❌ Software Removal | GPG (GNU Privacy Guard)

[samuel-lucas6]

Description

GPG is extremely difficult to use and offers access to various dated cryptographic algorithms that shouldn't be touched anymore. Furthermore, as mentioned by @lynn-stephenson here, the tool doesn't fit the PrivacyTools target demographic thanks to the ridiculous number of commands that make performing basic tasks unnecessarily complicated.

Although GPG may be the standard and comes included with Linux distros, PrivacyTools should instead recommend file encryption/signing software that's newer, considerably easier to use, and secure by default with little to no cryptographic agility.

Why I am making the suggestion

• GPG is far too complicated, especially for the average user.
• GPG offers access to insecure cryptographic algorithms.
• There are easier and more secure alternatives available for file encryption (e.g. Cryptomator, Kryptor, age/rage, encpipe, and Hat.sh) and signing (e.g. Minisign, Kryptor, and Signify).

My connection with the software

I'm the developer of Kryptor, which is a simple alternative to GPG listed on the PrivacyTools website. I have also used GPG in the past on Linux but no longer use it.

• [x] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.

[samuel-lucas6]

Based on the thumbs down already, this is going to be a controversial issue, but the facts are frankly on my side. Also please let me know if my post reads too much like self-advertising. I'm happy to tone it down. The only reason I'm mentioning Kryptor so much is because there really aren't many tools that offer file encryption and signing unfortunately.

I think the only justifiable reason for keeping GPG listed is that it's used for checking digital signatures when downloading certain software. Otherwise, from what I've read, there's pretty strong agreement from people in the industry that GPG is far from a great tool and that newer tools should take its place. The main tool being pushed right now is age, which could be recommended in place of GPG, although it's far from perfect and doesn't offer signing support.

[ph00lt0]

@samuel-lucas6 I was actually happy that you mentioned your relation. But given that GPG is essential for so many things to setup a more private/secure life. Think of backups, signing and verifying I believe it is essential.

[lrq3000]

I upvoted because I think a discussion is worthy. I am an experienced computer scientist, and yet GPG is one of the softwares I dread the most lol, I realize I avoid it whenever I can, so I only use it when necessary. All the points raised by OP are valid, there are too many unsecure options (either because the encryption is too weak or the risk is high that the user forgets how/lose the keys to decrypt). And the target demographic cannot use it, plain and simple.

However, I don't think it should be removed, but placed in Worth Mentioning. However, I have no idea what software should replace it, it would need to be a software as polyvalent or close to the range of use cases that GPG covers.

[samuel-lucas6]

@samuel-lucas6 I was actually happy that you mentioned your relation. But given that GPG is essential for so many things to setup a more private/secure life. Think of backups, signing and verifying I believe it is essential.

@ph00lt0 It was important to since I'm obviously biased. My point is that despite the popularity of GPG, it's not the best tool for the job. There are other tools that can be used, but there's no single tool that does everything that GPG does.

The argument in favour of having separate tools is that trying to do too much results in a bloated tool like GPG, which causes problems for the user and the developers. On the other hand, it can be annoying to have to deal with multiple tools, especially when the functionality is somewhat related. What's probably needed is something in-between the two extremes.

I upvoted because I think a discussion is worthy. I am an experienced computer scientist, and yet GPG is one of the softwares I dread the most lol, I realize I avoid it whenever I can, so I only use it when necessary. All the points raised by OP are valid, there are too many unsecure options (either because the encryption is too weak or the risk is high that the user forgets how/lose the keys to decrypt). And the target demographic cannot use it, plain and simple.

However, I don't think it should be removed, but placed in Worth Mentioning. However, I have no idea what software should replace it, it would need to be a software as polyvalent or close to GPG use cases.

@lrq3000 I'm glad you agree with my main points. Perhaps putting it in the Worth Mentioning section would be the best of both worlds.

When it comes to a proper replacement, nothing comes close to GPG in terms of the amount of functionality. One of the biggest problems with age is that Filippo has classed signing as out of scope because he views it as a 'trust and key distribution problem' according to the documentation. I think he's missed the mark, but I doubt he'll change his mind.

There are also various other issues like the lack of private key encryption, no authenticated public key encryption, the limited documentation, and having a separate program for generating keys. However, it's become the most popular 'alternative' to GPG, the fact that you can encrypt a file for lots of recipients is a great feature, and plugins are being worked on that will add more features like FIDO2 support. It's preferable to GPG in many ways but likely won't ever fully replace it.

[lrq3000]

And if we consider 2 softwares to replace GPG, are there any candidates that when combined could cover most of the use cases (I understand that they can't cover all features, but at least 80% of the use cases, the most common use cases, should be covered IMHO).

[lrq3000]

Also which alternatives offer a GUI? Although it's not mandatory, GPG offers multiple GUI, so any alternative must offer a GUI IMHO, so we can filter upstream using this criterion.

[samuel-lucas6]

And if we consider 2 softwares to replace GPG, are there any candidates that when combined could cover most of the use cases (I understand that they can't cover all features, but at least 80% of the use cases, the most common use cases, should be covered IMHO).

Most people would say age and Minisign. I'm a lot happier recommending Minisign than age because my only real criticism is that the file formats are a bit odd and that scrypt is being used as a stream cipher. The other problem is that until everybody starts using the tool, it has limited usefulness since everybody else is still using GPG.

Also which alternatives offer a GUI? Although it's not mandatory, GPG offers multiple GUI, so any alternative must offer a GUI IMHO, so we can filter upstream using this criterion.

Cryptomator, Hat.sh, and Picocrypt are the ones that come to mind, but they only offer encryption. It's a lot more difficult to develop a cross-platform program with a GUI, and it's also tricky to design a suitable layout when it comes to features like signing and multiple methods of encryption (e.g. a password or keys).

[Dastardly-Entrench]

But there's kleopatra and YouTube tutorials for learning gpg. It takes one hour at the most to learn the basics.

[lrq3000]

Yes indeed that's an alternative I intended to suggest, to link to easy to use GUIs for GPG on PTIO instead of the list of command-line binaries.

[samuel-lucas6]

But there's kleopatra and YouTube tutorials for learning gpg. It takes one hour at the most to learn the basics.

That sums up the problem nicely. You shouldn't need to spend that long to learn the basics, and most people aren't willing to spend an hour to learn how to use a file encryption program. There are other tools that you can learn how to use in minutes.

Yes indeed that's an alternative I intended to suggest, to link to easy to use GUIs for GPG on PTIO instead of the list of command-line binaries.

That's definitely a good idea if it doesn't get delisted.

[Type-IIx]

But there's kleopatra and YouTube tutorials for learning gpg. It takes one hour at the most to learn the basics.

That sums up the problem nicely. You shouldn't need to spend that long to learn the basics, and most people aren't willing to spend an hour to learn how to use a file encryption program. There are other tools that you can learn how to use in minutes.

Yes indeed that's an alternative I intended to suggest, to link to easy to use GUIs for GPG on PTIO instead of the list of command-line binaries.

That's definitely a good idea if it doesn't get delisted.

It's not getting delisted. GnuPG is still fundamental. The notion that your project (which is a solid concept and I encourage your continuing development), which has an initial commit 11 months ago (!) supersedes and deprecates gpg is untenable. Perhaps after some real tests, an audit or two, widespread adoption, will it be considered a replacement for gpg.