
DietPi-Software | GLOBAL_PW: OpenSSL key decrypt deprecated key derivation #2213

Closed
MichaIng opened this issue Nov 1, 2018 · 6 comments

MichaIng (Owner) commented Nov 1, 2018

 DietPi-Update
─────────────────────────────────────────────────────
 Mode: Running incremental patching

[ INFO ] DietPi-Update | Current version : v6.17.9
[ INFO ] DietPi-Update | Latest version  : v6.18.2
[ INFO ] DietPi-Update | Patching 6.17.9 to 6.18.9
[  OK  ] DietPi-Software | Initialized database
[  OK  ] DietPi-Software | Reading database completed
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[ SUB2 ] DietPi-Software > Automated reinstall
root@VM-Buster:~# dietpi-software
[  OK  ] DietPi-Software | Root access verified.
[  OK  ] DietPi-Software | RootFS R/W access verified.

[  OK  ] DietPi-Software | Initialized database
[  OK  ] DietPi-Software | Reading database completed
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[  OK  ] DietPi-Software | Connection test: https://deb.debian.org/debian/

openssl enc -base64 -d -aes-256-cbc -nosalt -pass pass:XXX seems to use some deprecated method. But I don't know enough to solve this. Simply adding/replacing the provided arguments does not work; it leads to an error or bad output. I guess encryption needs to be adjusted as well?

Not urgent, since this shows up on Debian Buster (testing) only, but should be easy to fix, if one knows how to use openssl 😉.

@MichaIng MichaIng added Buster Investigating 🤔 Visual 🌹 Issues affecting only the beauty of menus and output, but not the functionality labels Nov 1, 2018
@MichaIng MichaIng self-assigned this Nov 1, 2018
@MichaIng MichaIng removed the Visual 🌹 Issues affecting only the beauty of menus and output, but not the functionality label Nov 2, 2018
@MichaIng MichaIng changed the title DietPi-Software | Warning after database reading DietPi-Software | GLOBAL_PW: OpenSSL key decrypt deprecated key derivation Nov 2, 2018
Fourdee (Collaborator) commented Nov 5, 2018

openssl/openssl#7231 (comment)

@MichaIng MichaIng added this to the Planned for implementation milestone Feb 27, 2019
sfetome commented Mar 3, 2019

It should warn the user and let the user make the decision.
I can't even decrypt my old data. That is horrible.
Fortunately, I have another box shipped with the old OpenSSL version.

Please help to give the ordinary user, like me, a way to migrate to the new version.

openssl/openssl#7231 (comment)

MichaIng (Owner, Author) commented Mar 3, 2019

@sfetome
Are you sure that your issue is related? Are you on Debian or Raspbian Buster?
cat /etc/debian_version

Also, the issue is currently visual only here, so decrypting still works fine; just the warning is annoying.

EDIT

Ah sorry, I found your post in the OpenSSL-side issue, so I guess you don't use DietPi or even Debian as OS?

MichaIng (Owner, Author) commented Mar 3, 2019

Had another look into this:

  • -iter N invokes -pbkdf2 with a defined number of iterations.
  • -pbkdf2 uses a "default" number of iterations. While I found certain sources stating this is 1000, comparing the encryption times I believe it's 10000.
  • However, as this default might change, we should use -iter N to set a definite iteration count, to assure decryption is still possible even with OpenSSL updates and possibly changing defaults.

The problem is that the above options are not yet available in Stretch (and Jessie). So this has to be implemented for Buster only.

Other things we can do:

  • Use -salt. Not sure why we don't use it currently? Encryption/decryption takes more time, but still just a fraction of a second.
  • Use -in/-out to read/write to the password file, instead of cat/>.

Aside from that, -aes-256-cbc still seems to be the preferred cipher.

Finally:

2019-03-03 17:49:29 root@micha:/tmp# echo 'dietpi' | openssl enc -a -e -out file -aes-256-cbc -iter 10000 -pass pass:test
2019-03-03 17:49:55 root@micha:/tmp# openssl enc -a -d -in file -aes-256-cbc -iter 10000 -pass pass:test
dietpi
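The settings worked out in this comment (explicit -iter, -salt, -in/-out, aes-256-cbc) put together as a round-trip check, with a probe for whether the running openssl accepts -iter at all, since Stretch and Jessie reject it. This is an added example, not DietPi's own code; the file name, passphrase and plaintext are constructed.

```shell
#!/bin/sh
# Added example: encrypt/decrypt with a pinned PBKDF2 iteration count so a
# future change of OpenSSL's default cannot break decryption of stored files.
# Assumes openssl 1.1.1+ (Debian Buster); older releases reject -iter/-pbkdf2.

ITER=10000          # pinned explicitly, never rely on the -pbkdf2 default
CIPHER=aes-256-cbc

# Returns 0 if this openssl understands -iter (implies -pbkdf2), 1 otherwise.
supports_pbkdf2() {
    printf 'x' | openssl enc -e "-$CIPHER" -iter 1 -pass pass:probe >/dev/null 2>&1
}

# encrypt_pw <plaintext> <outfile> <passphrase>
# Writes base64 ciphertext; -salt makes every run produce a different output.
encrypt_pw() {
    printf '%s' "$1" | openssl enc -a -e "-$CIPHER" -salt -iter "$ITER" \
        -pass "pass:$3" -out "$2"
}

# decrypt_pw <infile> <passphrase>: prints plaintext; non-zero exit on failure.
# The same -iter value must be given, otherwise the derived key differs.
decrypt_pw() {
    openssl enc -a -d "-$CIPHER" -iter "$ITER" -pass "pass:$2" -in "$1"
}

# roundtrip: 0 when decrypt(encrypt(x)) == x and a wrong passphrase
# does not yield the plaintext (constructed values below).
roundtrip() {
    tmp=$(mktemp)
    encrypt_pw 'dietpi' "$tmp" 'test' || return 1
    out=$(decrypt_pw "$tmp" 'test') || return 1
    [ "$out" = 'dietpi' ] || return 1
    if decrypt_pw "$tmp" 'wrong' 2>/dev/null | grep -qx 'dietpi'; then
        return 1
    fi
    rm -f "$tmp"
}

# salted_outputs_differ: 0 when two encryptions of the same input under the
# same passphrase differ, which is what -salt buys over the old -nosalt call.
salted_outputs_differ() {
    a=$(printf 'dietpi' | openssl enc -a -e "-$CIPHER" -salt -iter "$ITER" -pass pass:test)
    b=$(printf 'dietpi' | openssl enc -a -e "-$CIPHER" -salt -iter "$ITER" -pass pass:test)
    [ "$a" != "$b" ]
}
```

Note that -pass pass:... exposes the passphrase in the process list for the lifetime of the openssl call; openssl also accepts -pass env:VAR and -pass file:PATH.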

@MichaIng MichaIng modified the milestones: Planned for implementation, v6.22 Mar 9, 2019
MichaIng (Owner, Author) commented Mar 9, 2019

PR merged: #2625

sfetome commented Mar 10, 2019

@MichaIng
Sorry for reporting the issue to the wrong project.
I met the issue after I upgraded my git-windows. I have downgraded it already.
It uses an OpenSSL version of 1.1.?, as far as I remember.
It uses OpenSSL as one default option. I use OpenSSL from git-bash or by running my shell script with bash.exe, say bash password_decrypt.sh.
