1. Select file.

2. Generate random AES-256 key.

3. Encrypt file using AES-GCM.

4. Encrypt AES key with receiver’s RSA public key.

5. Create SHA-256 hash of plaintext.

6. Sign hash using sender’s RSA private key.

7. Package together:

  - RSA-encrypted AES key

  - AES nonce + ciphertext + tag

  - Digital signature

  - File extension

8. Send the .enc file.

1. Open the .enc file.

2. Extract encrypted AES key, nonce, ciphertext, tag, signature, extension.

3. Decrypt AES key using RSA private key.

4. Decrypt file using AES-GCM → get plaintext.

5. Compute SHA-256 hash of plaintext.

6. Verify signature using sender’s RSA public key.

7. If signature is valid → file is authentic and unchanged.

8. Save the decrypted file with original extension.