[Cryptography] how to encrypt for the very long term?
kentborg at borg.org
Mon Jul 30 17:18:32 EDT 2018
I think you have to ask yourself what failures you are most afraid of.
The two obvious ones:
1) The wrong person gets access to your unencrypted data.
2) The right person cannot get access to your encrypted data.
Which would be worse for your case? #2 might be harder than you think.
Possibly technological change will slow down about now, but I wouldn't
count on it. Which means more than twenty-years is truly a long time. I
would be very worried about software needed to access your data not
existing or not runnable on existing hardware or not still being
compatible with old data formats.
I would also worry about bit-rot in whatever media you use to store your
data. And I would worry about working hardware still existing for your
media, and still supported by existing drivers, to read your physical media.
Obviously I would worry about keeping passphrases secure AND not
forgotten for twenty-years.
Finally, I would worry about the right person knowing how to recover
your encrypted data in twenty-years. Being too obscure might be an
ironic way to lose your data. (How motivated and resourced and
interested in the data is this person in twenty-years?)
I would not be worried that AES-256 is going to be broken.
Superencrypting with some other algorithm wouldn't hurt (providing keys
and passphrases are completely unrelated!), but it might not help.
(Remember, there is no such thing as double-DES. Because it is no
stronger than single-DES!) Superencryption is trickier than you might
guess, and it would certainly make recovery procedures harder.
I would recommend the most standard, and most likely to stay living,
software I could, and that is probably gnupg, running on Linux, using
other standard Linux (nee Unix) tools (split!). Some version of
something Unix-like will still exist in twenty years, and gnupg and
other classic tools will likely run on it. Who cares if gnupg doesn't do
key-extension as well as you want, I don't think you should trust key
extension: I think you need really good passphases, which means lots of
real entropy going into their generation and encoded in a long string
independent of the defensible minimum entropy (remember, an encryption
passphrase is different from a login password--completely different).
Mostly, I would redefine the problem if I could. Why is anyone
interested in this data in twenty-years or more? Why has someone
preserved and kept secure any passphrase for so long?? Presumably
because there is some institutional interest in this data. If so, secure
the data carefully now, but delegate responsibility for maintaining it
to said institutional interest: Copying to new media before the old bits
die or become too obsolete, re-encrypting in new formats before the old
formats die or being too obsolete. Regularly revisit these issues to
make sure they still have access to this important data.
The hardest part of this problem is *not* the encryption itself. (It
mostly never is.) All the surrounding issues are the hard parts.
More information about the cryptography