How to encrypt critical data with multiple keys

PGP allows you to encrypt data using multiple keys, but any key there will be able to decrypt the data. What if you want to encrypt your data so that ALL keys are required to decrypt the data? For this you can chain encryption. Here is an example on how to chain three AES256 keys.

  1. First take care of the OpSec - turn the swap off.

sudo swapoff -va

  1. Note the dev it turned off so you can turn it back on later.
  2. Now create a ramdisk

sudo mount -t tmpfs -o size=128m tmpfs /media/Temp/

  1. Move the unencrypted data to the ramdisk and zip it.

zip data/

  1. Now, create the keys and encrypt the data

    cp data.enc0 for i in {1..3}; do openssl rand 8 > salt-$i openssl rand 32 > key-$i openssl rand 16 > iv-$i openssl enc -aes-256-cbc -K $(hexdump -v -e ‘/1 “%02X”’ < key-$i) -S $(hexdump -v -e ‘/1 “%02X”’ < salt-$i) -iv $(hexdump -v -e ‘/1 “%02X”’ < iv-$i) -in data.enc$((i-1)) -out data.enc$i done

  2. Test by decrypting and checking that enc0 matches the original

    rm data.enc0 data.enc1 data.enc2 for i in {3..1}; do openssl enc -d -aes-256-cbc -K $(hexdump -v -e ‘/1 “%02X”’ < key-$i) -S $(hexdump -v -e ‘/1 “%02X”’ < salt-$i) -iv $(hexdump -v -e ‘/1 “%02X”’ < iv-$i) -in data.enc$i -out data.enc$((i-1)) done sha256sum data.enc0

  3. Document and print instructions

    for i in {3..1}; do echo -e “This data is encrypted with three AES 256 keys. To decrypt use key3 first, then key2 and key1. \nBelow is key$i\Use the following command to decrypt the data:\n\n” > instructions-$i echo openssl enc -d -aes-256-cbc -K $(hexdump -v -e ‘/1 “%02X”’ < key-$i) -S $(hexdump -v -e ‘/1 “%02X”’ < salt-$i) -iv $(hexdump -v -e ‘/1 “%02X”’ < iv-$i) -in data.enc$i -out data.enc$((i-1)) » instructions-$i echo -e “\nThe resulting file is data.enc0 which will contain fully unencrypted archive file.” » instructions-$i echo -e “\nSHA256 checksum sum for your encrypted file data.enc$i is $(sha256sum data.enc$i | awk ‘{print $1}’ )” » instructions-$i done

  4. Print the instructions. Avoid printing to a remote printer or using lpr as you may have the keys stored in logs or in a printer’s spool.

    for i in {1..3} do cat instructions-$i | fold -w 80 | unix2dos | sudo tee /dev/usb/lp1 done

  5. Save the generated data files and then do the cleanup

    rm data.enc0 rm salt-1 key-1 iv-1 data.enc1 rm salt-2 key-2 iv-2 data.enc2 rm salt-3 key-3 iv-3 sudo umount /media/Temp

  6. Turn the swap back on

swapon <dev> Check that it’s on by running free

  1. Turn off your machine an let the DRAM degrade over several hours, so there is no latent data
Based off the Stack theme.