink for my online orders etc. Who’s going to send me GPG-encrypted email?!)

Interesting resources: