0

I first generate a keyfile with openssl rand -hex 64 -out keyfile.

I then encrypt the file with openssl enc -aes-256-cbc -salt -in large_file.zip -out large_encrypted.bin -pass file:./keyfile.

I am encrypting files sized anywhere from a few bytes to 1TB. I will be using this in a simple bash script.

  1. Is this secure in 2021? Should I use a different cipher?
  2. Can any metadata leak from the encrypted file?
  3. Should/can the keyfile be larger than 64 bytes?
  4. Should I create new keyfiles for each file I encrypt?
  5. Is there a minimum/maximum file size this can encrypt? Do different file sizes affect security?
  6. Is this considered "rolling my own crypto" (which I know is widely discouraged)?
henderson
  • 1
  • 1
    Why do you choose CBC instead of AES-GCM or ChaCha20-Poly1305. Encrypted data only contains IV nothin more since AES is secure. Well, why don't you use a VeraCrypy volume to store these files? Also see this – kelalaka Jun 12 '21 at 11:17
  • OpenSSL command line only supports less-secure modes like CBC. A VeraCrypt volume would use XTS, which also isn't an AEAD. It's also a lot harder to ensure no nonce reuse with file encryption and a short nonce like GCM uses. XChaCha20-Poly1305 can use a random nonce safely due to its eXtended nonce length. – SAI Peregrinus Jun 12 '21 at 12:26
  • I need to encrypt files on demand and individually. VeraCrypt does not seem to be able to do that. OpenSSL is not a requirement, it is just the best tool I've found that fits (or at least, seems to fit) my requirements. @SAIPeregrinus – henderson Jun 12 '21 at 12:44
  • 1
    https://age-encryption.org is what I'd recommend. It's built for file encryption, can generate a secure passphrase (eliminating the weak password problem), and uses an actual AEAD unlike OpenSSL, Veracrypt, and GPG. Example use: age -p -o output.age input.txt would encrypt input.txt into a file output.txt and print the passphrase it used. You could also pass in your own passphrase, but I recommend against this. If you want to encrypt lots of files, use its SSH key options. – SAI Peregrinus Jun 12 '21 at 16:12

0 Answers0