We have to find a way to decrypt files produced in an older server using openssl version 1.0.2k in a upgraded server using openssl version 1.1.1c. We have several operational servers still using version 1.0.2k so we can't just upgrade everyone to the new version. All this came about during a required update of our software on newer servers to centos 8 from the older centos 7. Centos 8 uses 1.1.1c and centos 7 uses 1.0.2k.
In version 1.0.2k the command used to encrypt is:
tar -cz files.tar.gz | openssl enc -aes-256-cbc -e > secured.tar.gz.enc
In version 1.1.1c to decrypt the file I have tried:
openssl enc -d -aes-256-cbc -md md5 -pbkdf2 -iter 1000000 -in secured.tar.gz.enc > test.tar.gz
I get the error:
bad decrypt
<numbers....>:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:crypto/evp/evp_enc.c:603:
From the information here it states that the error can be due to version 1.0.2k using md5 by default and version 1.1.1c using sha256. Thus using -md md5
.
If I don't use -pbkdf2 -iter 1000000
I get the error:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
I have double checked the password and it is correct. Not sure what else could be the problem.
-pbkdf2 -iter 1000000
section? I have updated the question with the reason why we can't just update all servers to the newer version.-pbkdf2 -iter 1000000
performs 1,000,000 iterations of the pbkdf2 to decrypt the file. If the encryption process had not also performed the same number of iterations of pbkdf2 on the file then the end result of the blob of data wouldn't be correct. It still would be extremely helpful to know, if you can run the command you suspect is correct, on the original (source) server?-pbkdf2
and-iter
options unless they have also been used in the equivalent encryption command - unfortunately OpenSSL 1.0.2k does not support them.-pbkdf2 -iter 1000000
parameters works on the older server. This works:openssl enc -d -aes-256-cbc -md md5 -in secured.tar.gz.enc > test.tar.gz
. I tried it on the new server without the argument and although it comes up with the warning it worked. Do you want to post the solution or should I?