[kwlug-disc] encrypted files with vim

[Chris Frey]

On Wed, Sep 07, 2022 at 11:17:59AM -0400, Hubert Chathi wrote:
> The common way to counter that is to use a key stretching algorithm[2]

Interesting stuff.


> I don't know if openssl does key stretching, and I find the openssl
> documentation confusing.

Openssl is more of a raw toolkit.  Plenty of rope to shoot your foot off.

The 'openssl enc' command has the -K option which lets you provide the
key directly in hex, so you can use whatever key stretching algorithm
you want before passing into openssl for the encryption part.

As far as I can tell, openssl just uses one of its supported digest
algorithms when working with the key.  On my system, that is:

	blake2b512        blake2s256        gost              md4               
	md5               rmd160            sha1              sha224            
	sha256            sha3-224          sha3-256          sha3-384          
	sha3-512          sha384            sha512            sha512-224        
	sha512-256        shake128          shake256          sm3            

'enc' also gives the -iter argument, which controls how many iterations
to use.  But!  Be aware that you will need to remember this yourself
when decrypting... it is as important as your passphrase. :-)

So in theory you can create your own key stretching using openssl
with sha3-512 or something, with an obscene number of iterations.

Fascinatingly, vim's source code has this for its default blowfish
encryption method:

	/* Process the key 1001 times.
	 * See http://en.wikipedia.org/wiki/Key_strengthening. */
	key = sha256_key(password, salt, salt_len);
	for (i = 0; i < 1000; i++)
		key = sha256_key(key, salt, salt_len);

- Chris