[Cryptography] how to encrypt for the very long term?
Kent Borg
kentborg at borg.org
Mon Jul 30 17:18:32 EDT 2018
I think you have to ask yourself what failures you are most afraid of.
The two obvious ones:
1) The wrong person gets access to your unencrypted data.
2) The right person cannot get access to your encrypted data.
Which would be worse for your case? #2 might be harder than you think.
Possibly technological change will slow down about now, but I wouldn't
count on it. Which means more than twenty years is truly a long time. I
would be very worried about software needed to access your data not
existing or not runnable on existing hardware or not still being
compatible with old data formats.
I would also worry about bit-rot in whatever media you use to store your
data. And I would worry about working hardware still existing for your
media, and still supported by existing drivers, to read your physical media.
Obviously I would worry about keeping passphrases secure AND not
forgotten for twenty years.
Finally, I would worry about the right person knowing how to recover
your encrypted data in twenty years. Being too obscure might be an
ironic way to lose your data. (How motivated and resourced and
interested in the data is this person in twenty years?)
I would not be worried that AES-256 is going to be broken.
Superencrypting with some other algorithm wouldn't hurt (providing keys
and passphrases are completely unrelated!), but it might not help.
(Remember, there is no such thing as double-DES. Because it is no
stronger than single-DES!) Superencryption is trickier than you might
guess, and it would certainly make recovery procedures harder.
I would recommend the most standard, and most likely to stay living,
software I could, and that is probably gnupg, running on Linux, using
other standard Linux (nee Unix) tools (split!). Some version of
something Unix-like will still exist in twenty years, and gnupg and
other classic tools will likely run on it. Who cares if gnupg doesn't do
key-extension as well as you want, I don't think you should trust key
extension: I think you need really good passphrases, which means lots of
real entropy going into their generation and encoded in a long string
independent of the defensible minimum entropy (remember, an encryption
passphrase is different from a login password--completely different).
Mostly, I would redefine the problem if I could. Why is anyone
interested in this data in twenty years or more? Why has someone
preserved and kept secure any passphrase for so long?? Presumably
because there is some institutional interest in this data. If so, secure
the data carefully now, but delegate responsibility for maintaining it
to said institutional interest: Copying to new media before the old bits
die or become too obsolete, re-encrypting in new formats before the old
formats die or become too obsolete. Regularly revisit these issues to
make sure they still have access to this important data.
The hardest part of this problem is *not* the encryption itself. (It
mostly never is.) All the surrounding issues are the hard parts.
-kb
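
Added example, not part of the message above: a shell sketch of the gnupg-plus-split approach the post recommends, with a SHA-256 per piece so the bit-rot it worries about can be detected and located before a piece is needed. The function names, the `part.` prefix, the manifest file names and the 100 MB default piece size are assumptions; it expects gpg, split and sha256sum as found on a standard Linux system.

```shell
#!/bin/sh
# Added example: names, file layout and piece size are assumptions.

# Passphrase-only encryption, so recovery needs no keyring, only gpg
# and the passphrase. gpg prompts for the passphrase interactively.
archive_encrypt() {   # usage: archive_encrypt <plaintext> <out.gpg>
    gpg --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# Matching recovery step, kept next to the data as documentation.
archive_decrypt() {   # usage: archive_decrypt <in.gpg> <plaintext>
    gpg --decrypt --output "$2" "$1"
}

# Split the ciphertext into fixed-size pieces and record a SHA-256 for
# every piece plus one for the whole file.
archive_split() {     # usage: archive_split <file> <outdir> [piece-size]
    mkdir -p "$2" || return 1
    split -b "${3:-100m}" -a 4 "$1" "$2/part." || return 1
    ( cd "$2" && sha256sum part.* > MANIFEST.sha256 ) || return 1
    sha256sum < "$1" | cut -d' ' -f1 > "$2/WHOLE.sha256"
}

# Re-check every piece. Prints only the damaged or missing pieces and
# returns non-zero if there are any. Meant to be run on a schedule and
# after every copy to new media.
archive_verify() {    # usage: archive_verify <dir>
    ( cd "$1" && ! sha256sum -c MANIFEST.sha256 2>/dev/null | grep -v ': OK$' )
}

# Reassemble the pieces (suffixes aaaa, aaab, ... sort in split order)
# and confirm the result is byte-identical to the original ciphertext.
archive_join() {      # usage: archive_join <dir> <out.gpg>
    archive_verify "$1" >/dev/null || return 1
    cat "$1"/part.* > "$2" || return 1
    [ "$(sha256sum < "$2" | cut -d' ' -f1)" = "$(cat "$1/WHOLE.sha256")" ]
}
```

Storing a plain-text copy of these few commands beside each copy of the pieces addresses the post's point about the right person knowing how to recover the data.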