Improve Secrets security

[RaphGL]

stop using SHA256 and instead use a more secure algorithm such as bcrypt, argon2d or argon2id.
this is necessary to prevent user's password from being bruteforced.

[raphaelahrens]

Hi,
I looked into this one more and I think the simplest solution would be to use rage/age .

Maybe further move a way from passwords and maybe allow the use of ssh keys, since that would remove the possibility of password reuse. Alternatively you could also use age identifies.

[RaphGL]

@raphaelahrens that looks promising. I'll try and implement that into the program and deprecate the current secrets implementation.

Personally I prefer password based stuff as I use password managers heavily and never repeat the same password anywhere. But I'll take a look at the encryption options they have there, maybe I can default to the recipient based approach and then add a flag that you can use to opt into passwords or ssh? (not sure how necessary SSH is if you can do the recipient method)

[raphaelahrens]

Rage uses scrypt to derive a key from the password, but if I understood your code correct I have to set one password for each file.

So there is a possibility of password reuse.
I don't know how bad it is for scrypt if you have 10 derived keys with the same password, scrypt uses a salt so there is some protection.
Further by finding one password there is a good chance to decrypt all files.

The advantage of a key pair would be that keys are not easy to guessand while you might use a password manager to defend against this, you should not assume that everyone will.