Github repository for FreeNAS scripts, including disk burnin and rsync support

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,266
Finally got the time to get into this.

Thanks for the fix. I didn't test the new script yet because I started to go through your script to understand it and I tried manually to make a tarball, encrypt it and then decrypt it.

Encryption went fine but when I tried to decrypt I got this error:

Code:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
34371117056:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/truenas-releng/freenas/_BE/os/crypto/openssl/crypto/evp/evp_enc.c:583:


... and no decryption. I tried to troubleshoot the command on the GitHub page for decryption but couldn't get it to work.
How did you encrypt the tarball? On FreeBSD 12+, the script should be using this command (line 112 in save_config_enc.sh), which includes the -pbkdf2 and -iter options:
Code:
openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt -S "$(openssl rand -hex 8)" -pass file:"$enc_passphrasefile" -in "$fnconfigtarball" -out "$fnconfigtarballenc" 
 

Jatrabari

Member
Joined
Sep 23, 2017
Messages
98
I used the same command, just inserting the values manually

Code:
openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt -S "$(openssl rand -hex 8)" -pass file:passfile.txt -in test1.tar.gz -out test1.tar.gz.enc
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,266
I used the same command, just inserting the values manually

Code:
openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt -S "$(openssl rand -hex 8)" -pass file:passfile.txt -in test1.tar.gz -out test1.tar.gz.enc
Turns out you have to decrypt with the -pbkdf2 and -iter options if they were used to encrypt the file. I've modified the README file on the GitHub repository to reflect this fact.

So your decryption command needs to be something like this:
Code:
openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -pass file:passfile.txt -in test1.tar.gz.enc -out test1.decrypted.tar.gz
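
Added example, not part of the original thread or the repository's scripts: a round trip that encrypts with the thread's cipher and KDF options, then checks that decryption restores the file only when `-pbkdf2 -iter 128000` are repeated. The function names, file names and passphrase are constructed for illustration, and the explicit `-S` value is omitted so that openssl generates the random salt itself.

```shell
#!/bin/sh
# Added example (not from the thread). Names and sample data are constructed.
ITER=128000   # must be identical at encryption and decryption time

encrypt_file() {            # args: passfile plaintext ciphertext
    openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter "$ITER" -salt \
        -pass file:"$1" -in "$2" -out "$3"
}

# Decrypt with the same KDF options that were used to encrypt.
decrypt_matching() {        # args: passfile ciphertext output
    openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter "$ITER" \
        -pass file:"$1" -in "$2" -out "$3" 2>/dev/null
}

# Decrypt without -pbkdf2/-iter: a different key is derived from the same passphrase.
decrypt_no_kdf_opts() {     # args: passfile ciphertext output
    openssl enc -d -aes-256-cbc -md sha512 \
        -pass file:"$1" -in "$2" -out "$3" 2>/dev/null
}

# True only if the decrypt command exits 0 AND its output equals the original.
restores_original() {       # args: decrypt_function passfile ciphertext original
    out=$(mktemp) || return 2
    "$1" "$2" "$3" "$out" && cmp -s "$out" "$4"
    rc=$?
    rm -f "$out"
    return "$rc"
}

run_demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed-passphrase\n' > "$dir/passfile.txt"
    printf 'constructed sample config data\n' > "$dir/test1.txt"
    encrypt_file "$dir/passfile.txt" "$dir/test1.txt" "$dir/test1.enc" || return 2
    restores_original decrypt_matching "$dir/passfile.txt" "$dir/test1.enc" "$dir/test1.txt" \
        && result="matching=ok" || result="matching=fail"
    restores_original decrypt_no_kdf_opts "$dir/passfile.txt" "$dir/test1.enc" "$dir/test1.txt" \
        && result="$result legacy=ok" || result="$result legacy=fail"
    rm -rf "$dir"
    echo "$result"
}

run_demo
```

Comparing the decrypted output against the original, rather than trusting the exit status alone, is a useful habit for a backup script: it proves the stored passphrase and options can actually restore the config.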
 