Use pbkdf2 for backup key derivation

Fixes a warning thrown by OpenSSL during backup runs, and makes it more secure.
2021-11-30 13:38:34 -06:00
parent c30733e5aa
commit f7afc21f9e
2 changed files with 18 additions and 0 deletions
--- a/doc/backups.md
+++ b/doc/backups.md
@@ -12,4 +12,10 @@ The S3 credentials as well as the backup password are stored in the

 To decrypt a backup archive, use the following command:

+    openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
+
+If you get an error message along the lines of "bad decrypt", the archive was
+likely encrypted before we switched the key derivation scheme. Try without
+`-pbkdf2` in this case:
+
    openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar