File security when encrypting files directly with the openssl command / and what about SHA1 hashing password first?
See the end of this answer: what OpenSSL does to convert the passphrase into an encryption key and IV is weak, because it is just a couple invocations of MD5, which is not slow enough. There is no way to simply change that within OpenSSL (no appropriate command-line option, this is hardcoded).
Pre-hashing you passphrase would not change things much. Doing a lot of nested hashing would enhance things a bit, but not to ideal levels since the salt would not be taken into account until the very last steps (a lot of shareable precomputations would still be doable by the attacker). Password hashing, with configurable slowness and salts, is not something which tolerates improvisation. At that point, it is much safer and simpler to ditch OpenSSL altogether, and use a better tool. I suggest GnuPG: the command-line tool, with its -c
flag, does password-based symmetric encryption, and does it much better than openssl enc
.
The security of that command is directly relqted to how secure the password you pick is. As of right now aes-256-cbc isnt breakable so you can rely on some only being able to get the data from it by knowing the password.
Hashing the password will make very little difference. password hashes are used to hide the password so that even if someone got the stored password, they still wouldnt know the users password. This is completely irrelevant to encrypted files. The only benefit would be that that they will make your passphrase 40 characters long, however it would only be alpha characters of one casing and numbers. If anyone knew that it would reduce the time to crack it by a very significant amount. The benefit of using a kdf like pbkdf2 is so that it takes longer to bruteforce matching a password to a hash. So even if it was useful to use a hash at some point it would be easier to just bruteforce every possible hash instead of computing the hash. The better method is to just pick a password that would take a long time to crack.
What you should do is use zxcvbn to pick a good password and use that. Currently the worlds fastest password cracking computer can do 350 billion passwords a second, so having a 20+ character passphrase plus using zxcvbn to ensure it cant be cracked with something like a dictionary attack will ensure that your file wont be able to be cracked within the next millennia even if they have a thousand of these computers.