Nobody should be using GnuPG casually; if you're still using it in 2021, you should have a really clear reason for doing so. You're virtually always better off using any other well-known tool. The reasons you've provided in the past for defaulting to GnuPG --- such as its avoidance of authenticated encryption being a good data recovery mechanism --- have, to put it gently, not seemed especially informed by cryptographic best practices. It seems like more of a social cause for you than an engineering decisions. Which is fine as far as it goes, but it'd be better if you were clearer about that.
I use it indirectly with pass (passwordstore.org), which is one of the few security-related pieces of software I like. Do you have an opinion on that? I've never heard of age before, but it looks like a pass-like interface to it could be ejected in a few hours if one were so inclined.
Is the antipathy towards GPG based on it being too easy to misuse/misapply, or is it because it's broken when used properly?
I've heard nothing but good things about pass. There's also a pass that uses age now, which is I guess what I'd use if I was in the market for something like it. There's a point at which you're asking so little from your cryptosystem --- as is the case with local-only CLI password managers --- that it doesn't much matter that you're using PGP. I don't, like, recoil from .pgp.asc files! The place you really get in trouble with PGP is when you try to use it on email.
>The reasons you've provided in the past for defaulting to GnuPG --- such as its avoidance of authenticated encryption being a good data recovery mechanism --- have, to put it gently, not seemed especially informed by cryptographic best practices.
That greatly misrepresents my position. Generally I prefer that things follow some sort of open standard. For offline capable, stateless encryption that leaves the OpenPGP standard. I have spent some time looking at it and judge it to be completely OK and worthy of use. I was even inspired to write a series of articles about it in an attempt to counteract the misinformation that I have seen:
