Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSSL encryptor: deprecated key derivation used #949

Open
jspeedz opened this issue Sep 5, 2019 · 1 comment
Open

OpenSSL encryptor: deprecated key derivation used #949

jspeedz opened this issue Sep 5, 2019 · 1 comment
Labels
good first issue Someone take a look at this!

Comments

@jspeedz
Copy link

@jspeedz jspeedz commented Sep 5, 2019

What went wrong?

I'm getting deprecation warnings with openSSL encryption.

[2019/09/05 08:38:52][info] Using Encryptor::OpenSSL to encrypt the archive.
[2019/09/05 08:40:22][warn] Pipeline STDERR Messages:
[2019/09/05 08:40:22][warn] (Note: may be interleaved if multiple commands returned error messages)
[2019/09/05 08:40:22][warn]
[2019/09/05 08:40:22][warn] *** WARNING : deprecated key derivation used.
[2019/09/05 08:40:22][warn] Using -iter or -pbkdf2 would be better.

What steps did you follow?

  1. backup perform --trigger config
  2. Check the log output

How is your copy of backup configured?

Use config encryption step:

encrypt_with OpenSSL do |encryption|
encryption.password = 'Some password'
encryption.base64 = true
encryption.salt = true
end

Tell us about the computer that runs the backup gem

  • Operating system: Ubuntu 18.04.2 LTS
  • Backup 4.4.1
  • openssl version OpenSSL 1.1.1 11 Sep 2018
@elthariel elthariel added Someone take a look at this! good first issue labels Dec 9, 2019
@jenrzzz
Copy link

@jenrzzz jenrzzz commented Feb 21, 2020

This can be fixed with a monkeypatch in config.rb.

module OpenSSLFixDeprecatedKeyDerivation
  def options
    super + ' -pbkdf2'
  end
end

require 'backup/encryptor/open_ssl'
Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)

OpenSSL 1.1.1+ or LibreSSL 2.9.1+ will be required to decrypt, and you'll need to pass -pbkdf2:

openssl aes-256-cbc -d -md sha256 -pbkdf2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Someone take a look at this!
Projects
None yet
Development

No branches or pull requests

3 participants