
Modern PGP Alternatives

Nowadays, encryption is more relevant than ever. Communication is moving to instant messengers; people still encrypt e-mail with digital certificates, but this sometimes requires extra effort, including exchanging keys through a web of trust. Under these circumstances, even some long-time supporters of cryptography are forced to abandon PGP. For secure messaging, it is much more convenient to use open source messengers with reliable end-to-end encryption, such as Signal (see the manual from the Electronic Frontier Foundation).

At the same time, PGP is still used in “machine” operations: signing packages, encrypting files on disk, and so on. But here, too, PGP is gradually falling out of use. For example, the Go community proposes to stop supporting the OpenPGP package because of the “ancient protocol that still causes serious vulnerabilities,” because of the unresolved problem of key exchange and, most importantly, because of the outdated implementation of the protocol itself.

Why even long-time users are giving up PGP is explained by the well-known information security specialist Filippo Valsorda, a member of the Cloudflare crypto group and known as the author of the Heartbleed vulnerability testing service:

First, the problem of low popularity of encryption, which others have talked about a lot, has not disappeared. I received a maximum of two encrypted letters per year.

Then there is the problem of inconvenience. Critical errors that are easy to make. Confusing server listings with years-old keys. “I can't read this letter on my phone.” “Or on a laptop, I left the keys that I don't use on another machine.”

But the real problems that I saw are much more subtle. I have never felt that my durable keys are secure. The more time passed, the less confidence I had in each of them. YubiKey keys can be intercepted in a hotel room. Offline keys can stay in a remote drawer or safe. New vulnerabilities may be announced. USB devices can be connected.

The security of long-term keys corresponds to the minimum common divisor of your life-long security actions. This is a weak link.

Worse, existing practices for handling long-term keys, such as collecting key signatures and printing public key fingerprints on business cards, contradict other behaviors that would otherwise be considered obvious hygiene: change keys often, have different keys on different devices, apply compartmentalization (different thinking profiles in different areas, for example, at work and at home; translator's note). Existing practices for handling long-term keys actually expand the attack vector, because they push you to make backup copies of keys.

This is a fairly comprehensive explanation. But the question arises: if not PGP, then what should be used? With e-mail the answer is clear: it can be replaced with instant messengers that have reliable end-to-end encryption. But what should be used for signing packages and software updates and for file encryption? Fortunately, there are modern alternatives here as well.

Package signatures


Linux distributions and many software update systems use PGP signatures to ensure the authenticity of the files.

There are simple alternatives for signing packages, for example signify (sign and verify) from OpenBSD and minisign. These are extremely simple utilities, and that simplicity is what makes them reliable. Both support a single algorithm, Ed25519 (EdDSA): a digital signature scheme using a variant of the Schnorr scheme on an Edwards elliptic curve. It is designed for maximum speed and works much faster than RSA. Since both utilities are based on the same algorithm, their digital signatures are compatible with each other: signify can verify signatures generated by minisign, and vice versa.
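The shared on-disk layout behind that compatibility, as an added example (not code from signify, minisign or the original article): both tools store a comment line followed by base64 of a two-byte algorithm tag, an eight-byte key number, and the 32-byte key or 64-byte signature. The parser below checks that layout and that a signature names the pinned key; it does not verify the Ed25519 signature itself, and all sample values and helper names are constructed for illustration.

```python
import base64

COMMENT = "untrusted comment: "
HEADER_LEN = 10                                # 2-byte algorithm tag + 8-byte key number
BODY_LEN = {"pubkey": 32, "signature": 64}     # Ed25519 sizes in bytes

class FormatError(ValueError):
    """The file does not follow the signify/minisign layout."""

def parse_blob(text, kind):
    """Parse a key or signature file: one comment line, then one base64 line.
    Extra lines (minisign's trusted comment and global signature) are ignored."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith(COMMENT):
        raise FormatError("missing 'untrusted comment:' line")
    try:
        raw = base64.b64decode(lines[1], validate=True)
    except ValueError as exc:                  # binascii.Error is a ValueError
        raise FormatError("payload is not valid base64") from exc
    if len(raw) != HEADER_LEN + BODY_LEN[kind]:
        raise FormatError(f"{kind}: unexpected payload length {len(raw)}")
    alg, key_id, body = raw[:2], raw[2:10], raw[10:]
    if alg not in (b"Ed", b"ED"):              # "ED" is minisign's prehashed mode
        raise FormatError(f"unsupported algorithm tag {alg!r}")
    return {"alg": alg.decode(), "key_id": key_id.hex(), "body": body}

def signature_names_key(pubkey_text, sig_text):
    """Pre-check only: does the signature carry the pinned key's number?
    This does NOT verify the Ed25519 signature itself."""
    pub = parse_blob(pubkey_text, "pubkey")
    sig = parse_blob(sig_text, "signature")
    return pub["key_id"] == sig["key_id"]

def make_sample(kind, key_id, extra=""):
    """Constructed sample file; the zero-filled body is not a real key/signature."""
    payload = b"Ed" + key_id + bytes(BODY_LEN[kind])
    return f"{COMMENT}constructed sample\n{base64.b64encode(payload).decode()}\n{extra}"

KEY_A = bytes.fromhex("0102030405060708")      # constructed key numbers
KEY_B = bytes.fromhex("a1a2a3a4a5a6a7a8")
PUB_A = make_sample("pubkey", KEY_A)
SIG_SIGNIFY = make_sample("signature", KEY_A)
SIG_MINISIGN = make_sample("signature", KEY_A, "trusted comment: constructed\nAAAA\n")
SIG_OTHER = make_sample("signature", KEY_B)

if __name__ == "__main__":
    for name, sig in [("signify-style", SIG_SIGNIFY), ("minisign-style", SIG_MINISIGN),
                      ("other key", SIG_OTHER)]:
        print(name, "->", signature_names_key(PUB_A, sig))
```

A key-number mismatch is a fast way to reject a signature made with the wrong key, but acceptance still has to come from the tool's own Ed25519 verification against a pinned public key.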

These are the most minimalistic alternatives, without the slightest additional functionality. If you manage a serious package distribution infrastructure and need something more full-featured, consider The Update Framework (TUF): a flexible framework that adapts to any software update mechanism.



Developers write that TUF is used in production by companies such as Cloudflare, Docker, DigitalOcean, Flynn, IBM, Microsoft, LEAP, Kolide and VMware, and the TUF variant called Uptane is widely used for updating car software over the network.

Implementing TUF for Python package infrastructure: PEP 458, PEP 480. The Notary project is based on TUF with a ready-to-use and proven client-server implementation.



File Encryption


The modern alternatives nacl/box and nacl/secretbox are universal programs for encrypting any data. They support symmetric and asymmetric encryption with modern ciphers and protocols.

Keybase service is suitable for encrypting messages in chat rooms, emails, files, or any other data. Keybase's main site is a public key directory that maps social network profiles to encryption keys. Keybase also offers encrypted chat (Keybase Chat), cloud file storage (Keybase or KBFS file system) and Git repositories.


KBFS file system mounted Keybase

In general, it is a fully functional alternative to PGP for data encryption.

Transferring encrypted files


In the last century, it was customary to encrypt a file, protect it with a password, and send it as an e-mail attachment. This option is still possible today, but there are more modern alternatives. For example, Firefox Send recently came out of beta as a service for exchanging encrypted files. Files are encrypted on the sender's computer and decrypted on the recipient's computer (by JS in the browser). The service generates a link to the file with a limit on its lifetime or on the number of downloads.



If you do not trust JS, you can transfer encrypted files with, for example, the magic-wormhole program. The program is installed on both the sender's and the recipient's computers. It uses the modern cryptographic technique PAKE (password-authenticated key agreement), generates passwords made of several words, traverses firewalls and supports Tor.



We live in the 21st century. There are much better options than sending encrypted files by mail.




Source: https://habr.com/ru/post/446404/

