encfs and OpenSSL encryption not backwards compatible?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
encfs and OpenSSL encryption not backwards compatible?
I use both encfs and openssl for basic file encryption.
Openssl at the moment will only decipher files in the version is was created in, in my case OpenSSL 1.0.2g 1 Mar 2016 vs. OpenSSL 1.1.1f 31 Mar 2020 (in a newer Linux).
I had similar compatibility problems with encfs.
Do others see this as a problem? Is it normal? Do you have a workaround or system set up to account for it?
Openssl at the moment will only decipher files in the version is was created in, in my case OpenSSL 1.0.2g 1 Mar 2016 vs. OpenSSL 1.1.1f 31 Mar 2020 (in a newer Linux).
Sorry but I cannot reproduce this.
I have just tested on 2 machines running very different OS and very different versions of openssl.
I have moved the file encoded on one machine to the other machine, and vice versa.
Read carefully:
Code:
## Debian 9
$> openssl enc -aes-256-cbc -a -pass pass:blabla -out file_debian9.enc
This is just a test
$> openssl enc -aes-256-cbc -a -pass pass:blabla -d -in file_debian9.enc
This is just a test
$> dpkg -l openssl
<snip>
1.1.0l-1~deb9u amd64
<snip>
## Archlinux
$> openssl enc -aes-256-cbc -a -pass pass:blabla -d -in file_debian9.enc
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
This is just a test
$> pacman -Qi openssl
<snip>
1.1.1.l-1
<snip>
## So far, so good. Now, the other way round - still on Arch:
$> openssl enc -aes-256-cbc -a -pass pass:blabla -out file_arch.enc
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
This is just a test
$> openssl enc -aes-256-cbc -a -pass pass:blabla -d -in file_arch.enc
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
This is just a test
## Back to Debian 9
$> openssl enc -aes-256-cbc -a -pass pass:blabla -d -in file_arch.enc
This is just a test
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The workaround is to add the option -md md5 to the new SHA256 version when decrypting old MD5 data.
From man enc
Quote:
-md digest
Use the specified digest to create the key from the passphrase.
I have just tested on 2 machines running very different OS and very different versions of openssl.
I have moved the file encoded on one machine to the other machine, and vice versa.
Test 1:
File file.aes created in 32-bit Ubuntu 14 deciphers in it, as well as 16. Here's 19:
Code:
# openssl enc -aes-128-cbc -d -in file.aes | less
enter aes-128-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
3072698112:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:564:
EU^U<A0><DA>2^F<84>^B<FB><BB>G<E1>[<E5>^]<A2><D8>^?t<C6>Y<E4><8E><FC><B5>e<C5>^E<C8><EB>c<A2>w v+<94><96>0<A9><E2>^V<83>a<AE><8A><B8>
(END)
Curious, I am not trying to verify binary downloads, merely decrypting local files, mostly text.
Addressing the digest makes OpenSSL compatible across versions?
Quote:
Originally Posted by Kenhelm
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The workaround is to add the option -md md5 to the new SHA256 version when decrypting old MD5 data.
Curious, I am not trying to verify binary downloads, merely decrypting local files, mostly text.
Addressing the digest makes OpenSSL compatible across versions?
They just changed some (or just one) defaults. So you need to specify those.
I was actually going to post something very similar to what Kenhelm posted.
Try it out and see.
My command probably did not fail because it specified so much, not relying on defaults.
And yes, I would expect openssh to be fully backwards compatible with itself. Half the internet relies on it, and the other half is malware.
They just changed some (or just one) defaults. So you need to specify those.
I was actually going to post something very similar to what Kenhelm posted.
Try it out and see.
My command probably did not fail because it specified so much, not relying on defaults.
And yes, I would expect openssh to be fully backwards compatible with itself. Half the internet relies on it, and the other half is malware.
I can understand pretty much anything explained without assumptions, but I am not a programmer so everything beyond my use is esoteric to me.
To my experience that OpenSSL encryption is not compatible between versions I think you're stating that there's greater compatibility with digests, but I wouldn't know how to put that to practice.
You got decryption errors in Arch but the text printed.
In my original experience it was all ascii jibberish with no warning text. In my first test there's warning but no deciphered text.
If there are arguments/options to add at en/de-cryption I would use them for version compatibility.
I can understand pretty much anything explained without assumptions, but I am not a programmer
man pages are not written for programmers, they are written for users like you and me. I suggest you do. Half the help you get here on LQ comes from somebody else reading man pages for you.
Quote:
everything beyond my use is esoteric to me.
Quite the statement: "I deliberately choose to stay ignorant about things that do not concern me directly."
Quote:
To my experience that OpenSSL encryption is not compatible between versions I think you're stating that there's greater compatibility with digests
I did not say that at all.
I said a) openSSH is backwards compatible and b) if a default option changed across versions then you need to specify it on the command line to ensure that.
Somebody in this thread already made a web search for you and provided you with a link with many interesting answers & explanations.
I would say: treat this gift with the respect it deserves, and go read it - but alas, you already told us that you prefer ignorance.
Quote:
You got decryption errors in Arch
Wrong again. A warning is not an error.
You should really work on your reading comprehension, it seems half the time you mis-interprete what was written.
Quote:
If there are arguments/options to add at en/de-cryption I would use them for version compatibility.
I don't know you from man-x and what you're writing is really a drag.
It's not about personalized attacks because you're projecting your bad feelings about someone else or you don't like someone because they're not gratifying to you or feeding your insecurities.
If you don't like what I write and ignore it, and I don't care. If you're full of unwarranted criticism, the problem is yours.
Quote:
Originally Posted by ondoho
man pages are not written for programmers, they are written for users like you and me. I suggest you do. Half the help you get here on LQ comes from somebody else reading man pages for you.
Quite the statement: "I deliberately choose to stay ignorant about things that do not concern me directly."
I did not say that at all.
I said a) openSSH is backwards compatible and b) if a default option changed across versions then you need to specify it on the command line to ensure that.
Somebody in this thread already made a web search for you and provided you with a link with many interesting answers & explanations.
I would say: treat this gift with the respect it deserves, and go read it - but alas, you already told us that you prefer ignorance.
Wrong again. A warning is not an error.
You should really work on your reading comprehension, it seems half the time you mis-interprete what was written.
I don't know you from man-x and what you're writing is really a drag.
It's not about personalized attacks because you're projecting your bad feelings about someone else or you don't like someone because they're not gratifying to you or feeding your insecurities.
If you don't like what I write and ignore it, and I don't care. If you're full of unwarranted criticism, the problem is yours.
Don't worry, we already knew that you're that kind of person:
You show disregard to both the products and the concept of opensource in general.
You continuously ignore advice to read documentation and prefer to somehow blame the software instead.
And you show the same disregard and yes entitlement to the help offered here to answer your questions.
But when someone replies in the same manner and calls you out on these things you start shouting abuse.
Your last reply is much closer to a personal attack than any of mine was.
Don't worry, we already knew that you're that kind of person:
You show disregard to both the products and the concept of opensource in general. You continuously ignore advice to read documentation and prefer to somehow blame the software instead. And you show the same disregard and yes entitlement to the help offered here to answer your questions. But when someone replies in the same manner and calls you out on these things you start shouting abuse. Your last reply is much closer to a personal attack than any of mine was.
OP, there is *NOTHING* stopping you from reading the documentation or man pages, especially when you're told that that's all it will take for things to work for you. You don't need to be a 'programmer' or expert to do so. As with others here, I also cannot replicate what you're claiming.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.