Brain Phrye

Openssl Annoyances

OpenSSL 1.1.0 introduced an incompatible change to how `openssl enc` handles password-based symmetric encryption. I use it for some code repos to store secrets in lieu of other options. It works just fine for a single developer, but obviously doesn’t work very well beyond that.

Recently those projects started breaking and I wasn’t sure why. The commands I used to encrypt and decrypt were, respectively, as follows:

```sh
openssl enc -aes-256-cbc -pass "pass:$SECRET" \
            -in .secrets.tar -out .secrets
openssl enc -d -a -aes-256-cbc -pass pass:$SECRET \
            -in .secrets -out .secrets.tar
```

The error message I got on decrypt was as follows:

```text
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140437176114024:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:570:
```

Hunting around I learned that OpenSSL 1.1.0 changed the message digest used to derive the key from the password from md5 to sha256, so the same password now produces a different key and the old files no longer decrypt. To get past the error I only needed to add `-md md5` to the decrypt command (the first command below); going forward I could also pass `-md md5` when encrypting to override the new default and keep using md5:

```sh
openssl enc -d -a -aes-256-cbc -pass pass:$SECRET \
            -in .secrets -out .secrets.tar -md md5
openssl enc -aes-256-cbc -pass "pass:$SECRET" \
            -in .secrets.tar -out .secrets \
            -a -md md5
```
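To make the failure concrete, here is an added example (not code from the original post) that reimplements, in pure Python with only the standard library, the key derivation `openssl enc` uses for `-pass pass:...`: the legacy EVP_BytesToKey construction with a single hash iteration, and the `-pbkdf2` alternative the warning recommends. It also parses the `Salted__` header that `openssl enc` writes in front of the ciphertext. The password, salt and ciphertext bytes are constructed sample values, and the helper names are my own. Running it shows that md5 and sha256 produce entirely different key/IV pairs from the same password and salt, which is why decryption ends in a padding error ("bad decrypt") rather than a clear "wrong digest" message.

```python
import hashlib
from typing import Tuple

# Sizes for aes-256-cbc, the cipher used in the post.
AES256_KEY_LEN = 32
AES_BLOCK_LEN = 16
# `openssl enc` (with the default -salt) writes this magic followed by an 8-byte salt.
SALT_MAGIC = b"Salted__"
# Default iteration count `openssl enc -pbkdf2` uses when -iter is not given.
OPENSSL_DEFAULT_PBKDF2_ITER = 10000


def evp_bytes_to_key(password: bytes, salt: bytes, digest: str,
                     key_len: int = AES256_KEY_LEN,
                     iv_len: int = AES_BLOCK_LEN) -> Tuple[bytes, bytes]:
    """Legacy derivation used by `openssl enc` without -pbkdf2 (EVP_BytesToKey, count=1).

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    the D_i are concatenated until key_len + iv_len bytes are available.
    With md5 (16-byte digest) that takes 3 rounds for aes-256-cbc, with
    sha256 (32-byte digest) 2 rounds, and the resulting bytes are unrelated.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def pbkdf2_key(password: bytes, salt: bytes, digest: str = "sha256",
               iterations: int = OPENSSL_DEFAULT_PBKDF2_ITER,
               key_len: int = AES256_KEY_LEN,
               iv_len: int = AES_BLOCK_LEN) -> Tuple[bytes, bytes]:
    """Derivation used by `openssl enc -pbkdf2`: PBKDF2-HMAC over the same salt,
    producing key || iv in one call."""
    out = hashlib.pbkdf2_hmac(digest, password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]


def is_salted_stream(blob: bytes) -> bool:
    """True if the (base64-decoded) `openssl enc` output carries a Salted__ header."""
    return len(blob) >= 16 and blob[:8] == SALT_MAGIC


def parse_salted_header(blob: bytes) -> Tuple[bytes, bytes]:
    """Split `openssl enc` output into (salt, ciphertext)."""
    if not is_salted_stream(blob):
        raise ValueError("not a salted openssl enc stream")
    return blob[8:16], blob[16:]


def digest_changes_key(password: bytes, salt: bytes) -> bool:
    """True when md5- and sha256-based derivation disagree for this password and salt.

    This is the whole cause of the 'bad decrypt' in the post: OpenSSL 1.1.0 flipped
    the default digest, so the decrypt side derived a different key than the encrypt
    side and CBC padding verification failed.
    """
    return evp_bytes_to_key(password, salt, "md5") != evp_bytes_to_key(password, salt, "sha256")


# Constructed sample: a header exactly as `openssl enc -salt` would write it,
# followed by two blocks of placeholder ciphertext.
SAMPLE_SALT = bytes(range(8))
SAMPLE_BLOB = SALT_MAGIC + SAMPLE_SALT + b"\xaa" * 32
SAMPLE_PASSWORD = b"correct horse battery staple"


if __name__ == "__main__":
    salt, ciphertext = parse_salted_header(SAMPLE_BLOB)
    for name in ("md5", "sha256"):
        key, iv = evp_bytes_to_key(SAMPLE_PASSWORD, salt, name)
        print(f"{name:7s} key={key.hex()} iv={iv.hex()}")
    key, iv = pbkdf2_key(SAMPLE_PASSWORD, salt)
    print(f"pbkdf2  key={key.hex()} iv={iv.hex()}")
    print("digest change alters key:", digest_changes_key(SAMPLE_PASSWORD, salt))
```

The practical takeaway is the one the OpenSSL warning gives: pass `-pbkdf2` (and optionally `-iter`) on both sides so the derivation is explicit and no longer tied to a digest default that may move under you.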

However, I figured the default was changed for a reason. So I recreated all the encrypted certs and then encrypted / decrypted like so:

```sh
# base64 the output (-a) so it matches the -a on the decrypt side
openssl enc -a -aes-256-cbc -pass "pass:$SECRET" \
            -in .secrets.tar -out .secrets
openssl enc -d -a -aes-256-cbc -pass pass:$SECRET \
            -in .secrets -out .secrets.tar
```

I deliberately didn’t pin the digest, so that if the defaults change again the decrypt will fail again and I’ll notice. I don’t obsessively keep up with the latest advice on encryption algorithms, so I’m inclined to lean on the experience of those who are far more informed.

It is interesting that the OpenSSL release notes say 1.1.0 was released all the way back in 2016 and it only percolated down to the Alpine distro this year, or at least to the version of Alpine used by the Docker container.