I have written the following python script to derive a key from password using hashlib.scrypt and then passing the hexadecimal encoded key to gpg, please tell me whether this is a secure approach. This is for my personal backups and I am trying to put together something that is simple, reliable and does not require too much custom development.
Using scrypt because gpg uses s2k with SHA512 which, to the best of my knowledge, is just a hashing algorithm and not a KDF (enlighten me if I am missing something here).
def encryptFile(tarFile):
N = 2**16
R = 8
P = 2
mem = N * P * R * 65
salt = "some random hardcoded salt"
passPhrase = "user provided password"
key = scrypt(password=passPhrase, salt=salt, n=N, r=R, p=P, maxmem=mem).hex()
subprocess.run(
[
"gpg",
"--no-symkey-cache",
"--verbose",
"-o",
gpg_output_file,
"--s2k-mode",
"0", # using hexadecimal key derived from password using scrypt
"--symmetric",
"--s2k-cipher-algo",
"AES256",
"--pinentry-mode",
"loopback",
"--passphrase",
key,
tarFile,
]
)
You need to sign in to view this answers
Leave feedback about this