I was thinking of implementing the following scheme for encryption of many independent files:
- From the password, which is given by the user, generate a master key using for example
- From this master key, a subkey is derived for each file. Combined with a random and unique token which is stored alongside the file, HKDF-expand might be used for this, where the info is the random token.
- Each file is combined with a random IV and is encrypted using AES using the derived subkey.
My idea behind this is that even if an attacker were to break the encryption (i.e. somehow found the key) for a single file, all other files would still be secure because they were all encrypted using a different subkey. Does this make sense or is it easier to “reverse-engineer” the master key from a subkey if one is found?
(As a side question, is it OK to use such a random token for HKDF-expand? Does it provide better security than a non-pseudorandom string such as the file name or an increasing counter?)
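The key hierarchy sketched in the question, as an added example in Python (this is not the asker's code). It uses only the standard library: the password-to-master-key step is an assumption, since the question does not name its KDF, and PBKDF2-HMAC-SHA256 with an illustrative iteration count stands in for it; HKDF-extract/expand are written out per RFC 5869 with HMAC-SHA256 so the step can be inspected, and the per-file subkey is HKDF-expand with the random token as info. The function names, the `b"file-key"` label prefix and the token length are all choices made here, not anything from the question. The AES encryption of each file is not shown; it would use the returned subkey with a library AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def master_key_from_password(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Assumed step: the question leaves the password KDF unnamed, PBKDF2-HMAC-SHA256 is used here.
    The salt is per user/vault and stored alongside the encrypted files; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def new_file_token() -> bytes:
    """Random, unique per-file token that is stored next to the file (16 bytes chosen here)."""
    return os.urandom(16)


def file_subkey(master_key: bytes, token: bytes, length: int = 32) -> bytes:
    """Per-file AES key: HKDF-Expand(master_key, info = label || token).
    The master key plays the role of the PRK; the label separates this use from any other
    expansion of the same master key. Going from a subkey back to the master key would
    require inverting HMAC-SHA256, which is exactly what the construction relies on."""
    return hkdf_expand(master_key, b"file-key" + token, length)


# --- RFC 5869 test case 1 (constructed from the RFC, used to check the HKDF code) ---
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    ),
}


def hkdf_self_check() -> bool:
    """Return True when extract/expand reproduce the RFC 5869 test vector."""
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"])
    return prk == tc["prk"] and hkdf_expand(prk, tc["info"], tc["length"]) == tc["okm"]


if __name__ == "__main__":
    # Constructed demo: one password, two files, two tokens, two different subkeys.
    vault_salt = os.urandom(16)
    mk = master_key_from_password(b"correct horse battery staple", vault_salt, iterations=10_000)
    t1, t2 = new_file_token(), new_file_token()
    k1, k2 = file_subkey(mk, t1), file_subkey(mk, t2)
    print("HKDF self-check:", hkdf_self_check())
    print("subkeys differ:", k1 != k2, "| subkey reproducible:", k1 == file_subkey(mk, t1))
```

Run stand-alone it prints whether the HKDF implementation matches the RFC vector and that two tokens yield two distinct, reproducible subkeys; the token (and the vault salt) must be stored with the ciphertext, since without them the subkey cannot be re-derived.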