Should Kryptor still be recommended on the site?
I seem to remember age didn’t do the sender authenticity which is what Kryptor was specifically designed to address, so if you’re signing the file you’d still need to use minisign as well.
In terms of focus/exposure, it does a lot less than PGP does, so you can expect it to possibly reach a “feature complete” status. Given Samuel’s experience, and the fact that he is still active, it may very well just be that he hasn’t had to add anything to it. There are not any open issues on this tool or pull requests.
jonah:
I am surprised we don’t recommend age (or minisign) though, I thought we did. This seems to be @dngray’s thing though, so maybe he can elaborate:
The reason is because we’d need to provide a guide to go along with it, as it’s not an all-in-one process whereas Kryptor is.
However, on further look, Kryptor does depend on a vulnerable version of libsodium which will flag CVE analysis tools for CVE-2025-69277. While this may not affect the tool itself, perhaps a guide utilizing age and ssh key signatures is a simpler way to go about it.