This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

📝 Correction | Add a warning to GnuPG #2127

Open
ghost opened this issue Nov 14, 2020 · 3 comments
Labels
📝 correction Correction of content on the website

Comments

@ghost

ghost commented Nov 14, 2020

Description

I would suggest adding a warning to GnuPG.

Why I am making the suggestion

GnuPG symmetric key encryption is weak[1].
It is available in gpg --symmetric.

1: https://security.stackexchange.com/questions/229723/aes-256-gcm-using-gnupg

My connection with the software

I'm a GnuPG user.
I am not related to the developer.

  • [✅] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
@ghost ghost added the 📝 correction Correction of content on the website label Nov 14, 2020
@samuel-lucas6
Contributor

I couldn't find any cryptography documentation for GnuPG from a quick search, but GnuPG doesn't use the newest algorithms. I wouldn't call the lack of AES-GCM a problem since encrypt-then-MAC is a perfectly good alternative to authenticated modes. CFB mode is also fine and AES-GCM isn't the best cipher anyway. However, if what eli says is true, then the authentication needs improvement since SHA1 is no longer recommended and MDC isn't as good as HMAC or BLAKE2/BLAKE3, etc.
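To make the "encrypt-then-MAC" alternative mentioned above concrete, here is an added example; it is not code from this thread, from GnuPG, or from the project the issue is filed against. It assumes a constructed keystream cipher built from HMAC-SHA256 in counter mode as a stand-in for AES-CFB (so the block runs with only the Python standard library), derives separate encryption and MAC keys from one master key, and authenticates the nonce and ciphertext with HMAC-SHA256 before any decryption happens. The contrast with the OpenPGP MDC is that the MDC is an unkeyed hash of the plaintext that is encrypted alongside it, whereas the tag here cannot be recomputed without `mac_key`.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a real cipher mode such as AES-CFB.

    Generates a keystream with HMAC-SHA256 in counter mode. This is NOT
    GnuPG's construction; it exists only so the example runs offline.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys (HMAC-based KDF step)."""
    enc_key = hmac.new(master, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_then_mac(master: bytes, plaintext: bytes,
                     nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag, with the tag over nonce+ciphertext."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Keyed tag: unlike an unkeyed MDC hash, it cannot be recomputed
    # by anyone who does not hold mac_key.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def mac_then_decrypt(master: bytes, message: bytes) -> bytes:
    """Verify the tag first; only decrypt if it checks out."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison, and no plaintext is produced on failure.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def tamper_is_detected(master: bytes, message: bytes, byte_index: int) -> bool:
    """Flip one bit at byte_index and report whether verification rejects it."""
    modified = bytearray(message)
    modified[byte_index] ^= 0x01
    try:
        mac_then_decrypt(master, bytes(modified))
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Fixed key and nonce so the result is reproducible (constructed values)."""
    master = b"\x00" * 32
    nonce = b"\x01" * NONCE_LEN
    plaintext = b"meet at noon"
    msg = encrypt_then_mac(master, plaintext, nonce)
    return {
        "roundtrip": mac_then_decrypt(master, msg) == plaintext,
        "nonce_tamper": tamper_is_detected(master, msg, 0),
        "ciphertext_tamper": tamper_is_detected(master, msg, NONCE_LEN),
        "tag_tamper": tamper_is_detected(master, msg, len(msg) - 1),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in `mac_then_decrypt` is the point of the construction: the receiver rejects a modified nonce, ciphertext or tag before any decryption runs, so no plaintext-dependent behaviour is exposed on bad input. Swapping the constructed keystream for a real block cipher mode does not change that logic.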

@lynn-stephenson
Contributor

Unfortunately GnuPG is a hard to use tool, which may have catastrophic consequences if used incorrectly. It definitely does not fit our target demographic, and can be dangerous for the people who know the command line well enough to be able to use this tool.

It may be worth removing the recommendation of GnuPG entirely. There are not many options for user friendly encryption tools for files, or text, though. Which is sad. :(

Cryptomator is partially open source, but is the easiest to use, while using decent cryptographic primitives. It may have to take the spotlight. But it can in no way replace GnuPG. I do not think any tool can, as of now. Except for specific use cases, such as signing stuff, which could be replaced by minisign and signify.

@samuel-lucas6
Contributor

> Unfortunately GnuPG is a hard to use tool, which may have catastrophic consequences if used incorrectly. It definitely does not fit our target demographic, and can be dangerous for the people who know the command line well enough to be able to use this tool.
>
> It may be worth removing the recommendation of GnuPG entirely. There are not many options for user friendly encryption tools for files, or text, though. Which is sad. :(
>
> Cryptomator is partially open source, but is the easiest to use, while using decent cryptographic primitives. It may have to take the spotlight. But it can in no way replace GnuPG. I do not think any tool can, as of now. Except for specific use cases, such as signing stuff, which could be replaced by minisign and signify.

That's a very valid point. I guess the only reason to recommend it is because it's still very popular and comes with Linux distros. Usability-wise it's terrible. age is often cited as a replacement for GPG. However, this blog post does raise some interesting criticisms, and it doesn't do everything GPG does. age isn't beginner friendly either.

Cryptomator seems like the most polished file encryption program at the moment for the average user. It's a shame it's not suitable for encrypting individual files. I'm going to keep trying to improve Kryptor - speed and efficiency are going to be my main focus now. Minisign is good, but people don't want to move away from GPG due to it being the standard, meaning it lacks usefulness.
