I’m digging into OpenSSL for quite a while to find a decent encryption method to double the security of some critical GnuPG already encrypted files.
The one I came up with that seemed to satisfy my confidentiality requirements is as follows:
aes () {
openssl enc -aes-256-cbc -in $1 -out ${1}.aes -a -pbkdf2
}
Now, a friend of mine, whose crypto is a field of expertise, told me that the CBC
mode was unsecure because of possible attacks, and that I should use GCM
.
While searching on the subject, I also read this interesting thread which also rose the CBC
vs GCM
question, finally stating that the latter is not a silver bullet and that CBC
used with HMAC
would be a reasonable choice. Which suits me well as I actually use the -pbkdf2
parameter which seems to do just that.