Age β a simple, modern and secure file encryption tool, format, and Go library
Age is great and all but it has a huge footgun. It encourages the user to encrypt material with a public key in a way that is entirely unauthenticated. So an attacker with access to that public key can simply overwrite the file with whatever they want. If ensuring that you end up with the same stuff as you encrypted is important than that can be a big problem. Fixing this involves the use of a separate signing utility and thus introduces an entirely different set of keys for the user to manually manage.
By doing the key management for the user, GPG actually ends up being a lot more usable...
The thing that age is missing: A description of how to use it properly. I've looked into age several times and it is supposed to be a GnuPG killer for file encryption. But there is afaik no document or talk that describes how to use age in practice. Afaik there is absolutely no information about how to manage your public keys and what the best practices are for rotating and distributing them. Part of me really wants to use age, but when it comes to crypto, you need to know how use it properly.
I'm eagerly awaiting the Kotlin implementation of age[0] because once that's finished, Android Password Store[1] will be able to offer age encryption next to/ instead of gpg.
0: https://github.com/android-password-store/kage
1: https://github.com/android-password-store/Android-Password-S...
There's also a rust version. https://github.com/str4d/rage
The availability of age as a Go library means that it's easy to embed age into other tools. For example chezmoi supports age encryption for your sensitive dotfiles, and you don't even have to install age on your machine to use it.
The (CLI) user experience looks very clear and straightforward.
Especially having these small explicit public keys.
Is there a backup tool yet for age?
Also, I would like to point out a major foot-gun with Age. I was using age in the symmetric mode, glad that I am getting a cleanly written ChaCha20-Poly1305 symmetric cipher. This is supposed to be 256-bits symmetric encryption, and quantum-resistance.
But if I recall, it seems that the age key file itself is 128 bits! Thus in the symmetric mode, Age provides only 128 bits of security. This is substandard, and in particular secure only until 2035 or so.
Worse, Age creates by default a 10-word password from BIP-39 list. Thatβs actually 110 bits, in default configuration. Again, a good deal weakening the security.
I reverted back to GPG AES-256. AES-GCM appears in 2.3.
Correct me if Iβm wrong.
ββββ-
Update: Here are the links for the security level of 128 bits in Age:
The author "filosottile" has built some amazing tools. My favorite is the "mkcert" tool. What a breeze to setup https/ssl on localhost within minutes. I guess I should go through his repo. in detail.
I use this with Mozilla SOPS to crypt sensible yaml configuration values stored in a Git repo. Works great, fast, and keys and payloads are short.
How do this compare to @cperciva scrypt[1]? I've used scrypt before and love how simple it is.
[1] https://www.tarsnap.com/scrypt.htmlscrypt enc test.txt > test.scrypt Please enter passphrase: Please confirm passphrase:OpenSSL has implemented all of this functionality for many, many years.
https://www.linuxjournal.com/content/flat-file-encryption-op...