
Cryptography

Background

There are generally 4 use-cases for cryptography:

  • Confidentiality: Keep the data secret or private.
  • Integrity: Maintain trust and prevent tampering.
  • Authenticity: Ensure the data comes from a trusted source.
  • Non-repudiation: Provide proof of origin and delivery, ensuring that no party can deny their actions.

Symmetric Cryptography

With symmetric-key algorithms, a common key is shared between parties.

  • 🟢 Fast computations.
  • 🔴 Requires key exchange beforehand.

Use-Cases

  • Encryption at rest (full disk, data storage).
  • Transferring large datasets.
  • Secure messaging.
  • Stream encryption.

Asymmetric Cryptography

With asymmetric-key algorithms, each party has their own public/private key pair.

  • 🟢 No key exchange required.
  • 🔴 Much slower than symmetric-key crypto.

Use-Cases

  • Key exchange (e.g. TLS).
  • Authentication and access control (e.g. SSH).
  • Message encryption (e.g. GPG).
  • Digital signatures (e.g. GPG).

General

GPG

warning

GPG suffers from poor user experience and, for backward-compatibility reasons, lags somewhat behind state-of-the-art algorithms (source). For most practical purposes, GPG can be replaced by the specialized tools further down the list.

GPG has long been the de facto tool for asymmetric-key cryptography. While it is widely available and feature-rich, there are now simpler modern tools focused on a single task.

The differentiating feature of GPG over other tools is its identity system, which lets users associate public keys with email addresses and share them via keyservers. This makes keys discoverable and integrates with some email clients and other tools. It is complemented by a "web of trust" system that lets users sign other people's keys to certify their validity.

File Encryption

note

For more details and other recommendations, see https://www.privacyguides.org/en/encryption

Age

age is a command-line tool for file encryption that uses a simple format.

It has its own key format, but also supports SSH keys.

Picocrypt

If you require a GUI for password-based (symmetric) file encryption, picocrypt is easy to use and has been audited.

Digital Signatures

Minisign

minisign is a dead simple tool to sign files and verify signatures.

Sigstore

sigstore tools are useful for signing OCI or packaging artifacts (cosign) and git commits (gitsign), mainly in CI.

Sigstore uses "keyless signatures", relying on online identities and a public log to verify signatures instead of long-lived keys. It generates keys on the fly, authenticates them using an OIDC identity, and stores the actions in a public, append-only log.

Commit Signing

SSH

SSH keys can be used directly for signing. Ed25519 keys are recommended over RSA.

Signing a document with ssh-keygen and the SSH key ~/.ssh/sender:

Sign a Document
echo "Hello" | ssh-keygen -Y sign  -n file -f ~/.ssh/sender > content.txt.sig

Verify Signature
echo "Hello" | ssh-keygen -Y check-novalidate -n file -f ./sender.pub -s content.txt.sig

You can also configure git to sign git commits using your ssh key (link).
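Note that check-novalidate only confirms that a signature is well-formed and matches the public key embedded in it; it does not tie the signature to a particular signer. The following added example (not from the original page) contrasts it with ssh-keygen -Y verify against an allowed_signers file. The throwaway keys, temp directory, function names and the identity sender@example.org are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Keys, file names and the identity
# sender@example.org are constructed sample data created in a temp directory.

setup_demo() {
  DEMO=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N "" -C sender -f "$DEMO/sender"
  ssh-keygen -q -t ed25519 -N "" -C other  -f "$DEMO/other"
  printf 'Hello\n' > "$DEMO/content.txt"
  # allowed_signers line format: <principal> <key type> <base64 public key>
  printf 'sender@example.org %s\n' "$(cut -d' ' -f1,2 "$DEMO/sender.pub")" \
    > "$DEMO/allowed_signers"
}

# sign_as <key name>: sign content.txt (read from stdin) in the "file" namespace.
sign_as() {
  ssh-keygen -Y sign -n file -f "$DEMO/$1" \
    < "$DEMO/content.txt" > "$DEMO/content.txt.sig" 2>/dev/null
}

# structure_only <message>: succeeds for a well-formed signature by ANY key.
structure_only() {
  ssh-keygen -Y check-novalidate -n file -s "$DEMO/content.txt.sig" \
    < "$1" >/dev/null 2>&1
}

# verify_as <identity> <message>: succeeds only if the signing key is listed
# for that identity in allowed_signers and the message is unmodified.
verify_as() {
  ssh-keygen -Y verify -f "$DEMO/allowed_signers" -I "$1" -n file \
    -s "$DEMO/content.txt.sig" < "$2" >/dev/null 2>&1
}

run_demo() {
  setup_demo
  sign_as sender
  verify_as sender@example.org "$DEMO/content.txt" && echo "trusted signer: accepted"
  sign_as other   # same message, signed with a key that is not in allowed_signers
  structure_only "$DEMO/content.txt" && echo "check-novalidate: still passes"
  verify_as sender@example.org "$DEMO/content.txt" || echo "verify: rejected"
  rm -rf "$DEMO"
}
run_demo
```

For real use, keep allowed_signers somewhere the sender cannot modify and distribute it out of band, since it is the trust anchor for verification.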

Secret Management

SOPS

sops encrypts secrets within files (yaml, json, env, ...) with age, pgp or others. It has an efficient design, whereby master keys (asymmetric keypairs) are used to encrypt a data key, which is then used to symmetrically encrypt secrets.