[Cryptography] how to encrypt for the very long term?

Christoph Anton Mitterer calestyo at scientia.net
Fri Jul 27 08:06:49 EDT 2018


Hey.

I'm basically looking into encryption of (backup) files for the very
long term (like at least 20 years).

The basic scenario is as follows: arbitrary files in the 20-30 TiB
range are backed up with dar (which splits into much smaller slices) and
put on tape.

Ideally, the whole thing should be resilient against data corruption,
e.g. if some bytes of the tape are lost, the remainder of the encrypted
file can still be decrypted (dar tries to recover from such broken
archives),... however this shouldn't go at the cost of security.

A (number of) passphrase(s) shall be used for encryption (i.e. not a
pubkey scheme) of the symmetric encryption key... simply because
otherwise I'd rely on the private key and would need some other
sophisticated means to backup that as well.



Even though it's most likely overkill, I'd prefer to encrypt the files
multiple times,... like e.g. first with AES, then perhaps SERPENT,
maybe even a 3rd one.

And there should be some very strong passphrase hashing algorithm (e.g.
Argon2*)... it wouldn't matter if it takes minutes on a modern CPU.

The encryption tool should be something well maintained, taking over to
get all the difficult things (padding, salting, etc. pp.) done right.
Also it shouldn't use any of the "weaker" algorithms internally (e.g.
things like SHA1 which already has certain scratches for certain use
cases).


One choice is obviously gpg with symmetric encryption, which is well
maintained, but it doesn't have e.g. SERPENT or any of the newer
ciphers around the block.
Worst point for gpg is IMO the passphrase hashing. Even with the
maximum number of iterations it's still pretty fast, so I'm kinda
fearing a brute force attack.

mcrypt seems to be unmaintained...

Anything else that can be suggested?


Thanks,
Chris.
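As an added illustration of the corruption-resilience requirement in the post above (this is example code, not from the original post, dar, gpg or any other tool named): each slice is sealed on its own with AES-256-GCM and bound to its index, so a slice damaged on tape fails authentication and is skipped while the others still decrypt, and a corrupted or swapped slice is never silently accepted. Assumed: the 32-byte key comes from a passphrase KDF such as the Argon2 the post asks for and is fresh per archive (random salt), which is what makes the counter nonce safe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const SliceSize = 16 // tiny for the demo; dar's slices would be far larger

// sliceNonce fixes the GCM nonce to the slice index. A counter nonce is safe
// only because the key is fresh per archive, so (key, nonce) never repeats.
func sliceNonce(i int) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], uint64(i))
	return n
}

// EncryptSlices seals every slice on its own. The nonce is also passed as
// associated data, so a slice cannot be silently moved to another position.
func EncryptSlices(key, plain []byte) (out [][]byte) {
	block, _ := aes.NewCipher(key) // assumed 32-byte key; errors skipped for brevity
	gcm, _ := cipher.NewGCM(block)
	for off := 0; off < len(plain); off += SliceSize {
		end := off + SliceSize
		if end > len(plain) {
			end = len(plain)
		}
		n := sliceNonce(off / SliceSize)
		out = append(out, gcm.Seal(nil, n, plain[off:end], n))
	}
	return out
}

// DecryptSlices skips a slice whose tag fails and reports its index, so a
// damaged tape region costs that slice only, never the rest of the archive.
func DecryptSlices(key []byte, slices [][]byte) (plain []byte, bad []int) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	for i, ct := range slices {
		n := sliceNonce(i)
		if pt, err := gcm.Open(nil, n, ct, n); err != nil {
			bad = append(bad, i)
		} else {
			plain = append(plain, pt...)
		}
	}
	return plain, bad
}
```

Recovering from a slice that is missing entirely (not just corrupted) would additionally need the index stored in each slice header, since here the index is only implied by position.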

