The issues with OpenPGP (cryptographic message packets) and GnuPG (command line tool) can be read about in other threads and elsewhere. While OpenPGP and GnuPG are still used widely, for instance in email and to sign git commits, I see some merit in adopting cryptographic tools that are simpler and more secure and eventually deprecating OpenPGP/GnuPG for file encryption and signing.
I see Kryptor is recommended for file encryption and signing, but not other tools like age and minisign.
I see some merit in recommending a tool that does both encryption and signing, and limiting the number of listed recommendations. By using Kryptor, users don’t need to manage separate keys that are used by separate tools. Age does encryption only and minisign does signing only, thus in a way it makes sense to recommend Kryptor over age and minisign. Kryptor’s homepage makes claims about other merits over age and minisign, some of which I agree with.
That said, I wish to understand what other considerations were made when Kryptor was added as a recommendation, and if justified, have the recommendation reconsidered.
I briefly looked at Kryptor, age and minisign, and found this.
Kryptor appears to have been developed mainly by just 1 dev. 2 contributors are listed on GitHub but I didn’t easily find any commits by the other contributor (but I did find 2 pull requests by others). This suggests Kryptor is essentially developed by 1 dev, samuel-lucas6, a cybersecurity Master's student. In comparison, age has 54 listed contributors, and the main dev FiloSottile is a cryptographer who maintains Go’s cryptography. Minisign has 24 listed contributors, and the main dev jedisct1 developed and maintains libsodium.
As of now, Kryptor’s latest public commit on GitHub was made January 12, 2025, 7 months ago. The latest closed issue was closed July 16, 2024, over 1 year ago. In comparison, age has recent commits, and their latest closed issue was 3 months ago and their merged pull request was 2 months ago. Minisign has recent commits, and their latest closed issue and merged pull request were 1 month ago.
I didn’t find security audits for Kryptor, age or minisign. I haven’t considered the design and features of each tool in depth, inspected the code myself for quality, nor considered the character of each project’s community.