Score:0

Is OpenSSL enc using AES-256-CBC to encrypt large files safe?


I first generate a keyfile with `openssl rand -hex 64 -out keyfile`.

I then encrypt the file with `openssl enc -aes-256-cbc -salt -in large_file.zip -out large_encrypted.bin -pass file:./keyfile`.

I am encrypting files sized anywhere from a few bytes to 1TB. I will be using this in a simple bash script.

  1. Is this secure in 2021? Should I use a different cipher?
  2. Can any metadata leak from the encrypted file?
  3. Should/can the keyfile be larger than 64 bytes?
  4. Should I create new keyfiles for each file I encrypt?
  5. Is there a minimum/maximum file size this can encrypt? Do different file sizes affect security?
  6. Is this considered "rolling my own crypto" (which I know is widely discouraged)?
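Added example, not from the question or any of the comments: a Python reconstruction of what `openssl enc -aes-256-cbc -salt -pass file:./keyfile` actually writes and derives, so the points about leaked metadata and keyfile handling can be checked concretely. It assumes OpenSSL's documented behaviour: the `Salted__` header followed by an 8-byte salt, EVP_BytesToKey as the key/IV derivation when `-pbkdf2` is absent (SHA-256 since OpenSSL 1.1.0, MD5 before), PKCS#7 padding, and `-pass file:` reading only the first line of the file; the sample blob and keyfile contents are constructed.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte header openssl enc writes when -salt is in effect (the default)
BLOCK = 16           # AES block size; CBC output is always padded to a multiple of this


def password_from_keyfile(data: bytes) -> bytes:
    """-pass file:PATH uses only the first line of the file, minus the line ending.
    `openssl rand -hex 64` writes 128 hex characters plus a newline, so the
    password is those 128 ASCII characters (64 random bytes of entropy)."""
    return data.split(b"\n", 1)[0].rstrip(b"\r")


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, digest: str = "sha256", count: int = 1):
    """OpenSSL's legacy EVP_BytesToKey: D_i = H^count(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes exist. This is what `openssl enc`
    uses when -pbkdf2/-iter is not given (MD5 before 1.1.0, SHA-256 since)."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def inspect_enc_file(blob: bytes) -> dict:
    """What someone without the key learns from the output file: that it came
    from openssl enc (magic), the salt, and the plaintext length to within one
    block, because PKCS#7 padding adds between 1 and 16 bytes."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 8 + BLOCK:
        raise ValueError("not a salted openssl enc file")
    salt, ciphertext = blob[8:16], blob[16:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"salt": salt.hex(), "ciphertext_len": len(ciphertext),
            "plaintext_min": len(ciphertext) - BLOCK,
            "plaintext_max": len(ciphertext) - 1}


# Constructed sample: fixed salt and 48 bytes of made-up ciphertext, not a real file.
SAMPLE_BLOB = MAGIC + b"\x01" * 8 + b"\xaa" * 48
SAMPLE_KEYFILE = b"00ff" * 32 + b"\n"  # stands in for `openssl rand -hex 64` output

if __name__ == "__main__":
    info = inspect_enc_file(SAMPLE_BLOB)
    key, iv = evp_bytes_to_key(password_from_keyfile(SAMPLE_KEYFILE), bytes.fromhex(info["salt"]))
    print(info, key.hex(), iv.hex())
```

Running it against a real `openssl enc` output shows that only the salt and the padded length are visible, and that the whole 64-byte keyfile entropy is funnelled through a single digest pass into a 32-byte key, which is why a larger keyfile buys nothing.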
kelalaka (comment):

Why do you choose CBC instead of AES-GCM or ChaCha20-Poly1305? Encrypted data only contains IV, nothing more, since AES is secure. Well, why don't you use a VeraCrypt volume to store these files? Also see [this](https://crypto.stackexchange.com/a/87033/18298)
SAI Peregrinus (comment):

OpenSSL command line only supports less-secure modes like CBC. A VeraCrypt volume would use XTS, which also isn't an AEAD. It's also a lot harder to ensure no nonce reuse with file encryption and a short nonce like GCM uses. XChaCha20-Poly1305 can use a random nonce safely due to its eXtended nonce length.
henderson (comment):

I need to encrypt files on demand and individually. VeraCrypt does not seem to be able to do that. OpenSSL is not a requirement, it is just the best tool I've found that fits (or at least, seems to fit) my requirements. @SAIPeregrinus
SAI Peregrinus (comment):

https://age-encryption.org is what I'd recommend. It's built for file encryption, can generate a secure passphrase (eliminating the weak password problem), and uses an actual AEAD unlike OpenSSL, Veracrypt, and GPG. Example use: `age -p -o output.age input.txt` would encrypt `input.txt` into a file `output.txt` and print the passphrase it used. You could also pass in your own passphrase, but I recommend against this. If you want to encrypt lots of files, use its SSH key options.