5

I am unable to decrypt a number of text files I encrypted with openssl on Ubuntu 16.04. I always get this error message:

$ openssl des3 -d < ~/ISRIC/credentials.txt.des3.old > ~/temp/credentials.txt.old.2
enter des-ede3-cbc decryption password:
bad decrypt
139771261990464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:

I am pretty sure the password is correct. What is the problem?

Luís de Sousa
  • 13,227
  • 26
  • 81
  • 128

3 Answers3

9

For files which are already encrypted, you can use the md option to force the old md5 password method.

This fixed my issue with files encrypted with 1.0.2 with aes-256-cbc which would not decrypt on 18.04 (openssl 1.1.0+).

My previous decrypt:

cat encfile | openssl enc -d -aes-256-cbc -base64 >plainfile

My new decrypt on 18.04:

cat encfile | openssl enc -md md5 -d -aes-256-cbc -base64 >plainfile

Note:
This will not work with files encrypted on 18.04 (openssl 1.1.0g+) as those will have used the newer SHA password method by default as Luis de Sousa notes.

References:
https://askubuntu.com/a/1067765/873241 (Luis de Sousa's answer)
https://bugzilla.redhat.com/show_bug.cgi?id=1520084
https://github.com/fastlane/fastlane/issues/9542

zx485
  • 2,426
Neale Rudd - Metawerx Java
  • 91
  • This pointed me in the right direction (version differences). But for some reason -md wasn't enough, I needed a fully downgraded version. – Mark Jan 12 '20 at 22:17
3

The password based encryption algorithm used in openssl changed from MD5 in version 1.0.2 (shipped with Ubuntu 16.04) to SHA256 in version 1.1.0 (Ubuntu 18.04). For that reason, any files encrypted on Ubuntu 16.04 fail to be decrypted on Ubuntu 18.04. The solution is to install the previous version of openssl, decrypt the files and encryt them back again with the newer version. Step by step:

Start by downloading the older version of openssl (this is the amd64 build, for other builds check packages.ubuntu.com):

wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.2g-1ubuntu13.6_amd64.deb

Now install the package directly with dpkg, this will disable the newer version:

$ sudo dpkg -i openssl_1.0.2g-1ubuntu13.6_amd64.deb

Make sure you got the right version:

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016 (Library: OpenSSL 1.0.2n  7 Dec 2017)

And now decrypt the file:

$ openssl des3 -d < secret.des3 > secret.txt

Then install the latest openssl build, apt is an option:

$ sudo apt install openssl

Making sure it is the latest version:

$ openssl version
OpenSSL 1.1.0g  2 Nov 2017

And then encrypt the file again with the latest version:

$ openssl des3 < secret.txt > secret.des3

Finally remove the .deb file downloaded in the begining:

$ rm openssl_1.0.2g-1ubuntu13.6_amd64.deb
Luís de Sousa
  • 13,227
  • 26
  • 81
  • 128
  • Do not forget to pin (lock) old OpenSSL version to prevent its upgrading. – N0rbert Aug 22 '18 at 07:45
  • Check out https://unix.stackexchange.com/questions/448459/on-ubuntu-18-04-openssl-1-1-0g-cant-decrypt-files-even-with-md5. It might work with the latest openssl and the -md md5 option. – untill Sep 10 '18 at 20:50
  • Downgrading the version was the solution for me! If you're comfortable with Docker, it may be easier to use docker run -vhost_dir:/data -it ubuntu:xenial bash and decrypt from inside the container. – Mark Jan 12 '20 at 22:16
0

The other answer is essentially correct. though other things have changed around these versions (v1.1.0 and v1.1.1) that is good to be aware of.

First the default password hashing digest has changed, going from md5 to sha512

And second the addition the "-pbkdf2" "-iter" which has been needed for a long time. However the default iteration count is far too low, and should be set as high as possible without becoming too annoying. Big enough to take 1/2 second is generally acceptable for both encrypting and decrypting, but makes it very very difficult for brute forced password guessing.

The problem is now we have all these new options and defaults, as well as different digests and cyphers, you need to remember all these options do you can decrypt the encrypted file. That is whatever options was decided on to encrypt must be used to decrypt. However openssl only stores some 'file magic' (EG "Salted__" at the start of the file, and the random "salt" that was used, with the encrypted file. It leaves it up to you to remember everything else!

Aespipe is a old program that got around this by saving some of this information as a extra header to the encrypted data, but it is now becomming dated, and its format does not allow for the new options, or for easy expansion.

As a alternative I have been creating a new script "keepout" as a wrapper around "openssl enc" to save those extra options that is needed to remember how to decrypt that specific file, even as newer options, cyphers, or larger iterations are used when encrypting. Basically it saves the openssl option needed with the data.

https://antofthy.gitlab.io/software/#keepout

anthony
  • 334