Update for 2023: this is still a thing!
It's 2019, and OpenPGP has to die already (for very many reasons I won't list, but see 1, 2 and 3). At least for most uses.
I'll try to list here some replacements categorized by usage (also see 5), because there's no single do-it-all app, and there shouldn't be!
All of this resurfaced because of a vulnerability recently exploited in the SKS keyservers (which has NOTHING to do with OpenPGP or GnuPG themselves, but yes, they are part of the same ecosystem) (see 4).
Note: only FOSS software listed (although some server-side implementations could be closed, where applicable).
Listed apps are in no particular order. You should analyze your threat model to know which one to prefer, but as a rule of thumb, go for an easy-to-use one that doesn't let you make a mistake and lose security.
OpenPGP no longer stands nor classifies as secure messaging, but for the sake of simplicity, let's say it does and list here replacements for it.
All apps listed in this section are E2EE (end-to-end encrypted [and authenticated]) for one-on-one comms at least.
- Signal messenger
  - Multiplatform, centralized, requires phone number, is therefore not anonymous, supports group E2EE.
- Matrix/Synapse
  - Multiplatform, decentralized, requires user account, can be anonymized using Tor, supports group E2EE.
- OTR v4 (with Pidgin + XMPP or other protocol)
  - Multiplatform, XMPP is decentralized, requires user account, can be anonymized using Tor.
- Tox
  - Multiplatform, peer-to-peer, anonymization guaranteed (mandatory, through Tor).
When you need to deliver a link or other authentication material required by these apps, use one of the secure messaging apps listed above.
- OnionShare
  - Multiplatform, peer-to-peer, anonymization guaranteed (mandatory, through Tor).
  - Private shares (must deliver link to addressee).
- Magic Wormhole
  - Multiplatform, peer-to-peer, can be anonymized using Tor.
  - Private shares (must deliver link to addressee).
- Riseup Share
  - Web client only (in-browser encryption, NOT SO TRUSTWORTHY), centralized, no account required, can be anonymized using Tor.
  - Private shares (must deliver link to addressee).
Encrypt files for yourself, or maybe others. But consider checking out the secure file sharing options above ;)
- age
  - Modern, well-thought-out API and use case, sane defaults.
  - Multiplatform, CLI and GUI, symmetric and asymmetric encryption.
- sear
  - Multiplatform, CLI only, symmetric and asymmetric encryption and authentication, with signatures.
  - It's still quite new.
  - Maybe you want to stick with age for now.
- minisign
  - Multiplatform, CLI (I don't know of any GUI), creates small and secure signatures.
  - Easy to use, has several libs for different languages.
- signify
  - Linux and Mac for sure (maybe Windows too?), CLI, creates small and secure signatures.
  - Honestly, I prefer minisign.
Are you a dev looking for secure, easy-to-use libs to handle crypto? Stay with libsodium. Find your preferred language binding in the docs. For PHP you might want to give Halite a try.
Do you need to handle tokens/cookies/authentication with clients? Forget JWT, go for PASETO. It's made for PHP, but implementations in other languages exist.
1. What's the matter with PGP?
2. Giving Up on PGP
3. GPG And Me
4. What's the fuzz with OpenPGP and SKS keyservers?
5. Modern Alternatives to PGP
6. The PGP Problem
7. But what about #gnupg's role in the attack? /thread
The information shown here is licensed under CC BY-SA 4.0. You are free to share and adapt it as long as you keep your adaptation open too :)
2023-09-14: Keybase is f*kd; Firefox Send is dead now.