Should Kryptor still be recommended on the site?

The issues with OpenPGP (cryptographic message packets) and GnuPG (command line tool) can be read about in other threads and elsewhere. While OpenPGP and GnuPG are still used widely, for instance in email and to sign git commits, I see some merit in adopting cryptographic tools that are simpler and more secure and eventually deprecating OpenPGP/GnuPG for file encryption and signing.

I see Kryptor is recommended for file encryption and signing, but not other tools like age and minisign.

I see some merit in recommending a tool that does both encryption and signing, and limiting the number of listed recommendations. By using Kryptor, users don’t need to manage separate keys that are used by separate tools. Age does encryption only and minisign does signing only, thus in a way it makes sense to recommend Kryptor over age and minisign. Kryptor’s homepage makes claims about other merits over age and minisign, some of which I agree with.

That said, I wish to understand what other considerations were made when Kryptor was added as a recommendation, and if justified, have the recommendation reconsidered.

I briefly looked at Kryptor, age and minisign, and found this.

Kryptor appears to have been developed mainly by just 1 dev. 2 contributors are listed on GitHub but I didn’t easily find any commits by the other contributor (but I did find 2 pull requests by others). This suggests Kryptor is essentially developed by 1 dev, samuel-lucas6, a cybersecurity Master student. In comparison, age has 54 listed contributors, and the main dev FiloSottile is a cryptographer who maintains Go’s cryptography. Minisign has 24 listed contributors, and the main dev jedisct1 developed and maintains libsodium.

As of now, Kryptor’s latest public commit on GitHub was made January 12, 2025, 7 months ago. The latest closed issue was closed July 16, 2024, over 1 year ago. In comparison, age has recent commits, and their latest closed issue was 3 months ago and their merged pull request was 2 months ago. Minisign has recent commits, and their latest closed issue and merged pull request were 1 month ago.

I didn’t find security audits for Kryptor, age or minisign. I haven’t considered the design and features of each tool in depth, inspected the code myself for quality, nor considered the character of each project’s community.

Kryptor has now not had a commit in over two years it seems. I think it might be time to look at removing it. @team

FYI: 🐛Bug: ARM64 install requires Microsoft Visual C++ Redistributable for Visual Studio 2015-2022 on Windows · Issue #95 · samuel-lucas6/Kryptor · GitHub

It’s really up to whether the community wants to remove it, but I have no issue with keeping Kryptor on the site, personally.

I am surprised we don’t recommend age (or minisign) though, I thought we did. This seems to be @dngray’s thing though, so maybe he can elaborate:


As far as I know, minisign does not do encryption (as the name suggests), so we clearly should not add it unless we are going to create a new file signing category under the advanced section.

IMO age could be added, I am not sure the reason it wasn’t added is particularly good. Not being able to encrypt entire directories is a weakness not shared by Kryptor, so I don’t think age should replace it.


Discussion from when Kryptor was added:

Yes I think adding age as a replacement would be better.

Well, I don’t think it should be a replacement, only an addition. As @dngray would often point out sometimes software is simply complete.

It seems I thought the same thing 3 years ago lol:

We should continue the age discussion in that thread for future reference, but with no pushback over there so far I think we’d be fine to add age. There’s not really support for age there either, but as noted it is a pretty widely used tool with responsible maintainers, so it doesn’t seem controversial (plus we were going to add it already at one point anyways).

The author of Kryptor was very active on PG discussions when they were still on GitHub. While it is surely a cool tool, PG at the time had not really considered the importance of a third party audit on software. I do think for the purpose of what we are dealing with here that should be something to consider making a requirement.

I seem to remember age didn’t do the sender authenticity, which is what Kryptor was specifically designed to address, so if you’re signing the file you’d still need to use minisign as well.

In terms of focus/exposure it does a lot less than PGP does, so you can expect it to possibly reach a “feature complete” status. Given Samuel’s experience, and the fact that he is still active, it may very well be that he hasn’t had to add anything to it. There are not any open issues on this tool or pull requests.

The reason is because we’d need to provide a guide to go along with it, as it’s not an all-in-one process whereas Kryptor is.

However on further look, Kryptor does depend on a vulnerable version of libsodium, which CVE analysis tools will flag for CVE-2025-69277. While this may not affect the tool itself, perhaps a guide utilizing age and SSH key signatures is a simpler way to go about it.

See LLM reports · samuel-lucas6/Kryptor · Discussion #93 · GitHub (at least better than nothing)

Kryptor supports keyfiles, unlike age.
Kryptor encrypted files are Padded Uniform Random Blobs, minimizes metadata.
Kryptor is better documented.