科技回声

11 条评论

upofadown超过 2 年前

Age is great and all but it has a huge footgun. It encourages the user to encrypt material with a public key in a way that is entirely unauthenticated. So an attacker with access to that public key can simply overwrite the file with whatever they want. If ensuring that you end up with the same stuff as you encrypted is important than that can be a big problem. Fixing this involves the use of a separate signing utility and thus introduces an entirely different set of keys for the user to manually manage.By doing the key management for the user, GPG actually ends up being a lot more usable...

评论 #32983995 未加载

评论 #32983455 未加载

评论 #32982993 未加载

评论 #32988042 未加载

评论 #32982175 未加载

评论 #32985753 未加载

评论 #32982691 未加载

评论 #32984522 未加载

vaylian超过 2 年前

The thing that age is missing: A description of how to use it properly. I've looked into age several times and it is supposed to be a GnuPG killer for file encryption. But there is afaik no document or talk that describes how to use age in practice. Afaik there is absolutely no information about how to manage your public keys and what the best practices are for rotating and distributing them. Part of me really wants to use age, but when it comes to crypto, you need to know how use it properly.

评论 #32999433 未加载

bertman超过 2 年前

I'm eagerly awaiting the Kotlin implementation of age[0] because once that's finished, Android Password Store[1] will be able to offer age encryption next to/ instead of gpg.0: <a href="https://github.com/android-password-store/kage" rel="nofollow">https://github.com/android-password-store/kage</a>1: <a href="https://github.com/android-password-store/Android-Password-Store/issues/2061" rel="nofollow">https://github.com/android-password-store/Android-Password-S...</a>

评论 #32982258 未加载

评论 #32982219 未加载

ianpurton超过 2 年前

There's also a rust version. <a href="https://github.com/str4d/rage" rel="nofollow">https://github.com/str4d/rage</a>

twp超过 2 年前

The availability of age as a Go library means that it's easy to embed age into other tools. For example chezmoi supports age encryption for your sensitive dotfiles, and you don't even have to install age on your machine to use it.<a href="https://www.chezmoi.io/user-guide/encryption/age/" rel="nofollow">https://www.chezmoi.io/user-guide/encryption/age/</a><a href="https://www.chezmoi.io/user-guide/encryption/" rel="nofollow">https://www.chezmoi.io/user-guide/encryption/</a>

eterps超过 2 年前

The (CLI) user experience looks very clear and straightforward.Especially having these small explicit public keys.

aborsy超过 2 年前

Is there a backup tool yet for age?Also, I would like to point out a major foot-gun with Age. I was using age in the symmetric mode, glad that I am getting a cleanly written ChaCha20-Poly1305 symmetric cipher. This is supposed to be 256-bits symmetric encryption, and quantum-resistance.But if I recall, it seems that the age key file itself is 128 bits! Thus in the symmetric mode, Age provides only 128 bits of security. This is substandard, and in particular secure only until 2035 or so.Worse, Age creates by default a 10-word password from BIP-39 list. That’s actually 110 bits, in default configuration. Again, a good deal weakening the security.I reverted back to GPG AES-256. AES-GCM appears in 2.3.Correct me if I’m wrong.————-Update: Here are the links for the security level of 128 bits in Age:<a href="https://github.com/FiloSottile/age/discussions/423" rel="nofollow">https://github.com/FiloSottile/age/discussions/423</a><a href="https://github.com/C2SP/C2SP/blob/main/age.md" rel="nofollow">https://github.com/C2SP/C2SP/blob/main/age.md</a>

评论 #32987622 未加载

评论 #32987328 未加载

codegeek超过 2 年前

The author "filosottile" has built some amazing tools. My favorite is the "mkcert" tool. What a breeze to setup https/ssl on localhost within minutes. I guess I should go through his repo. in detail.

napkid超过 2 年前

I use this with Mozilla SOPS to crypt sensible yaml configuration values stored in a Git repo. Works great, fast, and keys and payloads are short.

nodesocket超过 2 年前

How do this compare to @cperciva scrypt[1]? I've used scrypt before and love how simple it is.<pre><code> scrypt enc test.txt > test.scrypt Please enter passphrase: Please confirm passphrase: </code></pre> [1] <a href="https://www.tarsnap.com/scrypt.html" rel="nofollow">https://www.tarsnap.com/scrypt.html</a>

评论 #32985499 未加载

chasil超过 2 年前

OpenSSL has implemented all of this functionality for many, many years.<a href="https://www.linuxjournal.com/content/flat-file-encryption-openssl-and-gpg" rel="nofollow">https://www.linuxjournal.com/content/flat-file-encryption-op...</a>

评论 #32984843 未加载

11 条评论

upofadown超过 2 年前

评论 #32983995 未加载

评论 #32983455 未加载

评论 #32982993 未加载

评论 #32988042 未加载

评论 #32982175 未加载

评论 #32985753 未加载

评论 #32982691 未加载

评论 #32984522 未加载

vaylian超过 2 年前

评论 #32999433 未加载

bertman超过 2 年前

评论 #32982258 未加载

评论 #32982219 未加载

ianpurton超过 2 年前

There's also a rust version. <a href="https://github.com/str4d/rage" rel="nofollow">https://github.com/str4d/rage</a>

twp超过 2 年前

eterps超过 2 年前

The (CLI) user experience looks very clear and straightforward.Especially having these small explicit public keys.

aborsy超过 2 年前

评论 #32987622 未加载

评论 #32987328 未加载

codegeek超过 2 年前

The author "filosottile" has built some amazing tools. My favorite is the "mkcert" tool. What a breeze to setup https/ssl on localhost within minutes. I guess I should go through his repo. in detail.

napkid超过 2 年前

I use this with Mozilla SOPS to crypt sensible yaml configuration values stored in a Git repo. Works great, fast, and keys and payloads are short.

nodesocket超过 2 年前

评论 #32985499 未加载

chasil超过 2 年前

评论 #32984843 未加载

Age – a simple, modern and secure file encryption tool, format, and Go library

11 条评论

Age – a simple, modern and secure file encryption tool, format, and Go library

11 条评论