Need to implement a gpg/gpg2-compatible tool to encrypt millions of files in unsupervised mode

Robert J. Hansen rjh at sixdemonbag.org
Thu Jul 25 23:26:28 CEST 2019


> Pardon my ignorance, but I gather from this example that I would have
> to manage not only passphrases but also iv's as well?  (That would add
> to my work's complexity.)

An AES256 key is only 32 bytes long; an IV, only 16.  Keeping track of
48 bytes to decrypt your files isn't exactly a lot.  You can fit this on
the back of a business card with room left over.  I've done it before.

Passphrase-based crypto works by converting a passphrase into a
(seemingly) random series of bytes.  The problem is OpenSSL's
passphrase-to-bytes routine is pretty badly substandard.  Specify your
own key and IV.

> In fact, if I could have it my way, I would use a library that does
> nothing more than AES256-encrypt/decrypt (as long as I had any
> confidence that it would still be maintained 5 years from now).

Which language are you looking to use?  C#, Java, and Python all include
AES256 in the standard library and have excellent long-term support.
Many other languages offer it as well.  Python has some excellent PyPI
packages like passlib and Crypto which can make your task much simpler.

> In other words, I would love to use a single-purpose tool that is to
> AES256-encryption/decryption what, for example, gzip is to
> compression/decompression.

OpenSSL.  Look at the command line I gave you: it's used as part of a
pipeline that creates a tar archive and encrypted output all in one go.

> I assume that by this you mean that OpenSSL will still be around 10-15
> years from now

Yes.

We're getting pretty far afield from GnuPG here: please feel free to
follow up off-list.  Thank you!  :)
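The advice above to specify your own key and IV, as an added example that is not part of the original message and is not the command line it refers to. It assumes the `openssl` and `tar` CLIs are installed; AES-256-CBC is an assumed mode, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Assumptions: openssl and tar
# are installed, AES-256-CBC is the chosen mode, function names are made up.

# new_key: 32 random bytes (an AES-256 key) as 64 hex characters.
new_key() { openssl rand -hex 32; }

# new_iv: 16 random bytes (one AES block) as 32 hex characters.
# Generate a fresh IV for every archive encrypted under the same key.
new_iv() { openssl rand -hex 16; }

# encrypt_dir KEY_HEX IV_HEX SRC_DIR OUT_FILE
# Creates a tar archive and encrypts the stream in one pipeline. -K and -iv
# supply the raw key and IV, so no passphrase-to-bytes derivation is involved.
# Caveats: -K places the key on the command line, where other local users may
# see it in the process list; CBC gives confidentiality only, not integrity.
encrypt_dir() {
    tar -C "$3" -cf - . |
        openssl enc -aes-256-cbc -K "$1" -iv "$2" -out "$4"
}

# decrypt_dir KEY_HEX IV_HEX IN_FILE DEST_DIR
# Reverses encrypt_dir; the same 48 bytes (key + IV) are required.
decrypt_dir() {
    mkdir -p "$4" &&
        openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3" |
        tar -C "$4" -xf -
}
```

Store the hex key and each archive's IV somewhere separate from the ciphertext; without both, the archive cannot be decrypted.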


