Comment

Comment on Finally implemented PGP in Jotty <3

I appreciate you taking the time to implement this and answering some questions! I have a follow up question- What’s the benefit of using asymmetric encryption here? You’re not signing the message ( you probably should imo ) and you don’t appear to support sharing encrypted notes ( i.e a user provides one or more additional public keys that a note is encrypted for ). You’re basically doing symmetric encryption with the pain of key management

It’d be simpler ( from a user and code perspective )to use symmetric encryption ( something like aes-256-gcm or ChaCha20-Poly1305 for example ) and use key wrapping to avoid encrypting user data directly and you’d have stronger crypto as a result

You’re right that PGP is a valid encryption method but it’s not very popular in the modern day because it’s very hard to get right. Latacora has a great post on the PGP Problemand the Soatok blogs that u/litchralee linked are well worth a read too

source

Sort:hotnew top

fccview@lemmy.world ⁨2⁩ ⁨days⁩ ago
This is all actually very good feedback and a lot to take in and think about, I have no problems in admitting that something can be done in a better way and go back to the drawing board, I’ll admit, I don’t have much experience with neither of the methods you suggested, but a quick Google showed me a world of learning, so I have a lot of reading to do ♥️

P.s. I did read everything that was linked by u/litchralee btw and it was a very good read indeed

Now, onto the why I went for asymmetric encryption is due to the nature of the notes being files on a system rather than stored in a database, my thinking process being "I can use whatever public key I need for whatever note and decrypt them using the right private key at a later time.

Regarding the sharing, my thinking was “you give me a public key, I use it to encrypt the note, share it with you - privately or publicly - and you can use your private key to decrypt it”. Which is why there’s always an option to encrypt with a different public key than the one stored for yourself, I was imagining it just like encrypted emails work frankly. I may have gone a bit too much for overkill lol

I’ll see to implement additional encryption methods, if anything I’m all for choice and letting people decide what to use. There’s also the very selfish answer to your question btw being that… I like PGP and I made jotty mainly for myself hahahaa

source
fccview@lemmy.world ⁨1⁩ ⁨day⁩ ago

As of version 1.14.3 I have also introduced XChaCha20 encryption (used as default) to allow both symmetric and asymmetric encryption types.

As of version 1.14.3 I have also introduced XChaCha20 encryption (used as default)

This was extremely easy to implement, not gonna lie, bit of research brought me here www.npmjs.com/package/libsodium-wrappers-sumo and from there on it was as simple as doing the UI (which is just a bunch of re-usable components, spent way too much time making sure everything is re-usable).

Now users (and I) can decide which encryption type to use in which situation, win-win i’d say, thank you for pushing me into doing this, it actually makes the whole experience 100x better and you were right in the sense that for a note taking app, a passphrase is just about enough.

source