Openssl passin throws "Bad password read"

Time:04-26

Trying to encrypt a file and make it executable using openssl. I found an interesting link that suited my problem, with one issue: I had to pass the password used for encryption in the openssl command, which is resulting in an error.

Create/write your script (script-base.sh):

#!/bin/sh 
echo "Hello World" 

Encrypt your script (give a password; foobar is my password):

openssl enc -e -aes-256-cbc -a -in script-base.sh > script-enc 

Write the wrapper (script-final.sh):

#!/bin/sh 
openssl enc -d -aes-256-cbc -a -in script-enc | sh -passin pass:foobar

Running "script-final.sh", I see the following error in the console:

enter aes-256-cbc decryption password: bad password read

Though the following code works, it's deprecated:

openssl enc -d -aes-256-cbc -a -in script-enc -k foobar | sh -

When used, the following error is thrown:

*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. bad decrypt

CodePudding user response:

... works but [] deprecated: openssl enc -d -aes-256-cbc -a -in script-enc -k foobar | sh -

In that case you give -k foobar as an option to the openssl enc -d command, so it is used as the password to decrypt, which succeeds since you did in fact encrypt using foobar as the password (and the same cipher and default KDF). See below about deprecation.

openssl enc -d -aes-256-cbc -a -in script-enc | sh -passin pass:foobar [gives]
enter aes-256-cbc decryption password: bad password read

Here you didn't give -passin pass:foobar as an option to openssl, you gave it as an option to the shell that is the second component of the pipeline. Since you didn't give the password as an argument to openssl and it is needed, openssl prompted you to input it, but you didn't give valid input (perhaps entering control-D or similar) so it failed. If you did instead

openssl enc -d -aes-256-cbc -a -in script-enc -passin pass:foobar | sh 

it would work exactly the same as the -k version, except for taking more space in your script.

It is indeed true that the key-derivation long used (and still default) by openssl enc is very poor and weak and has been widely criticized for decades; OpenSSL 1.1.1 (released 2018, after the date of the answer you link to) and up finally offers a better method with -pbkdf2 and warns about using the old one. However, you should pay attention to this warning on the encrypt side rather than decrypt; once you've encrypted with the poor method, you must use it to decrypt (and suffer the warning). Also note, as I commented at that link, OpenSSL 1.1.x (and 3.0) are incompatible with earlier versions, so if any system(s) you or anyone (like your users if any) want this to work on are running older software it will fail.

Alternatively, consider using something that was properly designed in the first place, such as GPG, which was recommended in the answer by Gilles on that same question (well over a year earlier). GPG, depending on the version, does make it less convenient to provide the password on the command line, because that usually allows it to be compromised; but in your case you are already compromising it yourself, so GPG's attempt to give you security is wasted.
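As an added example (not code from the original question or answer): the same encrypt-and-wrap flow rewritten so that the passphrase is an option to openssl, the first stage of the pipeline, and sh only ever sees the decrypted plaintext on stdin. Note that openssl enc takes its passphrase through -pass (or -k/-kfile); the example uses -pass pass:... with the question's password foobar. It also opts into PBKDF2 on the encrypt side, which is where the deprecation warning has to be acted on, and shows what happens when the decrypt side does not repeat the same KDF settings. The file names, the password, the temp directory and the iteration count are assumptions made for the demo; OpenSSL 1.1.1 or later is required for -pbkdf2.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the question's
# setup with constructed file names and the password "foobar", and hands the
# password to openssl instead of to sh. Requires OpenSSL >= 1.1.1 (-pbkdf2).
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

PASSWORD='foobar'          # constructed for the demo; do not hardcode real secrets
ITER=100000                # PBKDF2 iteration count; must be identical on both sides
WORKDIR="$(mktemp -d)"     # scratch directory (assumption: mktemp -d is available)
trap 'rm -rf "$WORKDIR"' EXIT

# The script to protect (constructed sample, same content as the question's).
cat > "$WORKDIR/script-base.sh" <<'EOF'
#!/bin/sh
echo "Hello World"
EOF

# Encrypt side. This is where the "deprecated key derivation" warning has to be
# dealt with: -pbkdf2/-iter select the stronger KDF. The iteration count is not
# stored in the output, so the decrypt side has to pass the same value.
encrypt_script() {
    openssl enc -e -aes-256-cbc -a -pbkdf2 -iter "$ITER" \
        -pass "pass:$PASSWORD" -in "$1" -out "$2"
}

# Wrapper. -pass is an option to openssl (first pipeline stage); sh receives
# only the decrypted plaintext on stdin and runs it. Prints the script's output.
run_encrypted_script() {
    openssl enc -d -aes-256-cbc -a -pbkdf2 -iter "$ITER" \
        -pass "pass:$PASSWORD" -in "$1" | sh
}

# Failure mode. Decrypting with the legacy KDF (no -pbkdf2) derives a different
# key from the same password, so openssl reports "bad decrypt" and whatever it
# emits is not the plaintext; only the exact flags used for encryption work.
decrypt_with_legacy_kdf() {
    openssl enc -d -aes-256-cbc -a -pass "pass:$PASSWORD" -in "$1"
}

encrypt_script "$WORKDIR/script-base.sh" "$WORKDIR/script-enc"
run_encrypted_script "$WORKDIR/script-enc"          # prints: Hello World
decrypt_with_legacy_kdf "$WORKDIR/script-enc" >/dev/null \
    || echo "legacy-KDF decrypt of a PBKDF2 file failed, as expected"
```

A pass:... argument is visible to every local user in the process list for as long as openssl runs, and it sits in the wrapper file in any case; -pass env:VAR or -pass file:path keeps it out of argv, but, as the answer says, a wrapper that carries its own password protects nothing from whoever can read the wrapper.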
