Age and Authenticated Encryption

Another signcryption scheme as described in the article is also implemented by the libsodium author as an extension:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;jedisct1&#x2F;libsodium-signcryption" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jedisct1&#x2F;libsodium-signcryption</a><p>It&#x27;s unclear from the article if this is the same implementation age uses.<p>Signcryption schemes are also a good candidate algorithm for replacing JWTs and PASETO as they suffer from no algorithm confusion, and don&#x27;t need what PASETO calls &quot;Algorithm Lucidity&quot; and serve both plaintext authentication, authenticated encryption, sender receiver verification, and shared key generation that can be used for unlimited encrypted streaming, for example with libsodium&#x27;s crypto_secretstream API.<p><a href="https:&#x2F;&#x2F;doc.libsodium.org&#x2F;secret-key_cryptography&#x2F;secretstream" rel="nofollow">https:&#x2F;&#x2F;doc.libsodium.org&#x2F;secret-key_cryptography&#x2F;secretstre...</a><p><a href="https:&#x2F;&#x2F;github.com&#x2F;paseto-standard&#x2F;paseto-spec&#x2F;blob&#x2F;master&#x2F;docs&#x2F;02-Implementation-Guide&#x2F;03-Algorithm-Lucidity.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;paseto-standard&#x2F;paseto-spec&#x2F;blob&#x2F;master&#x2F;d...</a>

The hypothetical I want to pose people is, let&#x27;s say your server is corrupted or I.pacted by ransomware. So you pull your gpg backups and hit restore. The data somehow looks correct and in line with expectations, but the signature fails to verify.<p>You can say &#x27;well I know there was tampering, or possible one bit of bitrot&#x27; but then what? Let&#x27;s say my backup was a poatgresql backup that restored correctly and had no obvious issues.<p>People often state backups mist be signed but just not sure how you would even respond. You cannot just not use the backup if all your backups are the same and you just had an incident. You could say &quot;now we don&#x27;t trust the data&quot; but again what is meaningful action here?<p>Is it really a plausible threat that an attacker wiped put production, gained access to your backup infrastructure, but instead of just wiping it in order to force you to pay a ransom they took a new backup and quietly modified it? Surely such a person would just modify production if they wanted such a game.

This is very interesting, thanks for sharing!<p>I have considered switching from GPG to age quite a lot, but I mostly use GPG for file encryption so this issue was a deal breaker for me. I did consider signing the encrypted backups with minisign, but then I needed two unrelated key pairs to safely access my backups instead of just one.

I remain unconvinced by their arguments on this, and so will keep using good old reliable `gpg -se`.

Can someone explain if sign-encrypt-sign doesn&#x27;t achieve the same objective of message authentication? It seems like it would to me.

I use Gpg heavily, no reason to change (well, unless perhaps Age provides ChaCha-20 Poly1305 with 256 bits file keys not 128, and someone creates a good backup software with it).

In response to your post, I&#x27;m very happy with gpg.

My main use case for gpg is actually signing things. Outbound unencrypted mail and gut commits e.g. .