AutoMySQLBackup备份配置了加密选项过后,它会将数据库的备份文件加密。测试解密这些加密的备份文件时遇到错误(密钥做了脱敏处理)。 其中加密的密钥是正确的,但是每次都会提示下面错误信息: *** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140587404826432:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:643: 这里加密和解密都位于同一台服务器上,所以openssl的版本都是一样的,不会因为openssl版本导致这类问题,openssl的具体版本信息如下所示: 看了一下AutoMySQLBackup的加密文件的代码,如下所示,它使用openssl进行加密。 具体加密的代码如下所示 这里使用对称加密,它使用了参数-pbkdf2和-iter。 这两个参数的介绍如下所示: 这里使用迭代次数和pbkdf2的算法来增加安全性,所以解密的时候,也必须使用上面两个参数,否则就会报错,测试如下,所以遇到这个错误,是因为解密时我们没有使用正确的参数导致。执行使用下面命令就能正确解压加密文件了。$ openssl enc -aes-256-cbc -d -in daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz.enc \
> -out daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz -pass pass:********
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140587404826432:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:643:$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021# @info: This function is called after data has already been saved. It performs encryption and
# hardlink-copying of files to a latest folder.
# @return: flags
# @deps: load_default_config
files_postprocessing () {
local flags
let "flags=0x00"
let "flags_files_postprocessing_success_encrypt=0x01"
# -> CONFIG_encrypt
[[ "${CONFIG_encrypt}" = "yes" && "${CONFIG_encrypt_password}" ]] && {
if (( $CONFIG_dryrun )); then
printf 'dry-running: openssl enc -aes-256-cbc -pbkdf2 -iter 1000 -e -in %s -out %s.enc -pass pass:%s\n' ${1} ${1} "${CONFIG_encrypt_password}"
else
openssl enc -aes-256-cbc -pbkdf2 -iter 1000 -e -in ${1} -out ${1}.enc -pass pass:"${CONFIG_encrypt_password}"
if (( $? == 0 )); then
if rm ${1} 2>&1; then
echo "Successfully encrypted archive as ${1}.enc"
let "flags |= $flags_files_postprocessing_success_encrypt"
else
echo "Successfully encrypted archive as ${1}.enc, but could not remove cleartext file ${1}."
let "E |= $E_enc_cleartext_delfailed"
fi
else
let "E |= $E_enc_failed"
fi
fi
}
# <- CONFIG_encrypt
# -> CONFIG_mysql_dump_latest
[[ "${CONFIG_mysql_dump_latest}" = "yes" ]] && {
if (( $flags & $flags_files_postprocessing_success_encrypt )); then
if (( $CONFIG_dryrun )); then
printf 'dry-running: cp -al %s.enc %s/latest/\n' "${1}" "${CONFIG_backup_dir}"
else
cp -al "${1}.enc" "${CONFIG_backup_dir}"/latest/
fi
else
if (( $CONFIG_dryrun )); then
printf 'dry-running: cp -al %s %s/latest/\n' "${1}" "${CONFIG_backup_dir}"
else
cp -al "${1}" "${CONFIG_backup_dir}"/latest/
fi
fi
}
# <- CONFIG_mysql_dump_latest
return $flags
}openssl enc -aes-256-cbc -pbkdf2 -iter 1000 -e -in ${1} -out ${1}.enc -pass pass:"${CONFIG_encrypt_password}"
-iter +int Specify the iteration count and force use of PBKDF2
-pbkdf2 Use password-based key derivation function 2$ openssl enc -aes-256-cbc -d -in daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz.enc \
> -out daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz -pbkdf2 -iter 1000 -pass pass:*****
$ ls
daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz.enc