Storing anything of value in the cloud, regardless of encryption, is the very essence of stupidity. How many times does this fact need to be reiterated in the news before people get it?
It would be helpful if you could tell me where you got the impression that I was encouraging use on cloud-storage services. Was it in the README? the code? a post I made on my blog? I ask because I'd like to correct that doc/post/etc. so that others don't get the same impression.
P.S. Blackbox was written to safely store the occasional secret file (SSL certs, mostly) in a Puppet repo stored on an in-company source code server.
Even though I personally knew everyone with access to the repo, root access to the repo server, or access to where the backup tapes are stored... it became essential to encrypt those secrets. Honest, I don't trust the people who handle our backup tapes... one of them is me and I'm the least trustworthy person I know.
Even more importantly, now that I could open up the repo to all my coworkers, it enabled me to collaborate across the company. They could read my code, even submit pull requests, and I didn't have to worry that they had access to SSL certs.
A few years ago, my company was setting up a second office a few hours' drive away. They wanted a replicated file share between the two offices. For the initial sync, they drove a NAS from the main office to the satellite. Then they had (openvpn-encrypted) rsyncs on a nightly basis.
But the ITAR directory on the NAS was never rsynced. Instead, they drove the files out there every week using a flash drive.
Seemed like a crazy policy to me, but after Heartbleed, who knows?
Sharing passwords or private keys is inherently risky, but simple necessity always prevails in the end. Acknowledging the risks, developing protocols taking it into account intelligently, is all you can do.
Storing things of value in the cloud, without inspecting and validating that the underlying tech is secure enough, is the essence of stupidity.
You store your money in the bank, rather than in your closet right? And they just put that money as a bit in your computerized account on their mainframe, right? How is that any different than a properly secured 'cloud'?
I remember this story, though I forgot exactly how deep it went. I thought it was just compromising certificate authorities, or sneaking in physically to catch part of the stream that's not encrypted like they did with Google. That's irrelevant here because the only computers that would hold decrypted info in the case of Blackbox are those computers which would anyway hold it decrypted without Blackbox.
So there's still the part about compromising the encryption software. Well, GPG is not proprietary so that's a lot harder.
As far as somehow brute forcing the ciphertext, I guess that may be possible, though they don't give clear details about that here. That being the case, they still don't say anything about GPG. Perhaps the biggest argument of all is that Edward Snowden himself uses it, knowing everything he knows.