💾 Archived View for xoc3.io › blog › 2022-12-11 captured on 2024-07-08 at 23:56:16. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
it all started when i wanted to find a cli based pgp utility that was simpler than gnupg. i've been using gnupg off and on for years and if you have tried it, you'd know too how terrible the user experience is. my search led me to trying out sequoia:
the commandline interface for sequoia is very nice, but it's not a complete pgp implementation yet. i quickly came into a current limitation with the project when i tried to manage my gnupg subkeys. my curiosity led me to reading the pgp specification and trying to understand the packet structure of private/public keys.
after a day and a half of nonsense, i started wondering if there are any good pgp replacements. specifically wondering about a more minimalistic approach to the various encryption services pgp provides. that led me to this article, which i strongly recommend reading:
a few highlights of what the article tries to convey:
i'll go through my migration journey and thoughts for the rest of this post.
one way to easily & securely transfer files is with magic-wormhole:
but magic-wormhole is a python application with lots of dependencies. if i want to install it on my system, i need 44 packages at 82 mb in total. luckily there is a go implementation that is a fraction of that size called wormhole-william:
but i actually ended up not using magic-wormhole or wormhole-william as my goto file transfer utility. i opted for a third one called croc:
based on my understanding, magic-wormhole has ~600 thousand default password possibilities, while croc has ~42 trillion default password possibilities. croc also has some extra features that magic-wormhole doesn't.
however, one issue i have with both croc and magic-wormhole is that verification from the sending end is not a default setting. which makes it slightly easier for an attacker to intercept files with either utility. so be sure to add the verification option to whichever utility you end up using:
magic-wormhole send -v wormhole-william send -v croc --ask send
i now use age for file encryption:
i really have nothing bad to say about age. it's a very minimal and well planned utility. public keys are way smaller than gnupg public keys. multiple public and private keys can be used with the encrypt/decrypt commands. it also supports password encryption, so you can easily encrypt your private key with a password if you want.
under my gnupg setup, i was using "pass" to store my passwords:
but now that i use age, i found a shell script someone wrote that is like a stripped down version of pass but for age instead of gnupg:
i actually forked that script and added multiple public key encryption to it as well as a general code cleanup and improved help text. it's not merged yet, so i'm currently using my forked version instead:
pass uses git to backup the passwords to a central location. i decided to just opt for a simple backup solution for my pa setup.
i used these commands to migrate from pass (gnupg) to my fork of pa (age):
cd ~/.password-store for f in $(fd -t f | rg '.*\.gpg