Use pbkdf2 for backup key derivation
Fixes a warning thrown by OpenSSL during backup runs, and makes it more secure.
parent c30733e5aa
commit f7afc21f9e
@ -12,4 +12,10 @@ The S3 credentials as well as the backup password are stored in the
|
|||
|
||||
To decrypt a backup archive, use the following command:
|
||||
|
||||
openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
|
||||
|
||||
If you get an error message along the lines of "bad decrypt", the archive was
|
||||
likely encrypted before we switched the key derivation scheme. Try without
|
||||
`-pbkdf2` in this case:
|
||||
|
||||
openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
|
||||
|
|
|
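Review bot: the "bad decrypt" fallback in the added README text leaves the operator to guess which key derivation an archive used, and the same error is what a wrong password produces. Consider recording the date (or this commit) after which archives are encrypted with PBKDF2, so the right command can be picked from the archive's timestamp instead of by trial. The `-pbkdf2` flag is only accepted by OpenSSL 1.1.1 and later, which is worth stating next to the first command. Neither command passes `-iter` or `-md`, so both depend on the defaults of whichever OpenSSL runs the restore; spelling those out would make a restore on another machine reproducible.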
@ -6,6 +6,18 @@
|
|||
# Documentation: http://backup.github.io/backup
|
||||
# Issue Tracker: https://github.com/backup/backup/issues
|
||||
|
||||
#
|
||||
# Monkey patch to not use deprecated key derivation scheme
|
||||
# https://github.com/backup/backup/issues/949#issuecomment-589883577
|
||||
#
|
||||
module OpenSSLFixDeprecatedKeyDerivation
|
||||
def options
|
||||
super + ' -pbkdf2'
|
||||
end
|
||||
end
|
||||
require 'backup/encryptor/open_ssl'
|
||||
Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
|
||||
|
||||
Storage::S3.defaults do |s3|
|
||||
s3.access_key_id = "<%= @s3_access_key_id %>"
|
||||
s3.secret_access_key = "<%= @s3_secret_access_key %>"
|
||||
|
|
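Review bot: `super + ' -pbkdf2'` in `options` turns on PBKDF2 without `-iter`, so the work factor is whatever the installed OpenSSL defaults to. Consider appending an explicit iteration count here and giving the same value in the README decrypt command, so that encryption and restore do not depend on two hosts sharing a default. The module is also prepended onto `Backup::Encryptor::OpenSSL` on the assumption that `options` returns a string of command-line flags; a comment naming the backup gem version this was tested against, or a version pin, would make a later gem upgrade that changes this method easier to diagnose.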