[Canada]

TLS and AES-CBC aren't comparable.

AES-CBC is just a block cipher mode of operation. TLS is a protocol that takes care of negotiating algorithms for key exchange, bulk encryption (which may be a block cipher using some mode), authentication, etc. All of these things combined is the "suite" of ciphers. Implementations provide decent tooling for managing keys and preferences.

Like TLS, GPG uses a suite of ciphers to do its job and provides tools to manage it without getting caught up in extremely low level details. Like TLS, the default suite of algorithms it prefers change with the times, but from a user perspective it stays the same.

[scottpiper]

I'm the author of the blog post in question (and have no idea why HN won't let me reply to the original post). For some clarity here, the "untrusted" third party is Google, whom I don't want to read my data, but I trust that they will not modify my backups. However, in the article I do gzip the files before encrypting them, and gzip has a CRC-32 check, so if the files were modified, then after decryption when you attempted to gunzip them, it would error.

I used openssl because I find GPG on servers is awkward to use.

The full article is more clear that I have only one private key, and for all the nightly backups I'm generating AES keys and encrypting them with the public key.

[Canada]

I don't know why HN disallows reply in certain circumstances. If you replied to the original post I never would have seen your reply.

If you don't care if the third party can modify your data, then OK. If you did care though, does this checksum stop "tar xvzf foo.tgz" from writing modified data immediately? Or does it just tell you at the end?

[scottpiper]

Probably just at the end. My goal is disaster recovery (AWS disappears as a service to the world because an Amazon employee accidentally `rm -rf` everything, or my own admin `rm -rf`'s my account on accident) so for those situations, I'm going to need to extract out the data somewhere and then rebuild, so checking at the end of the extraction and unzip is fine for my needs.

[bwackwat]

Ok so I guess the resulting lesson from Canada for me is that having a HASH or MAC for encrypted files is the most critical part of any secure system OP is interested in.

Furthermore, Canada, what about privately managed machines communicating via TCP and AES 256 CBC symmetrically encrypted messages? I also use a random salt and a transaction number.

Until now, I was thinking that successfully decrypted data would be safe. Is the case for TCP encrypted data the same? I need to have a MAC for each message and verify that between ACK's or something?

EDIT: Did some research: https://en.wikipedia.org/wiki/Authenticated_encryption

It looks like incorporating a MAC within or alongside the encrypted data is not as insecure or as complex as I was afraid.

Can both my TCP encryption and OP's file encryption problem by solved by just appending a HASH of the encrypted data to the end of the encrypted data (EtM), or appending a HASH of the plaintext data to the end of the plaintext data and then encrypting that (MtE)?

[Canada]

I think EtM is better than the alternatives. As for the rest of it, you need to explicitly describe your protocol and what security you think it guarantees. Then you should ask for review wherever you can. Same for your implementation.