1) Select file to send

2) Generate AES key (random)

3) Encrypt file with AES-GCM

4) Encrypt AES key with recipient's RSA pub

5) Generate SHA-256 hash of plaintext

6) Sign hash with sender's RSA priv key

7) Pack: RSA-encrypted AES key + nonce + ciphertext + signature + extension

Send .enc file

1) Read encrypted file

2) Extract RSA-encrypted AES key, nonce, ciphertext, signature

3) Decrypt AES key with recipient's RSA priv key

4) Decrypt ciphertext using AES-GCM

5) Compute SHA-256 hash of decrypted plaintext

6) Verify signature with sender's RSA pub key

7) If signature valid -> plaintext is authentic & intact

8) Save decrypted file