Specify additional KDF iterations

[catleeball]

Hello!

I'm not a cryptography expert, so let me apologize in advance if this doesn't make sense for Age!

Are there any plans to allow users to tune the KDF iterations or memory usage? This might be nice particularly for user-set passphrases that might be vulnerable to dictionary or brute force attacks.

I saw in the spec under the 2019-05-26 update that you started using Argon2, and it looked like Argon2 accepted iteration and memory parameters, and I wondered if it might be useful to expose those parameters to users.

Thanks!

[FiloSottile]

Hi! The 2019-05-26 update is badly worded, but it initially used Argon2 and switched to scrypt because it's more universally available. scrypt has a single work factor parameter, which is configurable in the API: https://pkg.go.dev/filippo.io/age#ScryptRecipient.SetWorkFactor

The CLI focuses on providing an easy to use interface for most users with no config options, so it doesn't expose the same knob.

It might be a good idea to pick the default based on the machine's speed, but the problem is that we don't know the speed of the machine on which the decryption will happen.

[catleeball]

Oh, I see, thanks for explaining! That makes sense to expose it via the API but not via the CLI app given your goal to keep it zero-config.

P.S. thanks for making this tool! Looking forward to the 1.0 release (I saw there's an RC for it now!). If I can find some fun not-work hacking time, I might have to start playing with making a tool with Age. 😄

[BuriedInTheGround]

Hi! I'd like to add something on this topic based on a recent experience.

I was trying to use age to encrypt a blog post intended for strictly personal consultation with a passphrase. In my workflow, I encrypt the file using the CLI, so the default scrypt parameters are used. I deployed my site on Fly.io and noticed that I couldn't access the protected post while the server was returning 502 (everything was fine on localhost, of course 🙃).

After a bit of tinkering, I recalled that scrypt has memory requirements. According to @FiloSottile's blog post (https://words.filippo.io/the-scrypt-parameters/#estimatingscryptmemoryusage), the default parameters in age should require about 256 MiB of memory (128 * (1 << 18) * 8 = 256 MiB), which is too much for me considering that I'm using Fly free allowances that give me exactly "256mb" (https://fly.io/docs/about/pricing/#free-allowances).

If age would allow setting the scrypt work factor from the CLI, I could set the work factor to a value of 15, for example, which would correspond to a feasible requirement of 32 MiB.

As a workaround, I'm thinking of writing a small Go program to encrypt with a custom work factor. However, I will lose all the nice checks that the CLI already does.