Can't get backups decrypted (manually)

Paul K

I've got a strange issue that I just can't wrap my head around. I let DirectAdmin create backups with encryption enabled, but I am just unable to get the backups decrypted. I've tried to debug a lot but I'm currently stuck.

I use 24-character generated passwords. In /usr/local/directadmin/data/admin/backup.conf I can view the (base64) encoded version of the password, so the password seems to be stored correctly.

After the backup is encrypted and uploaded (FTP), I download the backup and upload it again to the server. Here I run the decrypt script:
Code:
/usr/local/directadmin/scripts/decrypt_file.sh /root/user.admin.xxxx.tar.gz.enc /root/user.admin.xxxx.tar.gz /tmp/key.txt
In the key.txt I've entered the exact same password.

This gives me the following error:
Code:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140099618064192:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:crypto/evp/evp_enc.c:632:

In a further attempt to figure out the issue, I modified the encrypt_file.sh script to write the key directly to key.txt to make sure that the exact same key is used for encrypting and decrypting, and that it's not some other kind of mixup.
Code:
cat ${P} > /tmp/key.key

This still leads to the same error.

I see that the encrypt_file script executes the following command:
Code:
${OPENSSL} enc -e -aes-256-cbc -md sha256 -salt -in $F -out $E -kfile ${P} 2>&1

and that the decrypt_file script executes the following command:
Code:
RESULT=`${OPENSSL} enc -d -aes-256-cbc -md sha256 -salt -in $E -out $O -kfile ${P} 2>&1`

Has anyone run into the same issues?
 
As a follow-up for anyone who comes across this post: in my case it appears that the destination host (for some reason) corrupts the files. In my case this is/was Strato HiDrive. It didn't matter if I encased the encrypted file in a tar again, the file always got corrupted somehow.

I didn't have the resources to dig any deeper so now I'm using a local backup followed by an upload through rsync, which does work.
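
Added example (not part of the original posts and not DirectAdmin's own code): OpenSSL reports "wrong final block length" when the ciphertext is not a whole number of cipher blocks, so a downloaded `.enc` file can be checked for transfer damage before the key is suspected. The function names and the step of recording a SHA-256 digest before upload are assumptions of this example.

```shell
#!/bin/sh
# Pre-decryption checks for a file written by
# `openssl enc -aes-256-cbc -salt` (the command in encrypt_file.sh).
# Layout: 8-byte "Salted__" magic, 8-byte salt, then padded CBC blocks.

AES_BLOCK=16   # AES block size in bytes

# check_enc_file FILE
# 0 = structurally plausible, 1 = "Salted__" header missing,
# 2 = size not a multiple of the block size, 3 = unreadable/too short.
check_enc_file() {
    [ -r "$1" ] || return 3
    size=$(wc -c < "$1" | tr -d ' ')
    # header (16 bytes) plus at least one padded ciphertext block
    [ "$size" -ge 32 ] || return 3
    magic=$(head -c 8 "$1" | tr -d '\000')
    [ "$magic" = "Salted__" ] || return 1
    [ $((size % AES_BLOCK)) -eq 0 ] || return 2
    return 0
}

# same_digest FILE EXPECTED_SHA256
# Catches damage that keeps the length intact (flipped or rewritten bytes).
same_digest() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# verify_backup FILE EXPECTED_SHA256
# EXPECTED_SHA256 is the digest recorded on the server before upload.
verify_backup() {
    rc=0
    check_enc_file "$1" || rc=$?
    case $rc in
        1) echo "$1: no Salted__ header" ;;
        2) echo "$1: size is not a multiple of $AES_BLOCK bytes" ;;
        3) echo "$1: unreadable or too short" ;;
    esac
    [ "$rc" -eq 0 ] || return "$rc"
    if ! same_digest "$1" "$2"; then
        echo "$1: SHA-256 differs from the pre-upload value"
        return 4
    fi
    echo "$1: OK"
}
```

Record the digest with `sha256sum` right after encrypt_file.sh finishes, then run `verify_backup` on the copy fetched back from the remote host.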
 