Open
Description
```
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
```
This should close ticket:
Might also close:
- hex string is too short, padding with zero bytes to length *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. #59
- original post of yadm — Initialization with imported key failing ( Issues with yadm 2/2) #190
I have two possible fixes for this issue
Option 1
```bash
alt1_test_pbkdf2() {
    local pbkdf2=""
    # Try a throwaway encryption with -pbkdf2; success means the flag is supported.
    if echo "test" | openssl enc -aes-256-cbc -pbkdf2 -pass pass:test -nosalt -out /dev/null 2>/dev/null; then
        pbkdf2="-pbkdf2"
    fi
    echo "${pbkdf2}"
}
```
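Option 2
```bash
alt2_test_pbkdf2() {
    local pbkdf2=""
    # Look for the flag in the help text; "--" stops grep from parsing the pattern as an option.
    if openssl enc -help 2>&1 | grep -q -- '-pbkdf2'; then
        pbkdf2="-pbkdf2"
    fi
    echo "${pbkdf2}"
}
```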
Then in every "openssl enc" line (I counted 4) add "${pbkdf2}" to the line. I hard coded this after the -md MD5 check.
💡 Note: BTW, IMHO this seems like a 'weaker' algorithm and maybe should be SHA256 (or SHA512/B2), also note that the default appears to be SHA256 (sha-256 according to the man page). Sorry just a mention
Option 2 seems cleaner, but the enc -h | grep is odd. But your call.
I've attached my test script, which shows failures if "-pbkdf2" is not available (they fail calling -pbkdf3)
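The help-text detection from option 2 wired into encrypt and decrypt wrappers, as an added example that is not part of the original post or of yadm's code. The names `OPENSSL`, `kdf_flags`, `encrypt_file` and `decrypt_file` and the `-pass file:` argument are assumptions; the decrypt fallback is there because data encrypted with the legacy derivation does not decrypt once `-pbkdf2` is added.

```shell
#!/bin/sh
# Added example (not yadm's code). OPENSSL, kdf_flags, encrypt_file and
# decrypt_file are hypothetical names; "-pass file:" is an assumption.
OPENSSL="${OPENSSL:-openssl}"

# Print "-pbkdf2" if this openssl build lists the option, else nothing.
kdf_flags() {
    if "$OPENSSL" enc -help 2>&1 | grep -q -- '-pbkdf2'; then
        echo "-pbkdf2"
    fi
}

# encrypt_file IN OUT PASSFILE
# New data always uses the strongest derivation the local build offers.
encrypt_file() {
    # $(kdf_flags) is left unquoted on purpose: empty output must vanish
    # instead of becoming an empty argument.
    "$OPENSSL" enc -e -aes-256-cbc -salt $(kdf_flags) \
        -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file IN OUT PASSFILE
# Data written before the switch was keyed with the legacy derivation and
# will not decrypt with -pbkdf2, so fall back to the legacy call on failure.
decrypt_file() {
    if [ -n "$(kdf_flags)" ] &&
        "$OPENSSL" enc -d -aes-256-cbc -pbkdf2 \
            -pass "file:$3" -in "$1" -out "$2" 2>/dev/null; then
        return 0
    fi
    "$OPENSSL" enc -d -aes-256-cbc -pass "file:$3" -in "$1" -out "$2"
}
```

Because `openssl enc` in CBC mode has no integrity check, a wrong derivation is detected only through the padding check, so validate the decrypted output (for example that it is a readable archive) before trusting a success from the first attempt.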