I used to use openssl aes-256-cbc, but the problem I have with this is when I try to decrypt in a different version of the distro it fails, as if it depends also on some internal key or something, instead of depending solely on the password. So I have to keep a different encrypted file for each version of the distro, which is annoying and bad.
Any suggestions?
age for such use. https://age-encryption.org – SAI Peregrinus Apr 05 '21 at 13:35
openssl enc with the same arguments (except for -e/-d and excluding -pbkdf2 or -iter in 1.1.1), and assuming no password/phrase character encodes differently, should be compatible across platforms EXCEPT between versions 1.1.0 up and those below, and those can be fixed with -md $hash. For (long) details see (my) https://crypto.stackexchange.com/questions/3298/is-there-a-standard-for-openssl-interoperable-aes-encryption/#35614 . That said, openssl enc is weak, and there are alternatives like gpg. – dave_thompson_085 Apr 06 '21 at 00:42
cryptsetup? this gives you stronger password-based KDFs, (addressing one of @dave_thompson_085's concerns) and relative portability, but with a smaller header as a tradeoff // cryptsetup --type=luks2 --pbkdf=argon2id --pbkdf-memory=1048576 --pbkdf-parallel=4 --pbkdf-force-iterations=8 --hash=sha384 --luks2-metadata-size=16k --luks2-keyslots-size=$((512*1024)) --master-key-file=trial_master_key --uuid=12345678-abcd-1234-abcd-0123456789ab luksFormat /dev/new_luks_partition1 .. I read somewhere that you can also perform cryptsetup on a loopback device. – brynk Apr 08 '21 at 20:48
openssl to produce the output, you might consider using it to secure a random key that you'd used previously to encrypt a file (eg, with 7z) see openssl pkeyutl -derive – brynk Apr 08 '21 at 21:03
python3 installed, which allows for using Pysodium to secure the file/output with crypto boxes – brynk Apr 08 '21 at 21:15
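Added example, not code from the thread: why the version boundary in dave_thompson_085's comment breaks decryption. Without -pbkdf2, openssl enc derives the key and IV with a single pass of EVP_BytesToKey, and the default digest changed from MD5 to SHA-256 in 1.1.0, so the same password and salt give different keys unless -md is set explicitly. The password, salt and sample file below are constructed.

```python
import hashlib

MAGIC = b"Salted__"  # header written by `openssl enc` when a salt is used


def parse_header(blob):
    """Split an `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("no Salted__ header: not a salted openssl enc file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, digest, key_len=32, iv_len=16):
    """Legacy EVP_BytesToKey with one iteration, as used without -pbkdf2."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # Each block hashes the previous block, the password and the salt once.
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def candidate_keys(blob, password, digests=("md5", "sha256")):
    """Derive the AES-256-CBC key/IV that each default digest would produce."""
    salt, _ = parse_header(blob)
    return {d: evp_bytes_to_key(password, salt, d) for d in digests}


# Constructed sample: magic + 8-byte salt + one dummy ciphertext block.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(16)

if __name__ == "__main__":
    # Constructed password; the two lines printed show different keys and IVs.
    for name, (key, iv) in candidate_keys(SAMPLE, b"correct horse").items():
        print(f"-md {name:6}  key={key.hex()}  iv={iv.hex()}")
```

The single hash pass per block is also why a password-derived key from this mode is cheap to guess at, which is what -pbkdf2/-iter in 1.1.1 and the alternatives named in the comments address.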