I need to encrypt daily backups, then upload them to untrusted cloud storage (S3, Dropbox, etc.).
I received help on security.se and crypto.se to formulate this approach:
- tar and xz the backup file
- create random 32 byte (symmetric) "session" key (`head -c 32 /dev/urandom`)
- encrypt backups using session key
- encrypt session key using my "master" (asymmetric) keypair's public key
- upload encrypted backup file and encrypted session key
Result:
- Every backup has unique symmetric session key
- Only my master keypair's private key can decrypt session keys
- My private key is stored locally only
- Encryption process is completely automated; no passphrases required
However, then I tried to implement this with `gpg` and stumbled over some items.
Once I generate a session key, how do I use it? I thought it was supposed to be the passphrase in `gpg --symmetric --passphrase $SESSION_KEY ...`, but apparently that's not how it's done.
I did more digging and discovered that gpg does almost everything symmetrically, and that a session key is already generated and included in each encrypted file automatically (in the header). So most of the above is done automatically for me.
So, how do I use the session key (if at all)? I understand the theory, but not how to implement it with `gpg`.
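The steps listed in the question, as an added example that is not part of the original post: in public-key mode (`gpg --encrypt --recipient`) gpg generates the random per-file session key and wraps it with the recipient's public key itself, so no separate key file or passphrase is handled by the script. The function names and the recipient address are hypothetical, and GnuPG 2.1 or later with `tar` and `xz` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): daily backup encrypted with gpg.
set -eu
# Fail the pipeline if tar fails, where the shell supports pipefail.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# encrypt_backup SRC_DIR RECIPIENT OUT_FILE
# tar + xz the directory and stream it into gpg. gpg creates a fresh random
# session key, encrypts the data with it, and stores the session key in the
# output file encrypted to RECIPIENT's public key. Only the public key is
# needed on the machine that runs this step.
encrypt_backup() {
    tar -cJf - -C "$1" . |
        gpg --batch --yes --quiet --encrypt --recipient "$2" --output "$3"
}

# restore_backup IN_FILE DEST_DIR
# Needs the private key: gpg unwraps the session key, then decrypts the data.
restore_backup() {
    mkdir -p "$2"
    gpg --batch --quiet --decrypt "$1" | tar -xJf - -C "$2"
}

# session_key_of IN_FILE
# Prints the session key stored in the file (needs the private key).
# For inspection only: anyone holding this value can decrypt that one file.
session_key_of() {
    LC_ALL=C gpg --batch --show-session-key --decrypt "$1" 2>&1 >/dev/null |
        sed -n "s/^gpg: session key: '\(.*\)'\$/\1/p"
}

# make_throwaway_key USER_ID
# Demo helper: unprotected key pair in the current GNUPGHOME, for testing the
# functions above. A real master key is generated once and kept offline.
make_throwaway_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never
}

# Usage (constructed values):
#   encrypt_backup /var/backups/today backup@example.invalid today.tar.xz.gpg
#   restore_backup today.tar.xz.gpg /tmp/restore
```

Encrypting the same directory twice yields two files with different session keys, which `session_key_of` makes visible.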