Couple of days ago, I learnt about GPG for general-purpose, and more specifically email, encryption. Unsurprisingly, I got excited to try it out for myself.
However, after I spent an afternoon digging more into it, I learnt that, while a powerful tool, there are valid criticisms against using it nowadays. Here is what I understood:
- GPG is a monolith that tries to do a lot.
- That makes it cumbersome to use. In today’s world, it’s probably better to use more specific tools for the use case at hand.
- Given it has so many options, getting them right is error prone.
- GPG relies on long-term keys which are a bad idea from a security perspective nowadays. (This is also something I’ve learnt from my experience in Amazon.)
- Burdensome to keep them safe.
- How you securely transfer them across machines is another problem.
- Ephemeral keys that are, by design, rotated often are obviously more secure and easier to use.
- No forward secrecy. Again, bad.
- Very few people use GPG in the real world. (I don’t even use email all that much today. It only functions as a sink for my online orders etc. Who’s going to send me GPG-encrypted email?!)
- https://github.com/FiloSottile/age - an interesting tool that uses explicit keys for file encryption.
- https://oyd.org.tr/en/articles/the-defense-of-gnupg/ - the other side of the argument.
- https://www.mailvelope.com/en - an open-source tool that tries to simplify GPG usage in emails.