Did your last Yubikey just break? Perhaps you forgot an offline backup password. Maybe you're just tired of living like a spy and never using smartphones. Whatever it is, you're here, and you're finally ready to give up on PGP. That's great!
No one was sending you encrypted emails anyway, so that's easy enough. But the most widespread uses of PGP are machine-oriented, for needs like package signing and local file encryption. I recently got into this again on a thread that mentioned deprecating Go's OpenPGP package, and people always ask the same question: if not PGP, then what?
The thing is, there can't be a direct modern alternative to PGP. It's a do-everything design that predates modern cryptographic engineering and hasn't worked out well. The "modern alternative" is to use a much more specific and much less configurable solution to your problem.
Here are the most common uses of PGP and their modern, focused alternatives.
Original need: Linux distributions and many other software update mechanisms use PGP signatures to prevent malicious mirrors or network attackers from altering the contents of their packages.
Modern alternative: a lightweight signing tool like OpenBSD's signify or minisign, either of which you could quickly build in Go using x/crypto/ed25519. I wrote one as a party trick last month – it's less than 200 lines of code and that includes some silly key parsing tricks.
These tools are extremely simple and robust because they only support one algorithm, lack state or any notion of a keyring, and are usually decoupled from complex messaging formats (which should be a separate concern from your signature cryptography). As a bonus they're mostly compatible with each other because the keys are all EdDSA keys. Need I even mention that EdDSA is much, much faster than RSA?
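To make the "one algorithm, no keyring" point concrete, here is an added example (not the author's tool and not code from signify or minisign) of a detached-signature scheme in Go using the standard library's crypto/ed25519. The blob layout is modelled on signify's; the hash-derived key ID, the function names, and the seed and message are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Blob layout (modelled on signify): "Ed" || 8-byte key ID || payload, base64-encoded.
func pack(pub ed25519.PublicKey, payload []byte) string {
	id := sha256.Sum256(pub) // assumed key ID scheme: truncated hash of the public key
	return base64.StdEncoding.EncodeToString(append(append([]byte("Ed"), id[:8]...), payload...))
}

func unpack(line string, size int) (id, payload []byte, ok bool) {
	b, err := base64.StdEncoding.DecodeString(line)
	if err != nil || len(b) != 10+size || string(b[:2]) != "Ed" {
		return nil, nil, false // exactly one algorithm and one length are accepted
	}
	return b[2:10], b[10:], true
}

// EncodePublicKey gives the line a project publishes; Sign gives a detached signature line.
func EncodePublicKey(pub ed25519.PublicKey) string { return pack(pub, pub) }
func Sign(priv ed25519.PrivateKey, msg []byte) string { return pack(priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, msg)) }

// Verify checks sigLine against a single pinned public key; there is no keyring lookup.
func Verify(pubLine, sigLine string, msg []byte) error {
	pid, pub, ok1 := unpack(pubLine, ed25519.PublicKeySize)
	sid, sig, ok2 := unpack(sigLine, ed25519.SignatureSize)
	if !ok1 || !ok2 {
		return errors.New("malformed key or signature")
	}
	if !bytes.Equal(pid, sid) {
		return errors.New("signature was made with a different key")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed seed
	msg := []byte("constructed package bytes")
	fmt.Println(Verify(EncodePublicKey(priv.Public().(ed25519.PublicKey)), Sign(priv, msg), msg))
}
```

The verifier takes the publisher's key as an explicit argument, so which key is trusted is decided by whoever pins that line, not by local state.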
If you're a maintainer of self-serve packaging infrastructure or otherwise have more complex needs, you should take a look at TUF. It's a modern toolkit meant to resist all kinds of update-related attacks that PGP signatures simply don't address. For an idea of how it works in practice, check out the designs for Python's package infrastructure (PEP 458, PEP 480). The Notary project is a productionized and audited implementation.
Encrypting data blobs
Original need: You want to store individual pieces of data without making their contents accessible to anyone else on your system. For some reason this isn't built into operating systems yet, so programs like pass use PGP.
Modern alternative: nacl/box and nacl/secretbox. These are general-purpose replacements for encrypting any kind of data. They support public-key and secret-key encryption, respectively, and both use secure modern modes and ciphers.
Keybase made a very solid attempt to specify nacl in a storable message format with saltpack, which has a good Go implementation using the above x/crypto package. It works as a nearly drop-in replacement anywhere you were using ASCII-armored PGP data.
Sending files securely
Original need: You have files that you want to send to another person, but you don't want the data to be visible in transit or stored in the cloud. For this, folks often attach an encrypted ZIP file to an email.
Modern alternative: magic-wormhole. If you need to send files to another person securely, use this. It's based on a modern cryptographic technique called PAKE, which basically means it keeps your data safe in transit while giving an attacker no chance to crack the password. It generates those passwords for you, and they're short, one-time-use combinations of three English words – all your recipient needs to do is enter the words. There's nothing to remember long-term and no account information to lose in a data breach. Wormhole also works through firewalls and optionally supports Tor.
We live in the future. There are better options than emailing encrypted files around.
Something else?
What's your lingering use case for PGP? Hit me up on Twitter or send me an email and let's talk about getting you off PGP for good.
Virtru End-to-End Encryption – Better than Pretty Good
Virtru overcomes inherent weaknesses in PGP and S/MIME and represents the next generation of end-to-end encryption. “Virtru offers encryption as secure as PGP but makes it easy enough that our end users, customers and partners can use it regularly.”
With the advancement of cryptography, parts of PGP and OpenPGP have been criticized for being dated: the long length of PGP public keys, caused by the use of RSA and additional data other than the actual cryptographic key; lack of forward secrecy; and use of outdated algorithms by default in several implementations.
Yes, PGP encryption is still used and is considered an industry standard for protecting sensitive information. Both commercial and free, open-source implementations of PGP are available. Commercial solutions offer technical support that may be lacking in freeware tools.
But the biggest problem with PGP is how difficult it is for people to use simply. "It's a real pain," says Green. "There's key management – you have to use it in your existing email client, and then you have to download keys, and then there's this whole third issue of making sure they're the right keys."
When you are considering which encryption to use for your sensitive information, choose whichever will suit your needs best: AES is fast and works best in closed systems and large databases. PGP should be used when sharing information across an open network, but it can be slower and works better for individual files.
PGP most often uses either RSA to encrypt its public key, or a method called Diffie-Hellman. Either way, it provides the extra layer of protection that comes from asymmetrical encryption.
PGP does a mediocre job of signing things, a relatively poor job of encrypting them with passwords, and a pretty bad job of encrypting them with public keys. PGP is not an especially good way to securely transfer a file.
PGP and GPG provide secure encryption and authentication, with PGP being proprietary and GPG open-source and free. Following Phil Zimmermann's PGP, GPG emerged as an OpenPGP-compliant free version. Your preference between PGP and GPG depends on your willingness to pay for licensing and support services.
Lack of anonymity: PGP will encrypt messages that users send, but it does not anonymize them. As a result, senders and recipients of emails sent through a PGP solution can be traced. The subject line of the message is also not encrypted, so avoid including sensitive data or information.
While SMTP TLS offers transparent encryption, it only does so part of the way. PGP and S/MIME also leave gaps in their security, so those with a high-risk level are often better off combining these technologies. PGP can be difficult to use but is also the most flexible.
In order to manually do Gmail PGP encryption for your emails, you'll need to download a PGP or GPG software program to your local device. If you have Windows as your operating system, a good option is GPG4Win.
An ASC file is a variant of the ASCII format, which is an encryption file used by Pretty Good Privacy (PGP) for secure online communication. It includes messages and digital signatures, as well as plain text and binary information.
You can get a PGP key using a PGP program like GPG4WIN or through vendors that provide tools through the open-source solution OpenPGP, which is supported by the Internet Engineering Task Force (IETF).