Namaste Rodrigo,

Thank you for your reply.

> Sent: Friday, January 03, 2020 at 5:43 PM
> From: "Roderick" <hru...@gmail.com>
> To: "Aham Brahmasmi" <aham.brahma...@gmx.com>
> Cc: misc@openbsd.org
> Subject: Re: Request for recommendation - encryption and signature for file backup
>
>
> I would perhaps write a script that calls openssl for encrypting and
> signing, rsync to send new files, something simple.
>
> I do use openssl for encrypting files in my laptop.
>
> Rodrigo

If I am not wrong, some time ago, solene@ wrote a blog post about using
openssl for encrypting files. She later modified it to recommend
existing backup tools. I think there was some feedback with respect to
her usage of openssl and cryptography, but I do not exactly remember
what it was.

I cannot find the original blog post, but the modified one is available
at
https://dataswamp.org/~solene/2018-06-26-openbsd-easy-backup.html

Perhaps, maybe solene@ would be able to throw more light on the openssl
feedback.

>
> On Thu, 2 Jan 2020, Aham Brahmasmi wrote:
>
> > Namaste misc,
> >
> > What tool(s) would you recommend to encrypt and sign a file - correctly
> > - for backup?
> >
> > I possess a limited ability to read code, and I am certainly not a
> > cryptographer.
> >
> > In my limited understanding, to securely backup and restore a file, the
> > steps are:
> >
> > To backup:
> > Step 1 - encrypt the file using a tool
> > Step 2 - sign the encrypted file using a tool
> > Step 3 - backup the signature and the encrypted file
> >
> > To restore:
> > Step 1 - verify the encrypted backup with its signature
> > If Step 1 exits with success,
> > Step 2 - decrypt backup to file
> > If Step 2 exits with success,
> > Step 3 - use file to restore
> >
> > For the tools to encrypt and sign, I think I may use the following:
> >
> > For encryption: encpipe
> > encpipe (https://github.com/jedisct1/encpipe) is ISC licenced, written
> > in C by Monsieur Denis and seems simple. If there is one thing that I
> > know - and I admit I don't know much - all things being equal, simple
> > beats complex.
> >
> > However, I do not understand the math underlying the tool or whether all
> > things are indeed equal - possible attack vectors, mitigations et al.
> > And hence, my request.
> >
> > For signature: signify
> > I think signify may suffice for signature. For other platforms, minisign
> > (https://github.com/jedisct1/minisign) is compatible with signify.
> >
> > Dhanyavaad,
> > ab
> > ---------|---------|---------|---------|---------|---------|---------|--

Dhanyavaad,
ab
---------|---------|---------|---------|---------|---------|---------|--
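
The backup and restore steps listed in the quoted message, written as shell functions around encpipe and signify. This is an added example, not part of the original thread: the file arguments are placeholders, and the encpipe options (-e/-d, -P, -i, -o) and signify options (-S, -V, -q, -s, -p, -m, -x) are assumed to match the installed versions.

```sh
#!/bin/sh
# Added example: encrypt-then-sign for backup, verify-then-decrypt for restore.
# Assumed: encpipe accepts -e/-d, -P <keyfile>, -i, -o; signify accepts
# -S -s <seckey> and -V -p <pubkey> with -m <file> -x <sigfile>.

# backup_file PLAIN OUTDIR KEYFILE SECKEY  -> prints path of encrypted file
backup_file() {
    plain=$1; outdir=$2; keyfile=$3; seckey=$4
    enc="$outdir/$(basename "$plain").enc"
    # Step 1: encrypt under a temporary name, so an interrupted run never
    # leaves a truncated file under the final name.
    encpipe -e -P "$keyfile" -i "$plain" -o "$enc.tmp" ||
        { rm -f "$enc.tmp"; return 1; }
    mv "$enc.tmp" "$enc" || return 1
    # Step 2: sign the ciphertext (not the plaintext), so restore can check
    # the signature before any decryption code sees the data.
    signify -S -s "$seckey" -m "$enc" -x "$enc.sig" ||
        { rm -f "$enc" "$enc.sig"; return 1; }
    # Step 3: both files are now ready to be copied to the backup location.
    printf '%s\n' "$enc"
}

# restore_file ENC OUT KEYFILE PUBKEY
# Returns 2 on a bad signature, 3 on a decryption failure.
restore_file() {
    enc=$1; out=$2; keyfile=$3; pubkey=$4
    # Step 1: verify; on failure stop here, decryption is never attempted.
    signify -V -q -p "$pubkey" -m "$enc" -x "$enc.sig" || {
        echo "restore: bad or missing signature for $enc" >&2
        return 2
    }
    # Step 2: decrypt to a private temporary file.
    ( umask 077; encpipe -d -P "$keyfile" -i "$enc" -o "$out.tmp" ) || {
        rm -f "$out.tmp"
        echo "restore: decryption failed for $enc" >&2
        return 3
    }
    # Step 3: only a verified, fully decrypted file gets the final name.
    mv "$out.tmp" "$out"
}
```

The distinct return codes let a calling script tell a tampered or unsigned backup (2) apart from a wrong key or corrupted ciphertext (3).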