Need to implement a gpg/gpg2-compatible tool to encrypt millions of files in unsupervised mode
Robert J. Hansen
rjh at sixdemonbag.org
Thu Jul 25 23:26:28 CEST 2019
> Pardon my ignorance, but I gather from this example that I would have
> to manage not only passphrases but also iv's as well? (That would add
> to my work's complexity.)

An AES256 key is only 32 bytes long; an IV, only 16. Keeping track of
48 bytes to decrypt your files isn't exactly a lot. You can fit this on
the back of a business card with room left over. I've done it before.

Passphrase-based crypto works by converting a passphrase into a
(seemingly) random series of bytes. The problem is OpenSSL's
passphrase-to-bytes routine is pretty badly substandard. Specify your
own key and IV.

> In fact, if I could have it my way, I would use a library that does
> nothing more than AES256-encrypt/decrypt (as long as I had any
> confidence that it would still be maintained 5 years from now).

Which language are you looking to use? C#, Java, and Python all include
AES256 in the standard library and have excellent long-term support.
Many other languages offer it as well. Python has some excellent PyPI
packages like passlib and Crypto which can make your task much simpler.

> In other words, I would love to use a single-purpose tool that is to
> AES256-encryption/decryption what, for example, gzip is to
> compression/decompression.

OpenSSL. Look at the command line I gave you: it's used as part of a
pipeline that creates a tar archive and encrypted output all in one go.

> I assume that by this you mean that OpenSSL will still be around 10-15
> years from now

Yes.

We're getting pretty far afield from GnuPG here: please feel free to
follow up off-list. Thank you! :)
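
The advice in the message above to specify your own key and IV, as an added example that is not part of the original message: `openssl enc` is given a random 32-byte key and a fresh 16-byte IV per file instead of a passphrase. The function names, the key file and the `.iv` sidecar file layout are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original thread): AES-256-CBC with an explicit
# key and a fresh IV per file, so OpenSSL's passphrase-to-key routine is
# never used. Function names and file layout are assumptions.

# Create a 32-byte key, stored as 64 hex characters, readable by owner only.
make_key() {    # usage: make_key KEYFILE
    ( umask 077 && openssl rand -hex 32 > "$1" )
}

# Encrypt IN to OUT; the 16-byte IV is written (hex) to OUT.iv.
# The IV is not secret, but it must be different for every file
# encrypted under the same key.
encrypt_file() {    # usage: encrypt_file KEYFILE IN OUT
    iv=$(openssl rand -hex 16) || return 1
    printf '%s\n' "$iv" > "$3.iv" || return 1
    # Caveat: -K puts the key on openssl's command line, where other local
    # users may see it in the process list; run this on a host you control.
    openssl enc -aes-256-cbc -K "$(cat "$1")" -iv "$iv" -in "$2" -out "$3"
}

decrypt_file() {    # usage: decrypt_file KEYFILE IN OUT  (reads IN.iv)
    openssl enc -d -aes-256-cbc -K "$(cat "$1")" -iv "$(cat "$2.iv")" \
        -in "$2" -out "$3"
}

# Round trip on a constructed sample file; returns 0 when the plaintext
# survives and two encryptions of the same input differ (fresh IVs).
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$d/in.txt"
    make_key "$d/key.hex" || return 1
    encrypt_file "$d/key.hex" "$d/in.txt" "$d/a.enc" &&
    encrypt_file "$d/key.hex" "$d/in.txt" "$d/b.enc" &&
    decrypt_file "$d/key.hex" "$d/a.enc" "$d/out.txt" &&
    cmp -s "$d/in.txt" "$d/out.txt" && ! cmp -s "$d/a.enc" "$d/b.enc"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "round trip OK"
```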