[aborsy]

I am not sure if I follow.

A symmetric key of length 128 bits has only 64 bits of security with quantum computers. The age developer mentioned this in a GitHub issue (although I think the fact that the security level is only 128 bits is very important and shouldn’t have been tucked away in the GitHub issues brought about by someone else; it should have been highlighted in the documentation, which doesn’t mention the security guarantees).

Here is part of the code, considering that the file key is 128 bits.

salt = ephemeral share || recipient info = "age-encryption.org/v1/X25519"

shared secret = X25519(ephemeral secret, recipient) wrap key = HKDF-SHA-256(ikm = shared secret, salt, info)

body = ChaCha20-Poly1305(key = wrap key, plaintext = file key)