OpenSSL – Using -iter or -pbkdf2 for Decrypting Files

encryptionopenssl

Today I got this warning issued by OpenSSL in Cygwin after updating some packages, I believe openssl was included:

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

The OpenSSL version used in Cygwin was:

OpenSSL 1.1.1b  26 Feb 2019

This happened while decrypting my Backup on BluRay, which I created on Linux Mint 19.1, where the OpenSSL version is significantly older:

OpenSSL 1.1.0g  2 Nov 2017

The command used to encrypt and decrypt (just add -d to the end) was:

$ openssl enc -aes-256-cbc -md sha256 -salt -in "${InputFilePath}" -out "${OutputFilePath}"

What does this warning mean and can I do anything to avoid it in the future backups?

Best Answer

Comparing the Synopsys of the two main and recent versions of OpenSSL, let me quote the man pages.

OpenSSL 1.1.0

openssl enc -ciphername [-help] [-ciphers] [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md digest] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

OpenSSL 1.1.1

openssl enc -cipher [-help] [-ciphers] [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a] [-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md digest] [-iter count] [-pbkdf2] [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-rand file...] [-writerand file] [-engine id]

There obviously are some greater differences, namely considering this question, there are these two switches missing in the 1.1.0:

pbkdf2
iter

You have basically two options now. Either ignore the warning or adjust your encryption command to something like:

openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -in InputFilePath -out OutputFilePath

Where these switches:

-aes-256-cbc is what you should use for maximum protection or the 128-bit version, the 3DES (Triple DES) got abandoned some time ago, see Triple DES has been deprecated by NIST in 2017, while AES gets accelerated by all modern CPUs by a lot; you can simply verify if your CPU has the AES-NI instruction set for example using grep aes /proc/cpuinfo; win, win
-md sha512 is the faster variant of SHA-2 functions family compared to SHA-256 while it might be a bit more secure; win, win
-pbkdf2: use PBKDF2 (Password-Based Key Derivation Function 2) algorithm
-iter 100000 is overriding the default count of iterations for the password, quoting the man page:

Use a given number of iterations on the password in deriving the encryption key. High values increase the time required to brute-force the resulting file. This option enables the use of PBKDF2 algorithm to derive the key.

Related Solutions

Linux – Using key file as password with OpenSSL

Add -pass file:nameofkeyfile to the OpenSSL command line. This causes OpenSSL to read the password/passphrase from the named file, but otherwise proceed normally.

For more details, see the man page for openssl(1) (man 1 openssl) and particularly its section "PASS PHRASE ARGUMENTS", and the man page for enc(1) (man 1 enc).

If the key file actually holds the encryption key (not something from which to derive the encryption key), then you want to use -K instead. For that, you need something like:

-K $(hexdump -v -e '/1 "%02X"' < nameofkeyfile)

in the OpenSSL command line instead of -pass. hexdump is used to transform the key file to the pure hexadecimal representation that OpenSSL wants.

Decrypting a file encrypted on a different system

AES-CBC-256 fully specifies an encryption algorithm and a decryption algorithm. Given a plaintext, a key and an IV, two implementations of AES-256-CBC encryption will produce the same ciphertext. Given a ciphertext, a key and an IV, two implementations of AES-256-CBC will produce the same plaintext.

The IV is a random string that is generated when you encrypt a messsage. If you encrypt the same data twice, you'll get different ciphertexts because the IV will be different. This is in part so that someone who can only see two ciphertexts with the same length cannot detect whether the ciphertexts are equal. Most tools prepend the IV to the ciphertext, so that all the data needed for decryption is in one place (except the key, of course).

The OpenSSL command line tool generates a file containing a 16-byte header, the IV, and the ciphertext. This format is specific to OpenSSL but does not depend on the platform.

OpenSSL's command line is intended more as a demo of the possibilities of the library than a production-grade command line tool. I don't recommend using it, it's too easy to make a mistake and either end up with non-recoverable data or insecure data. Also OpenSSL won't help you with key management.

Instead, use a tool that is intended to encrypt file. GPG is designed for this purpose. Generate a key pair, and then encrypt files with gpg -e your-gpg-id@example.com /path/to/file.