[openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?

Michael Wojcik Michael.Wojcik at microfocus.com
Mon Nov 5 13:47:07 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Nicholas Papadonis
> Sent: Saturday, November 03, 2018 13:03

> https://security.stackexchange.com/questions/182277/is-openssl-aes-256-cbc-encryption-safe-for-offsite-backup

Thanks. Yes, that's talking about the CBC mode malleability issue, which Hanno Boeck described.

I didn't want to assume you were referring to CBC malleability, because your original email implied you were talking about an issue specific to OpenSSL and referred to a pipeline at one point. Making assumptions that discard conflicting information can be dangerous when discussing security-related matters. (CBC malleability applies to all use of CBC mode, regardless of implementation or underlying block cipher. A cryptosystem using CBC has to provide some kind of message integrity to prevent it.)

> No regulatory requirements.  I'm a personal user making sure to take best practices into account for
> securing data.  I also have the assumption that there are numerous attack vectors in involved in storing
> computer data, all the way back to the design and manufacturing process.  I.e. you need to design,
> manufacture and test your own computer to be truly secure.

As with standards, the great thing about "best practices" is there are so many sets to choose from.

Here's the thing: There is no such thing as "truly secure". Security is not an absolute state. There are various ways to model it, but it's always in some sense economic. You can look at the relative costs of attack and defense, and the value of the protected system to the attacker and the defender; you want to maximize the cost of attack, preferably so that it makes access unprofitable, while keeping the cost of defense within an appropriate budget. (Note that "cost of defense" includes things like usability for authorized users and risk of data loss if a key or ciphertext is corrupted; it's not just material and effort.) You can also model security in terms of the probability of various types of adverse events (unauthorized data exposure, alteration, or loss, in this case) and the costs to you of those events - you want to minimize the sum of the probability-cost products.

Understanding security as relative rather than absolute also means that "best practices" will depend on your threat model and security budget.

Now, all that said: In this particular case, if you're weighing using the openssl command-line utility or gpg, use gpg (in symmetric-encryption mode). For the reasons Hanno and I mentioned here on openssl-users, and the reasons given in that StackExchange thread. The openssl utility isn't intended for this; gpg is.

Some people have suggested some other alternatives, such as encrypted filesystems. There are also inexpensive encrypting USB drives and the like, which are good for some use cases.

> I want to keep at least two copies of data in different locations for disaster recovery.  Each copy itself should
> have a backup stored with it in case of a bit error.

OK. It's good to consider and mitigate various failure modes.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list