GPG and Me (2015)

10 years later, GPG still divides: love the keys, hate the pain

TLDR: The essay says GPG is outdated and too hard to use, but commenters defend it as the safest way to control your own privacy. Others admit it’s painful yet unavoidable, with new tools like Sequoia’s sq and Keybase easing the ride—critical for journalists, activists, and software trust.

A decade-old essay dunking on GPG—the old-school tool that encrypts email with personal keys—just reignited a comment war, and it’s juicy. The author calls GPG a “1990s crypto museum,” too complicated, and a “glorious experiment” that should be retired. The crowd? Split down the middle, and loud about it.

On one side, key absolutists insist GPG is the last honest way to keep messages truly yours. jmclnx thunders that nothing beats controlling your own keys, pointing at apps that later handed theirs over. On the other, fed-up pragmatists say they’d love to ditch GPG but can’t—PGP (the broader standard) runs everything from Linux package signatures to company workflows. palata sums it up: it’s the standard, moving away is hard, despite shiny alternatives like sigstore and age.

There’s a tooling redemption arc too: kincl cheers the new Sequoia-PGP sq command-line tool for finally fixing GPG’s weird, inconsistent feel, while sleepybrett says Keybase made everyday use tolerable. And yes, the classic meme returns: the facepalm “Do I send you my private key?” confusion, quoted like a campfire horror story.

The vibe: privacy purists vs usability rebels, popcorn-worthy drama over whether GPG is a lifesaver or a relic. Everyone agrees on one thing—secure communication matters—but the fight is over how painful it has to be.

Key Points

  • The author reports growing reluctance to use GPG for casual encrypted email despite previously publishing a GPG key.
  • GPG’s design exposes complex choices (e.g., cipher selection) and is documented with a lengthy GnuPG man page (~16k words).
  • Adoption metrics cited are modest: ~50,000 keys in the “strong set” and <4 million keys published to the SKS keyserver pool over ~20 years.
  • The essay states PGP/OpenPGP reflect 1990s-era crypto, have accumulated protocol cruft, and lack forward secrecy.
  • Projects like Mailpile required ~1,400 lines of Python to interface with GnuPG, illustrating integration and reliability challenges.

Hottest takes

“there is nothing today as secure as GPG… I control the key” — jmclnx
“promise of fixing the strange and inconsistent ergonomics” — kincl
“PGP has become a de facto standard, and moving away from it is hard” — palata