Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
aescrypt is simpler to use for encrypt/decrypt of single files. openssl is more a Swiss-army knife. There are a lot of wrong ways to use it.
What did you hear about passwords? openssl has multiple ways of generating a key from a password, so it's another thing that can be done wrong with openssl.
If distro built-in OpenSSL supports AES encryption, does a tool like https://www.aescrypt.com/ add any benefit?
As noted above, it’s easier to use. But there are a few things with that tool that bother me.
It uses a custom key derivation function, and a pretty weak one by today’s standards (just hashing the password ~8000 times with SHA2-256). It would be better to use PBKDF2 or, even better, something like scrypt or Argon2.
It uses a custom file format, which to my knowledge is supported by no other tool. This means that any file encrypted by AESCrypt can only be decrypted by AESCrypt. The format is described, but the description does not give all the details that would be required to implement a compatible decryptor (for example, one needs to read the actual source code to find out how the key is derived from the password, because the format documentation does not say a word about it). The format is also vulnerable to ciphertext manipulation attacks, something the developer seems to be in no hurry to fix.
And behaviors such as this:
Quote:
Bug: Typing "aescrypt -d -o input_file.aes" (forgetting to enter the actual output filename) will result in deletion of the input file
would finish to convince me not to approach this tool with a barge pole.
If you want to encrypt files, my advice would be to use GnuPG. It’s present in most if not all distributions (many distributions use it as part of their package distribution systems to ensure package integrity). It’s a well-tested tool which uses a well-described and specified standard format (OpenPGP). While it is primarily intended for public-key cryptography, it can also be used for password-based symmetric encryption if that’s what you want.
second part
OpenSSL has a "-a" switch, which presumably simplifies the character set of the encryption.
I was warned against encrypting a binary, but I don't know what he meant:
a) 'Don't encrypt any binary file, OpenSSL encryption is for text', OR
b) 'Don't create a binary encrypted file, always use the -a switch.'
Which is the accurate intention?... why?
first part
I read you mean OpenSSL is mainly a more complex tool.
Quote:
Originally Posted by smallpond
aescrypt is simpler to use for encrypt/decrypt of single files. openssl is more a Swiss-army knife. There are a lot of wrong ways to use it.
What did you hear about passwords? openssl has multiple ways of generating a key from a password, so it's another thing that can be done wrong with openssl.
Last edited by JASlinux; 04-15-2021 at 05:39 PM.
Reason: grammar
If you want to encrypt files, my advice would be to use GnuPG. It’s present in most if not all distributions (many distributions use it as part of their package distribution systems to ensure package integrity). It’s a well-tested tool which uses a well-described and specified standard format (OpenPGP). While it is primarily intended for public-key cryptography, it can also be used for password-based symmetric encryption if that’s what you want.
I approve of GnuPG for messaging.
My interest in comparing the other two tools is for on-the-fly local encryption of individual files, both text and binary.
Here-to-fore I've been using compression archives (.zip, .gz, etc. ), but was turned onto AES and other specifications.
I'm not sure the limits placed on binary encryption.
Compatibility is critical. AES should be AES no matter which tool we're using.
Compatibility is critical. AES should be AES no matter which tool we're using.
But the encryption algorithm is but a small part of what you need to take into account if you care about compatibility.
Just because two tools are using AES does not mean they are compatible. Case in point: A file encrypted with openssl enc cannot be decrypted with aescrypt, and a file encrypted with aescrypt cannot be decrypted with openssl enc.
For compatibility to exist, you need the different tools to agree on the way to use the encryption algorithm, the way to derive the encryption key from the password, the way to store the encrypted data on file…
Specifying this kind of details is the role of a standard encryption format, such as OpenPGP. A file encrypted with an OpenPGP-compliant tool can be decrypted by any other OpenPGP-compliant tool. For example, a file encrypted by GnuPG can be decrypted by Sequoia-PGP, or by any application built using a OpenPGP library (rnp, BouncyCastle, OpenPGP.js…).
Just because two tools are using AES does not mean they are compatible. Case in point: A file encrypted with openssl enc cannot be decrypted with aescrypt, and a file encrypted with aescrypt cannot be decrypted with openssl enc.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.