Use pbkdf2 for backup key derivation

Fixes a warning thrown by OpenSSL during backup runs, and makes it more secure.
2021-11-30 13:38:34 -06:00 · 2021-11-30 13:38:34 -06:00 · f7afc21f9e
parent c30733e5aa
commit f7afc21f9e
2 changed files with 18 additions and 0 deletions
--- a/doc/backups.md
+++ b/doc/backups.md
@ -12,4 +12,10 @@ The S3 credentials as well as the backup password are stored in the

 To decrypt a backup archive, use the following command:

+    openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
+
+If you get an error message along the lines of "bad decrypt", the archive was
+likely encrypted before we switched the key derivation scheme. Try without
+`-pbkdf2` in this case:
+
    openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@ -6,6 +6,18 @@
 # Documentation: http://backup.github.io/backup
 # Issue Tracker: https://github.com/backup/backup/issues

+#
+# Monkey patch to not use deprecated key derivation scheme
+# https://github.com/backup/backup/issues/949#issuecomment-589883577
+#
+module OpenSSLFixDeprecatedKeyDerivation
+  def options
+    super + ' -pbkdf2'
+  end
+end
+require 'backup/encryptor/open_ssl'
+Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation)
+
 Storage::S3.defaults do |s3|
  s3.access_key_id     = "<%= @s3_access_key_id %>"
  s3.secret_access_key = "<%= @s3_secret_access_key %>"