Encrypting With Passwords - Encryption of Key vs. Data

The main advantage of using an intermediate key is that it allows changing your password without reprocessing all the data.

E.g. you have a big file (gigabytes...) encrypted with random key K (a 128-bit value), and K is itself encrypted with P (the key derived from the password). If you change your password, you get a new password-derived key P'. To adjust things, you must then decrypt K with P and reencrypt it with P'. This does not require reencrypting or even accessing the big file.

Apart from that advantage, using an intermediate key decouples the operation, which is more flexible. For instance, the process used to turn the password into a symmetric key might not be up to the task of producing a key of the length you want for bulk encryption (for instance, bcrypt will produce a 192-bit key, not a 256-bit key).

Another advantage of the intermediate key is that it allows revealing files. For instance, you have your big file, and you want to show it to Bob. But you do not want to give your password to Bob; you want Bob to be able to see that single file, not all other files which are morally encrypted with the same password. With the intermediate key, this is easy: you just show K to Bob. As long as each file has its own random K, this works.

Note that the model extends to asymmetric encryption: a file sent to n recipients will be encrypted once with a random key K, and K will be encrypted with the public keys of each recipient. This is how things work in OpenPGP. The corresponding advantages map to the password-based situation as well.

It allows the user to change the password without having to encrypt again all the data.

If you used the password directly to encrypt the data, then a password change would potentially take a very long time, because the whole data would need to be deciphered using the old password and ciphered again using the new one. And what if this process is interrupted in the middle, with half of the data encrypted with the new password while the other half is still encrypted with the old one?

Thanks to the system you describe, when the user wants to change his password, all that is needed is to encrypt the data key with the new password. Just quick, simple and reliable.
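The scheme both answers describe (a random data key K wrapped under a password-derived key P, a password change that rewraps K without touching the bulk ciphertext, and sharing one file by handing out K alone), as an added example that is not code from either answer. It uses only the Python standard library: PBKDF2 stands in for a memory-hard KDF, and an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC stands in for a real AEAD such as AES-GCM. All function names, the vault layout and the sample file contents are constructed for this example.

```python
"""Password -> wrapped random data key K -> bulk data (stdlib only)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32     # 256-bit keys
NONCE_LEN = 16
TAG_LEN = 32     # HMAC-SHA256 output length


def derive_password_key(password: bytes, salt: bytes) -> bytes:
    """P = KDF(password, salt). PBKDF2 is used because hashlib always has it;
    a memory-hard KDF (scrypt/Argon2) is the better choice in real systems."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=KEY_LEN)


def _subkeys(key: bytes):
    # Separate keystream and MAC keys derived from one input key (domain separation)
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR: PRF(nonce || counter)
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; ValueError on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def create_vault(password: bytes, data: bytes) -> dict:
    """Fresh random K per file; K wrapped under P; the data encrypted under K."""
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(KEY_LEN)
    password_key = derive_password_key(password, salt)
    return {
        "salt": salt,
        "wrapped_key": encrypt(password_key, data_key),
        "ciphertext": encrypt(data_key, data),
    }


def unwrap_key(vault: dict, password: bytes) -> bytes:
    """Recover K from the small header. This is also the value you hand to Bob
    to reveal this one file without revealing the password."""
    password_key = derive_password_key(password, vault["salt"])
    return decrypt(password_key, vault["wrapped_key"])


def read_vault(vault: dict, password: bytes) -> bytes:
    return decrypt(unwrap_key(vault, password), vault["ciphertext"])


def change_password(vault: dict, old_password: bytes, new_password: bytes) -> dict:
    """Rewrap K under P' from the new password; the bulk ciphertext is reused as-is."""
    data_key = unwrap_key(vault, old_password)
    new_salt = secrets.token_bytes(16)
    new_password_key = derive_password_key(new_password, new_salt)
    return {
        "salt": new_salt,
        "wrapped_key": encrypt(new_password_key, data_key),
        "ciphertext": vault["ciphertext"],  # same object, no re-encryption of the data
    }


if __name__ == "__main__":
    big_file = secrets.token_bytes(100_000)  # constructed stand-in for the "big file"
    v = create_vault(b"correct horse", big_file)
    v2 = change_password(v, b"correct horse", b"battery staple")
    assert read_vault(v2, b"battery staple") == big_file
    assert v2["ciphertext"] is v["ciphertext"]
    bob_key = unwrap_key(v2, b"battery staple")   # share K, not the password
    assert decrypt(bob_key, v2["ciphertext"]) == big_file
    print("password rotated without touching the bulk ciphertext; Bob decrypts with K alone")
```

The header (salt plus wrapped K) is all that changes on a password rotation, so the operation is small and can be made atomic by writing the new header to a temporary location and renaming it into place, which addresses the interrupted-rotation concern raised in the second answer. Because the wrapped key is authenticated, a wrong password fails at the unwrap step before any bulk data is processed.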