top | item 29598722


creamytaco | 4 years ago

No thanks, I'll stick with GnuPG.


jrootabega | 4 years ago

I'm guessing you probably have something to say about the criticisms of GnuPG, which would be good to talk about IMO. I find them less than convincing.

aranw | 4 years ago

Why stick with GnuPG?

I'm also interested in trying to understand why use age instead of GnuPG?

zahllos | 4 years ago

The main argument in favour of age is that it only does one thing: encrypting files, and does it 'well' in the sense that there is no need to edit your gnupg config file to exclude all the crypto from the 90s that your version of gnupg might decide to default to.

This makes things significantly simpler in terms of the code for age, which reduces the possible bugs and possible misuse.

GnuPG is more versatile and tries to solve a number of (arguably, orthogonal) problems, including signing and authentication (by users and also of keys in the web of trust). This leads to more complexity, and some parts, e.g. the web of trust, can't really be described as being a success. Others, such as sign and encrypt, likely don't achieve semantic security (also the case in SMIME / CMS, and I'm not sure if this has ever been fixed) and definitely don't achieve the forward/future secrecy guarantees of say Signal. Age isn't trying to be a messenger, so it doesn't need to worry about this.

It comes down to this: if you use AES-Something with GnuPG or you use ChaCha20-Poly1305 with Age, it is unlikely ever to be meaningfully broken in our lifetimes (including if you are currently 1 day old and including by quantum computers) and everything will be fine. But age will only use ChaCha20-Poly1305, and the format is pretty simple, while GnuPG can be convinced to decrypt CAST5 encrypted messages and has a much more complex format that introduces a greater risk of binary parser vulnerabilities.

Age is written in Go (there's also Rage, written in Rust), whereas GnuPG is a big old ball of C, so if there are parser bugs, GnuPG is bad news and Go/Rust are likely hopefully sound.

srer | 4 years ago

I use pass, and have no desire to move away from gpg.

I think gpg still provides "pretty good" privacy, I don't see any benefit that age would afford me with pass.

(There are sore points in the OpenPGP user experience; integration with mail clients, among others, along with the WoT, has in practice not been great. But these are not things you would encounter with pass.)