Kryptor currently recommended for file encryption and signing

The issues with OpenPGP (cryptographic message packets) and GnuPG (command line tool) can be read about in other threads and elsewhere. While OpenPGP and GnuPG are still used widely, for instance in email and to sign git commits, I see some merit in adopting cryptographic tools that are simpler and more secure and eventually deprecating OpenPGP/GnuPG for file encryption and signing.

I see Kryptor is recommended for file encryption and signing, but not other tools like age and minisign.

I see some merit in recommending a tool that does both encryption and signing, and limiting the number of listed recommendations. By using Kryptor, users don’t need to manage separate keys that are used by separate tools. Age does encryption only and minisign does signing only, thus in a way it makes sense to recommend Kryptor over age and minisign. Kryptor’s homepage makes claims about other merits over age and minisign, some of which I agree with.

That said, I wish to understand what other considerations were made when Kryptor was added as a recommendation, and if justified, have the recommendation reconsidered.

I briefly looked at Kryptor, age and minisign, and found this.

Kryptor appears to have been developed mainly by just 1 dev. 2 contributors are listed on GitHub but I didn’t easily find any commits by the other contributor (but I did find 2 pull requests by others). This suggests Kryptor is essentially developed by 1 dev, samuel-lucas6, a cybersecurity Master’s student. In comparison, age has 54 listed contributors, and the main dev FiloSottile is a cryptographer who maintains Go’s cryptography. Minisign has 24 listed contributors, and the main dev jedisct1 developed and maintains libsodium.

As of now, Kryptor’s latest public commit on GitHub was made January 12, 2025, 7 months ago. The latest closed issue was closed July 16, 2024, over 1 year ago. In comparison, age has recent commits, and their latest closed issue was 3 months ago and their merged pull request was 2 months ago. Minisign has recent commits, and their latest closed issue and merged pull request were 1 month ago.

I didn’t find security audits for Kryptor, age or minisign. I haven’t considered the design and features of each tool in depth, inspected the code myself for quality, nor considered the character of each project’s community.


Kryptor has now not had a commit in over two years it seems. I think it might be time to look at removing it. @team


FYI: 🐛Bug: ARM64 install requires Microsoft Visual C++ Redistributable for Visual Studio 2015-2022 on Windows · Issue #95 · samuel-lucas6/Kryptor · GitHub

It’s really up to whether the community wants to remove it, but I have no issue with keeping Kryptor on the site, personally.

I am surprised we don’t recommend age (or minisign) though, I thought we did. This seems to be @dngray’s thing though, so maybe he can elaborate:


As far as I know, minisign does not do encryption (as the name suggests), so we clearly should not add it unless we are going to create a new file signing category under the advanced section.

IMO age could be added, I am not sure the reason it wasn’t added is particularly good. Not being able to encrypt entire directories is a weakness not shared by Kryptor, so I don’t think age should replace it.


Discussion from when Kryptor was added:


Yes I think adding age as a replacement would be better.

Well, I don’t think it should be a replacement, only an addition. As @dngray would often point out, sometimes software is simply complete.

It seems I thought the same thing 3 years ago lol:

We should continue the age discussion in that thread for future reference, but with no pushback over there so far I think we’d be fine to add age. There’s not really support for age there either, but as noted it is a pretty widely used tool with responsible maintainers, so it doesn’t seem controversial (plus we were going to add it already at one point anyways).


The author of Kryptor was very active on PG discussions when they were still on GitHub. While it is surely a cool tool, PG at the time had not really considered the importance of a third-party audit on software. I do think that, for the purpose of what we are dealing with here, that should be something to consider making a requirement.
