I've long been a PGP advocate. I love the concept of a decentralized network of secure identities, a web of trust, and using that to sign data and encrypt to users. I like that I can use it to sign git commits to avoid spoofing. But this isn't a post about the joys of PGP. This is a sad story about why I no longer believe in PGP and am moving on.
Disclaimer: this is from the perspective of a user with average security/privacy needs. I am not a cryptography expert. Do your own research.
First, the formalities. I hereby revoke my current personal PGP key. Reason: will no longer be used. Below is the revocation certificate (this has also been uploaded to multiple keyservers):
-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: This is a revocation certificate iJsEIBYIAEMWIQQzahRyYvIQiH5muqHeSYNBuGkdjQUCXkyILyUdA3NvIGxvbmcg YW5kIHRoYW5rcyBmb3IgYWxsIHRoZSBmaXNoAAoJEN5Jg0G4aR2NvFIA/R9MIo9C 5COtHqqIYIlrpCt9GYoG2vO6d1IJjNSHc5HYAP9lxLWl4d+BXz3HzTYXsHJR3CfC DlMYzL1iWdtVoRZ0CA== =s6B7 -----END PGP PUBLIC KEY BLOCK-----
I have no reason to suspect that this has been compromised. It is for other reasons that I no longer plan to use it. Please do not encrypt anything to this key in future.
I don't use it
This one is the hardest to take. In all the years I've used PGP keys, I can count on one hand how many times I've used it for an actual email conversation. I have also hardly used it to encrypt files to people. I don't think I've ever been able to use its web of trust features. Though I sign emails and commits, it's a passive thing that is only useful if others care about it.
No one else cares
PGP users are a niche market. Neither places I have worked, open source I contribute to, nor many people I interact with care whether I sign commits or even if I have a key. If they don't use PGP themselves, then they can't verify the signatures anyway. Some do use PGP, but never request signatures or encryption. Nobody is interested in building a PGP web of trust.
When I do use it, it's broken
I sign every email and every git commit. Someone squashes commits? Signatures lost. Email goes through a mailing list? Signatures corrupted. Rotate keys? Signatures no longer valid. Don't trip check settings before replying to an email? Email sent in plain text by accident.
It's too hard.
Just that. GPG has countless command line options. Creating keys has too much configuration. Managing keys is too hard. The web is filled with tutorials on how to do basic things, because there are a million ways to do each basic thing, all ways are valid, none are perfect. Recommendations in old tutorials no longer reflect the current state of cryptography recommendations. Just thinking about how to manage keys and key rotatation keeps me up at night. Will I lose access to old encrypted content when I rotate keys? Will old signatures still be valid? For how long? Do I follow tutorial X and keep my master key in a faraday cage and only ever decrypt it on a disposable airgapped computer? Or tutorial Y which says YOLO it because the passphrase is strong enough? Did that email actually send encrypted or not??
Nope. Just stop.
Let it be known that I'm not just giving up! I still care about security and privacy just as much as always. So what will I use instead of PGP?
Web of trust
This is something that PGP promised, but has failed at because it never gained a large enough userbase. I don't think there exists true alternative to the original vision.
An ad-hoc web of trust already exists though. I personally find it useful, and it has protected me from scam attempts. This is to simply have multiple established communication lines. We complain about so many communication apps, but this is a strength here. For example, email + sms, or twitter + discord + irc. Whatever, as long as you know you have multiple methods of contacting someone so you can double check if you suddenly get a dodgy email from them asking for money. No, it's not as secure as PGP can be, but my use case at least isn't about protecting against state actors, but from the event of an email spoofing phish or compromised social media account.
Signatures and encryption
If you ever doubt an email or commit you receive from me, by all means contact me by something other than email and ask me to confirm it. I really don't think anyone will miss signatures on git commits or emails though...
For secure communication, I'll either use Matrix, Keybase, Signal, or Telegram, all of which support e2e encryption of some form. Matrix is awesome and I hope it starts getting more use; decentralized, federated e2e encryption ftw!
For other arbitrary encryption and signatures, I'm leaning towards the more modern, focused tools, like age and signify. I don't yet know much about them, but enough to realize that this is where the future is heading: small, well implemented, focused tools (ie. "do one thing well"). This is where I'll be investigating in the near future.
Sending an arbitrary encrypted file to someone will likely end up involving obtaining a once-off public key from the recipient, and encrypting to that. It still requires having a previously trusted communication line to exchange public keys, but for many use cases, this is how PGP keys would be exchanged anyway; not many PGP key users have a large web of trust attached to their key.
So basically, if you wish to securely send something to me, please contact me via a method you trust, establish that you're really talking to me, and ask me to generate and send you a public key of some sort you can encrypt to.
PGP is not all bad. It was built to solve real problems, and still has legitimate use cases. It's just unfortunate that a combination of factors has resulted in a system that is overengineered and underused. Perhaps it's time we moved on.