I realize this depends on my implementation and the implementation of the libraries I use. I am asking about my process assuming that the encryption libraries and my code are not flawed/compromised, the user's password is secure and the machine is not compromised.
The goal here is to protect the confidentiality of the files with a password, and be able to encrypt them without entering a password.
Initial setup:
- Generate an RSA keypair
- Prompt user for password and assume they use a sufficiently secure one
- Encrypt private key in DER format, pkcs=8, scheme = scryptAndAES256-CBC with the user password
For each file:
- Generate a random session key of 32 bytes
- Encrypt session key with initial public key
- Generate a random nonce of 12 bytes
- Write to output file:
- Encrypted session key
- Nonce
- Encrypted file stream with AES GCM using random 32B session key and 12B nonce
When decrypting a file
- Prompt user for their password, decrypt initial private key
- Read the encrypted session key and nonce from the beginning of the file
- Decrypt the session key with the initial private key
- Decrypt the file stream with the session key and nonce
The only other things to note are that I chose GCM for its speed, over CBC for instance. I also am aware of the collision issue with using a random nonce, however I understand that this would be an issue more if I had billions of files using the same session key. And with a 32 byte random key I basically have 44 bytes of space to avoid collision. It is desirable for me to not have to keep track of a nonce.
Are there any issues with this plan or would this be a secure way to protect the privacy of files assuming the pseudo code was properly implemented?
