encpass.sh
encpass.sh copied to clipboard
plyint
lock command does not work on macOS
Running encpass.sh lock on macOS aborts with following error:
Enter Password to lock keys:
Confirm Password:
Locking key bucket1...
usage: enc -ciphername [-AadePp] [-base64] [-bufsize number] [-debug]
[-in file] [-iv IV] [-K key] [-k password]
[-kfile file] [-md digest] [-none] [-nopad] [-nosalt]
[-out file] [-pass arg] [-S salt] [-salt]
-A Process base64 data on one line (requires -a)
-a Perform base64 encoding/decoding (alias -base64)
-bufsize size Specify the buffer size to use for I/O
-d Decrypt the input data
-debug Print debugging information
-e Encrypt the input data (default)
-in file Input file to read from (default stdin)
-iv IV IV to use, specified as a hexadecimal string
-K key Key to use, specified as a hexadecimal string
-md digest Digest to use to create a key from the passphrase
-none Use NULL cipher (no encryption or decryption)
-nopad Disable standard block padding
-out file Output file to write to (default stdout)
-P Print out the salt, key and IV used, then exit
(no encryption or decryption is performed)
-p Print out the salt, key and IV used
-pass source Password source
-S salt Salt to use, specified as a hexadecimal string
-salt Use a salt in the key derivation routines (default)
-v Verbose
Valid ciphername values:
-aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cfb
-aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr
-aes-128-ecb -aes-128-gcm -aes-128-ofb
-aes-128-xts -aes-192-cbc -aes-192-cfb
-aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr
-aes-192-ecb -aes-192-gcm -aes-192-ofb
-aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cfb
-aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr
-aes-256-ecb -aes-256-gcm -aes-256-ofb
-aes-256-xts -aes128 -aes192
-aes256 -bf -bf-cbc
-bf-cfb -bf-ecb -bf-ofb
-blowfish -camellia-128-cbc -camellia-128-cfb
-camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb
-camellia-128-ofb -camellia-192-cbc -camellia-192-cfb
-camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb
-camellia-192-ofb -camellia-256-cbc -camellia-256-cfb
-camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb
-camellia-256-ofb -camellia128 -camellia192
-camellia256 -cast -cast-cbc
-cast5-cbc -cast5-cfb -cast5-ecb
-cast5-ofb -chacha -des
-des-cbc -des-cfb -des-cfb1
-des-cfb8 -des-ecb -des-ede
-des-ede-cbc -des-ede-cfb -des-ede-ofb
-des-ede3 -des-ede3-cbc -des-ede3-cfb
-des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb
-des-ofb -des3 -desx
-desx-cbc -gost89 -gost89-cnt
-gost89-ecb -id-aes128-GCM -id-aes192-GCM
-id-aes256-GCM -rc2 -rc2-40-cbc
-rc2-64-cbc -rc2-cbc -rc2-cfb
-rc2-ecb -rc2-ofb -rc4
-rc4-40 -rc4-hmac-md5
Error: The key fle and/or lock file were not found as expected for key bucket1.
Locked 0 keys.
Thanks for reporting this. I don't normally use MacOS, but I thought at one point I had tested this and locking had worked. I went back and looked at the "openssl enc" command and it looks like on MacOS the default openssl does not support setting the pseudorandom function pbkdf2 to use 10,000 iterations to more securely encrypt the key file. I'll need to review this further to see why this is and if there is an alternative way to set this on MacOS.
In the meantime, as a workaround you can get this to work by changing the line
openssl enc -aes-256-cbc -pbkdf2 -iter 10000 -salt -in "$ENCPASS_KEY_F/private.key" -out "$ENCPASS_KEY_F/private.lock" -pass file:"$fifo"
to
openssl enc -aes-256-cbc -salt -in "$ENCPASS_KEY_F/private.key" -out "$ENCPASS_KEY_F/private.lock" -pass file:"$fifo"
for both the encpass_cmd_lock() and encpass_cmd_unlock() functions. Notice what we've done is remove the "-pbkdf2 -iter 10000" parameters that "openssl enc" seems to not recognize. These are also used on the encpass_cmd_export() and encpass_cmd_import() functions as well, so likely they will need to be updated too for this workaround.
Thank you for the lightning-fast reply. I can confirm that lock/unlock does work with the suggested workaround.
Anyway this made me curious about the default openssl on macOS, which turns out to be LibreSSL 2.8.3. So I tried openssl 1.1, which can be installed via Homebrew: turns out openssl 1.1 accepts the new improved crypto settings.
So maybe this could be a workaround for mac users:
# Get openssl via HomeBrew
brew install openssl
# Create alias to replace libressl with openssl only for encpass.sh
alias encpass.sh="export PATH=\"/usr/local/opt/[email protected]/bin:$PATH\" ; encpass.sh"
Great! Thanks for the confirmation and the info on the default openssl implementation on MacOS. Ideally I'd like encpass.sh to work directly with whatever the default is, but I'm not sure that it will be possible if there is not a good way to do this on LibreSSL. If that ends up being the case I may make an extension that could be loaded for Mac users if they want to use LibreSSL, but then also add to the README to use your documented steps of installing openssl via homebrew to get the normal implementation working.