Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Apologies if this has been asked before. I am looking to encrypt documents befor

ID: 654063 • Letter: A

Question

Apologies if this has been asked before.

I am looking to encrypt documents before storing in the cloud.

There will be a separate metadata storage, which could be either internal or cloud hosted.

My strategy would be to generate a new symmetric key for each document (or batch of documents if key generation is expensive), and then to encrypt the key used with another 'global' key (symmetric or asymmetric) and recording this encrypted key within the metadata storage.

The documents are safe so long as the global key is not compromised, but it could make key management easier since changing the global key means reencrypting the key used in metadata only, rather than having to reencrypt the cloud hosted document.

Does this sound a sensible strategy, or is there a better one you could recommend?

Explanation / Answer

First, it's no problem to use a different symmetric key for each document, generation is easy as you just have to generate a 16-64 byte random string, a matter of a millisecond (mostly).

As threats I guess you consider your cloud hoster and anyone who can get their hands on the documents.

The approach you propose should work.
The document needs to be encrypted and authenticated using an AEAD mode like AES-GCM.
You add a header (which may be stored on the metadata storage, no matter where), which is authenticated and encrypted (using an AEAD mode like AES-GCM) using your master-key.

Scenario 1: You do this for personal access. You can store the metadata locally or on the cloud, it won't make a difference.
You should use password-based key derivation to derive the master key from your password. The master-key will be symmetric and be used to encrypt+authenticate/decrypt+verify the file-header.

Scenario 2: You do this for a company, or a larger group of people. You should go with cloud-hosting the meta-data so everyone has access if needed.
You store the header encrypted as described above.
You give everyone a copy of the master-key, so they can encrypt it using their very own password (again using authenticaed encryption + PBKDF)

Related Questions

Aplia: Student Question x -o c courses aplia.com/at ser let/quiz?ctx-sarna-0004&
Question #1208336
Aplia: Student Question x = takeQuiz&quiz-probGuid-QNAPC0A801; 01 0000003b 1 67d
Question #1115297
Aplia: Student Question x CDcourses aplia.com/at servlet/quiz?quiz action-takeQu
Question #1223225
Aplia: Student Question x on: takeQuiz&quiz-probGuid-QNAPC0A80; 101 0000003b 167
Question #1116799
Aplia: Student Question x s://courses.aplia.com/af/servlet/quiz?quiz actiona boo
Question #2615478
Aplia: Student Question xO Aplia ch. 5 Q.6 YouTub x G time horizon and elasticit
Question #1189524
Aplia: Student Question z?quiz action-takeQuiz&quiz; probGuid QNAPCOA80101000000
Question #1115696
Aplia: Student Question- Mozilla Firefox a courses aplia.com/af/servlet/quiz?ctx
Question #1124430
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Apolof1125 adults in a certain contry found that 29% themselves as the followers
Next
Apologize for the bad cropping, please answer the questions pertaining to the gr

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.