Age only covers encryption. It does not cover signing, ssh, web of trust, hierarchical keys, key discovery, etc. It is in no way a replacement for a modern PGP keychain.
Ignore GnuPG which is a shit show stuck in the 90s. PGP != GPG
For a modern long lived personal PGP keychain use Keyfork on AirgapOS which gives you a secure 24 word mnemonic backup, optional split backup across redundant smartcards, and a separation of a CA key and daily driver subkeys on smartcards all done correctly so you do not have to think about it. I would suggest a Nitrokey Pro due to open source rust firmware, though Yubikeys are supported.
From there you can use your smartcard for ssh, password management, git commit signing, etc. and make your key easy to discover without impersonation using keyoxide to have all your services, domains, etc attest to your key, as well as any humans who vouch for you.
A proper PGP keychain is a long lived digital passport first, that has encryption and authentication subkeys.
Even if you ONLY care about encrypting files presumably you want to be able to decrypt them far into the future, with confidence no one else can do so.
If that is the case, you probably want:
1. a long lived keychain
2. a way to securely load private keys into smartcards such that they cannot be stolen by malware
3. a strategy to recover lost keys
4. a strategy to migrate from one keychain to another one
5. a way to notify people/software to stop encrypting data to your old key
6. a way to switch between multiple competing software implementations with a long established spec
The PGP ecosystem has you covered on all points. Age does few of these, and none of them well.
Doing things the right way takes a bit more up front thought and time, and you will thank yourself later.
That said, for the sake of compatibility, keyfork keys can be used with any pgp toolchain, as well as with signify, age, or whatever.
Abusing ssh for signing is a silly thing to do in most cases when modern PGP tooling covers this and so many other use cases with established standards.
Also, again, use keyoxide which is a modern decentralized alternative to keybase. You can vouch for yourself to bootstrap trust.
It’s not because WoT necessarily doesn’t work, but people simply don’t need to verify digital signatures. Whatever needs to be done is done internally by apps.
Dark web runs on PGP. People with no technical knowledge use it. Nobody has broken their communication. Not that this is a good use case, just saying bums can use PGP too!
The biggest use case is currently software signing. Like you would verify a master key for a project under TOFU model, once through several channels. From there, verifying software signed by keys signed ultimately by that master key is done easily and securely.
I like the idea of AirgapOS; "just turn off the network" has always felt a little dissatisfying.
That said, if you're already in the GnuPG ecosystem, https://incenp.org/notes/2015/using-an-offline-gnupg-master-... will cover you for pretty much everything here except the mnemonic backup using baseline tooling. I presume you can get a shell utility to pipe your key in and get that mnemonic version out if you'd like.
> I presume you can get a shell utility to pipe your key in and get that mnemonic version out if you'd like.
Not possible as GnuPG does not expose access to the cryptographic seed.
That said a mnemonic you generate and backup with keyfork is entirely compatible with GnuPG should you still want to use it as a client for keyfork-provisioned smartcards.
You can also use that same mnemonic to generate any other cryptographic keys you want for any purpose, including Age.
Keyfork only uses modern ECC PGP keys supported by the spec, prioritizing smartcard use, and using BIP32 KDF from a 256 bit mnemonic seed.
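Added example, not Keyfork's code and not from the Keyfork project: what "BIP32 KDF from a mnemonic seed" means mechanically, in pure standard-library Python. It implements the BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds) and BIP32 master and hardened child derivation over secp256k1, which is what lets one mnemonic fan out into independent keys for different purposes. The `m/0'` and `m/1'` purpose split in `purpose_keys` is an illustrative assumption; Keyfork's real derivation paths are not described on this page, and ed25519 or cv25519 subkeys would need the SLIP-0010 variant (HMAC key "ed25519 seed", hardened steps only) rather than the secp256k1 addition shown here.

```python
"""Mnemonic -> seed -> hierarchical child keys (BIP39 + BIP32, hardened only).

Illustrative only: the purpose paths below are assumptions, not Keyfork's layout.
"""
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 child private keys are reduced modulo this.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised words.

    A 24-word mnemonic encodes 256 bits of entropy plus an 8-bit checksum; the
    optional passphrase acts like a 25th word, so losing it loses every key.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed: bytes):
    """BIP32 master key: HMAC-SHA512 keyed with 'Bitcoin seed'.
    Left 32 bytes are the private key, right 32 bytes the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key (probability ~2^-128); regenerate the seed")
    return key, chain


def ckd_priv_hardened(k_par: bytes, c_par: bytes, index: int):
    """Hardened child: the parent private key (not the public key) feeds the HMAC,
    so a leaked child key plus chain code cannot be walked back to the parent."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be below 2^31; the hardened bit is added here")
    data = b"\x00" + k_par + (index + HARDENED).to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + int.from_bytes(k_par, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        raise ValueError("invalid child key; BIP32 says skip to the next index")
    return child.to_bytes(32, "big"), digest[32:]


def derive(seed: bytes, path: str):
    """Walk a path such as m/0'/1' (hardened steps only)."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    key, chain = bip32_master(seed)
    for part in parts[1:]:
        if not part.endswith("'"):
            raise ValueError("only hardened derivation is implemented here")
        key, chain = ckd_priv_hardened(key, chain, int(part[:-1]))
    return key, chain


def purpose_keys(mnemonic: str, passphrase: str = "") -> dict:
    """Hypothetical per-purpose split: one hardened branch per key use.
    The path numbers are an assumption for this demo, not Keyfork's layout."""
    seed = bip39_seed(mnemonic, passphrase)
    return {
        "pgp": derive(seed, "m/0'")[0].hex(),
        "age": derive(seed, "m/1'")[0].hex(),
    }


if __name__ == "__main__":
    # Constructed demo mnemonic (the well-known all-"abandon" BIP39 test phrase).
    print(purpose_keys("abandon " * 11 + "about"))
```

Because every step is hardened, a compromised daily-driver key at `m/1'` says nothing about the sibling at `m/0'` or about the root; the only secret worth splitting across cards or writing on paper is the 24 words (plus passphrase, if used).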
Nothing else comes close to the broad compatibility PGP offers. Just need to ignore legacy ciphers.
I suggest looking at the links. Latacora's take on this is IMO wildly out of date (6 years old to be fair).
PGP powers the core software supply chain security trust layer for the Linux distributions and tooling that power the whole internet and the standard does get updated.
Not having gpg-agent is a huge deal breaker for me. I feel gpg-agent doesn't get enough love. Not only can it do all the ssh-agent operations, it can also be used with gpgme-json[1] to do web authentication with your [A] key. It's truly a shame that hardly any applications leverage the powerful cryptography afforded by GPG.
What do you mean? I use GPG with SSH (or SSH with GPG) all the time, and I need gpg-agent for that. GPG's agent replaces ssh-agent and serves SSH keys derived from your GPG key.
Can you do this with Age? If not, then I am going to stick to GPG.
But I don’t think it will ever be a replacement for gpg (and might have already passed its window to replace it for file encryption). It just does file encryption. GPG does tons of other things that you will find are very useful (like around key management and signatures).
Literally the only thing I ever actually used gpg for was file encryption. I tried doing key management and signatures for a very brief period 20 years ago and gave up because no one else was doing it and it was annoying trying to do the right opsec things with no payoff.
Ever since then, as far as I can tell there has been a very small very niche group who use gpg for anything other than file encryption. So age is the obvious choice for the vast majority of us and its adoption seems to be reflecting that.
By very small niche group, you mean every maintainer of every widely used production linux distribution and most of the core packages that form the supply chain trust layer for the entire internet? Or every reasonably competent security vulnerability disclosure team? (Even Google and Apple!)
PGP is the only standardized cryptographic online identity layer we have and still very heavily used by anyone working on security critical software for signed commits, signed reviews, system administration, etc.
Honestly I find it hard to take anyone seriously who works in any engineering role where security matters that is -not- using PGP smartcards to sign and push their commits, sign code reviews, sign build reproductions of container images, encrypt their passwords, etc.
age is so clean precisely because it does only one thing.
While GPG has other use cases; the intent is that those use cases are satisfied by different tools. Eg: signify for signing.
I’m also considering moving away from GPG, but the main limitation is signed git tags (for releases). Git supports GPG or SSH keys. I’m not sure that I’m a fan of signing with SSH keys, I’d rather have first-class support for signify.
Repeating a comment elsewhere on the thread so I'll keep this very brief, but it is in fact bad that PGP "does tons of other things that you will find are very useful".
> I'm now experimenting with `age`, which touts itself as "simple, modern, and secure encryption". If needed, I will use `minisign` for signatures.
I have also switched from GPG to age.
When I wanted to start signing my open-source software releases because of recent supply-chain attacks, I first thought of Minisign, too.
I tried it for binaries and even found a few third-party Git integrations (https://codeberg.org/SkyFox42/git-minisign, https://github.com/sug0/git-signify), then discovered that Git and GitHub supported signing with SSH keys (https://stackoverflow.com/questions/72844616).
GitHub supports it in the sense that it will indicate a commit or tag is signed.
I have adopted this approach: I sign tags with `git tag -s foo` and binaries with `ssh-keygen -Y sign`, and I have put the public key and usage instructions on my site (https://dbohdan.com/pubkeys).
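Added example, not the commenter's script and not part of OpenSSH: the verification side of the `ssh-keygen -Y sign` workflow above, wrapped in Python so the three things a verifier must reject (wrong namespace, unlisted identity, modified artifact) are exercised next to the happy path. It shells out to `ssh-keygen` (OpenSSH 8.x or later) and constructs everything it uses: a throwaway ed25519 key, the principal `release@example.com`, a one-namespace `allowed_signers` entry and a fake artifact.

```python
"""Sign a release artifact with an OpenSSH key and verify it against allowed_signers.

Wraps `ssh-keygen -Y sign` / `ssh-keygen -Y verify`. Everything created in
demo() is constructed for the example: key, identity and artifact bytes.
"""
import os
import shutil
import subprocess
import tempfile


def ssh_keygen_available() -> bool:
    return shutil.which("ssh-keygen") is not None


def allowed_signers_line(identity: str, pubkey_line: str, namespaces=("file",)) -> str:
    """One allowed_signers entry: principal, options, key type, base64 key.

    Restricting namespaces means a key trusted for release files cannot be
    replayed as a commit signature (git uses the "git" namespace) or vice versa.
    """
    key_type, key_b64 = pubkey_line.split()[:2]
    return f'{identity} namespaces="{",".join(namespaces)}" {key_type} {key_b64}\n'


def sign(private_key: str, namespace: str, path: str) -> str:
    """Write path.sig; the namespace is bound into the signed blob."""
    subprocess.run(
        ["ssh-keygen", "-Y", "sign", "-f", private_key, "-n", namespace, path],
        check=True, capture_output=True,
    )
    return path + ".sig"


def verify(allowed_signers: str, identity: str, namespace: str, path: str, sig: str) -> bool:
    """True only if the signature is valid AND the key is listed for that identity
    and namespace in allowed_signers. ssh-keygen reads the message from stdin."""
    with open(path, "rb") as message:
        result = subprocess.run(
            ["ssh-keygen", "-Y", "verify", "-f", allowed_signers, "-I", identity,
             "-n", namespace, "-s", sig],
            stdin=message, capture_output=True,
        )
    return result.returncode == 0


def demo() -> dict:
    """Happy path plus the three failures a release verifier must reject."""
    identity = "release@example.com"  # constructed principal for the demo
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "release_key")
        subprocess.run(
            ["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-C", identity, "-f", key],
            check=True,
        )
        with open(key + ".pub", encoding="utf-8") as f:
            pubkey_line = f.read()

        allowed = os.path.join(tmp, "allowed_signers")
        with open(allowed, "w", encoding="utf-8") as f:
            f.write(allowed_signers_line(identity, pubkey_line, namespaces=("file",)))

        artifact = os.path.join(tmp, "tool-1.0.tar.gz")
        with open(artifact, "wb") as f:
            f.write(b"constructed release payload, not a real tarball\n")

        sig = sign(key, "file", artifact)
        results = {
            "good": verify(allowed, identity, "file", artifact, sig),
            "wrong_namespace": verify(allowed, identity, "git", artifact, sig),
            "unknown_identity": verify(allowed, "someone@example.com", "file", artifact, sig),
        }
        with open(artifact, "ab") as f:  # modify the payload after signing
            f.write(b"tampered\n")
        results["tampered"] = verify(allowed, identity, "file", artifact, sig)
    return results


if __name__ == "__main__":
    print(demo())
```

For a real release the `allowed_signers` file is what you publish alongside the public key: it pins the principal to the key and to the namespaces it may sign, and `-O verify-time` / `valid-before` options on the entry give you the key-rotation story that a bare public key on a web page does not.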
No.
age developer Filippo Valsorda has experimented with Kyber/ML-KEM and maintains a Go library for it, https://github.com/FiloSottile/mlkem768.
The public key size is intimidating.
https://git.distrust.co/public/keyfork
https://git.distrust.co/public/airgap
https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
PGP is not going away, but it is being upgraded.
[1]: https://manpages.debian.org/trixie/gpgme-json/gpgme-json.1.e...
Can you use GPG-agent for non-resident passkey challenges?
I also have Yubikey setup, but haven't thought of this.
It cannot. Doesn't work with PKCS#11 PIV. In general GPG's behavior with SmartCards is idiotic and interferes with many other applications.
It's good that people don't use GPG more often and I can just purge it from my systems.
gpg-agent was valuable to me because it let me use `pass` in scripts while maintaining encryption at rest. This prevented me from switching to `passage`. After surveying my options (https://github.com/dbohdan/pago/blob/6aa312e83113498a64abd9a...), I ended up forking pash (https://github.com/dylanaraps/pash) and developing the fork into an age-based password manager with its own agent. The developer of seniorpw has a nice feature comparison of `pass`-like password managers based on age (https://gitlab.com/retirement-home/seniorpw/-/blob/f1584cf42...).
I can say I am happy with the switch. If you use GPG for encrypting files, I can recommend it.
https://x.com/FiloSottile/status/1544803635237998592 (2022-07-06):
> A Kʏʙᴇʀ768+X25519 recipient would clock in at about 1660 characters.
> Classic X25519 age recipient for scale.
> https://paste.dbohdan.com/1mhc0nc-w7ks3/recipient.png [Alt text: A terminal window. The classic recipient on the first line takes about 2/3 of a line. The PQC one takes 16 lines.]
I'd like to use something stable and supported for long term backups, so size doesn't matter. Pre-quantum is not something worth migrating to.
So break the public key crypto (e.g. X25519), and you don't need to crack the symmetric key.
Also 128 bit? That's not quantum safe either, thanks to Grover's algorithm.
It has post quantum plugins, but those are third party plugins!
"RECIPIENT can be an age public key generated by age-keygen ("age1...") or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...")."