1
votes

Currently I am encrypting sensitive files using the following OpenSSL command:

openssl aes-256-cbc -a -salt -in large_file.zip -out large_file.zip.enc

and to decrypt:

openssl aes-256-cbc -d -a -in large_file.zip.enc -out large_file.zip

This is working fine so far, but being as I don't have much experience with encryption and cryptography, I'm looking for some insight into if this is the best way to do things.

Am I encrypting/decrypting the file correctly? Am I making full use of AES-256 this way? Am I doing something wrong here that may impact the security of the encrypted file?

Comments/Replies are greatly appreciated.

Daniel.

PS: I'm not quite sure if this belongs in superuser or stackoverflow, please advise.

1
I think this belongs either on security.stackexchange.com or crypto.stackexchange.com. The lack of a programming question means it is not suitable for StackOverflow. I would suggest you close the question and repost in either of the two referenced sites. - Duncan Jones

1 Answer

2
votes

It can be secure, given the password is secure enough, and given that you only expect confidentiality. It is impossible to say if anything is secure without the use case, threat model and specific system setup though.

The OpenSSL password based key derivation methods are secure, and so is AES-256 in CBC mode. That said, modern crypto often uses some kind of integrity/authentication as in a secure mode of encryption such as GCM or by adding a MAC (using a separate key).

It's more something for http://security.stackexchange.com, although you may get closed/voted down if you don't show enough research etc.
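The answer's point about integrity, shown as an added example that is not part of the original question or answer: an encrypt-then-MAC wrapper around the question's command, with a check that a modified ciphertext still decrypts "successfully" under CBC alone but is rejected once the HMAC is verified first. The function names (`seal`, `unseal`, `tamper`, `mac_of`, `demo`) and the `ENC_PASS` / `MAC_KEY` environment variables are assumptions made for this sketch; the `enc` options are kept as in the question.

```shell
#!/bin/sh
# Encrypt-then-MAC around the question's `openssl aes-256-cbc -a -salt` command.
# ENC_PASS and MAC_KEY are assumed environment variables holding two
# independent secrets; all function names here are made up for this example.

mac_of() {  # HMAC-SHA256 of file $1 under MAC_KEY, hex digest only
    # Note: -hmac puts the key on the command line (visible in the process list).
    openssl dgst -sha256 -hmac "$MAC_KEY" < "$1" | awk '{print $NF}'
}

seal() {    # seal PLAIN OUT -> writes OUT (ciphertext) and OUT.hmac (tag)
    openssl aes-256-cbc -a -salt -pass env:ENC_PASS -in "$1" -out "$2" || return 1
    mac_of "$2" > "$2.hmac"
}

unseal() {  # unseal ENC OUT -> decrypts only if the tag over ENC matches
    tag=$(mac_of "$1")
    if [ -z "$tag" ] || [ "$tag" != "$(cat "$1.hmac")" ]; then
        echo "MAC mismatch, refusing to decrypt: $1" >&2
        return 1
    fi
    openssl aes-256-cbc -d -a -pass env:ENC_PASS -in "$1" -out "$2"
}

tamper() {  # change base64 character 30 of line 1 (inside the first ciphertext block)
    c=$(head -n 1 "$1" | cut -c30)
    if [ "$c" = "A" ]; then r=B; else r=A; fi
    sed "1s/^\(.\{29\}\)./\1$r/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

demo() {    # constructed sample data, written to a temporary directory
    d=$(mktemp -d) || return 1
    export ENC_PASS='constructed-passphrase' MAC_KEY='constructed-mac-key'
    i=0
    while [ "$i" -lt 20 ]; do echo "line $i of a constructed sample file"; i=$((i+1)); done > "$d/plain"
    seal "$d/plain" "$d/enc" && unseal "$d/enc" "$d/ok" && cmp -s "$d/plain" "$d/ok" || return 1
    tamper "$d/enc"
    # CBC alone: decryption still exits 0 but the plaintext is silently altered.
    openssl aes-256-cbc -d -a -pass env:ENC_PASS -in "$d/enc" -out "$d/bad" || return 1
    cmp -s "$d/plain" "$d/bad" && return 1
    # With the MAC verified first, the altered file is rejected before decryption.
    if unseal "$d/enc" "$d/never" 2>/dev/null; then return 1; fi
    rm -rf "$d"
}
```

Running `demo` returns 0 when all three behaviours hold. The MAC is computed separately here because the `openssl enc` utility does not support AEAD modes such as GCM.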