age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
I really like the general ideas behind age, like being composable in shell commands and having a more narrow focus than something like GPG.
My biggest frustration with GPG is that it needs to have keys imported to do anything useful. I greatly prefer just storing the keys in the file system!
Related to that last point, Gentoo uses GPG to verify distfiles sometimes and it ends up creating a lot of "dummy" keyrings and throwing them away to circumvent this limitation of GPG! (I haven't dug too deeply into the code so it's possible that I am wrong here, but this is my current understanding)
My two primary issues with age that have prevented me from using it are that it doesn't use authenticated encryption (see links below) and that there is no way to encrypt/decrypt and make signatures with a single key pair (at least afaik). If I am encrypting files I want to be able to trust the contents of it fully, otherwise it's really not that useful for me personally!
https://github.com/FiloSottile/age/issues/59
https://neilmadden.blog/2019/12/30/a-few-comments-on-age/
> A good feature of the PIV applet of the YubiKey 5 is that it stores 24 keys.
Note that not all 24 of those keys are suitable for age usage. The 4 main keys have specific usage definitions in the PIV specification that mean hardware tokens alter how those key slots behave. Only one of them (the KeyManagement slot) has a definition that allows encryption, and even that I was somewhat suspicious of overlapping with, as I couldn't predict how those existing keys were being used, and didn't want to support every possible key type that might be in that slot (which users likely wouldn't be able to alter).
age-plugin-yubikey avoids this complexity by only interacting with the 20 "retired" slots, which have no constraining definitions. (I am considering adding restricted support for the KeyManagement slot specifically for CAC card users who aren't allowed to add new keys to their cards [0], but this would be behind a default-off feature flag to keep the primary UX simple.)
[0] https://github.com/str4d/age-plugin-yubikey/issues/62