lock command does not work on macOS

[rupkoe]

Running encpass.sh lock on macOS aborts with following error:

Enter Password to lock keys:
Confirm Password:
Locking key bucket1...
usage: enc -ciphername [-AadePp] [-base64] [-bufsize number] [-debug]
    [-in file] [-iv IV] [-K key] [-k password]
    [-kfile file] [-md digest] [-none] [-nopad] [-nosalt]
    [-out file] [-pass arg] [-S salt] [-salt]

 -A                 Process base64 data on one line (requires -a)
 -a                 Perform base64 encoding/decoding (alias -base64)
 -bufsize size      Specify the buffer size to use for I/O
 -d                 Decrypt the input data
 -debug             Print debugging information
 -e                 Encrypt the input data (default)
 -in file           Input file to read from (default stdin)
 -iv IV             IV to use, specified as a hexadecimal string
 -K key             Key to use, specified as a hexadecimal string
 -md digest         Digest to use to create a key from the passphrase
 -none              Use NULL cipher (no encryption or decryption)
 -nopad             Disable standard block padding
 -out file          Output file to write to (default stdout)
 -P                 Print out the salt, key and IV used, then exit
                      (no encryption or decryption is performed)
 -p                 Print out the salt, key and IV used
 -pass source       Password source
 -S salt            Salt to use, specified as a hexadecimal string
 -salt              Use a salt in the key derivation routines (default)
 -v                 Verbose

Valid ciphername values:

 -aes-128-cbc              -aes-128-cbc-hmac-sha1    -aes-128-cfb             
 -aes-128-cfb1             -aes-128-cfb8             -aes-128-ctr             
 -aes-128-ecb              -aes-128-gcm              -aes-128-ofb             
 -aes-128-xts              -aes-192-cbc              -aes-192-cfb             
 -aes-192-cfb1             -aes-192-cfb8             -aes-192-ctr             
 -aes-192-ecb              -aes-192-gcm              -aes-192-ofb             
 -aes-256-cbc              -aes-256-cbc-hmac-sha1    -aes-256-cfb             
 -aes-256-cfb1             -aes-256-cfb8             -aes-256-ctr             
 -aes-256-ecb              -aes-256-gcm              -aes-256-ofb             
 -aes-256-xts              -aes128                   -aes192                  
 -aes256                   -bf                       -bf-cbc                  
 -bf-cfb                   -bf-ecb                   -bf-ofb                  
 -blowfish                 -camellia-128-cbc         -camellia-128-cfb        
 -camellia-128-cfb1        -camellia-128-cfb8        -camellia-128-ecb        
 -camellia-128-ofb         -camellia-192-cbc         -camellia-192-cfb        
 -camellia-192-cfb1        -camellia-192-cfb8        -camellia-192-ecb        
 -camellia-192-ofb         -camellia-256-cbc         -camellia-256-cfb        
 -camellia-256-cfb1        -camellia-256-cfb8        -camellia-256-ecb        
 -camellia-256-ofb         -camellia128              -camellia192             
 -camellia256              -cast                     -cast-cbc                
 -cast5-cbc                -cast5-cfb                -cast5-ecb               
 -cast5-ofb                -chacha                   -des                     
 -des-cbc                  -des-cfb                  -des-cfb1                
 -des-cfb8                 -des-ecb                  -des-ede                 
 -des-ede-cbc              -des-ede-cfb              -des-ede-ofb             
 -des-ede3                 -des-ede3-cbc             -des-ede3-cfb            
 -des-ede3-cfb1            -des-ede3-cfb8            -des-ede3-ofb            
 -des-ofb                  -des3                     -desx                    
 -desx-cbc                 -gost89                   -gost89-cnt              
 -gost89-ecb               -id-aes128-GCM            -id-aes192-GCM           
 -id-aes256-GCM            -rc2                      -rc2-40-cbc              
 -rc2-64-cbc               -rc2-cbc                  -rc2-cfb                 
 -rc2-ecb                  -rc2-ofb                  -rc4                     
 -rc4-40                   -rc4-hmac-md5            
Error: The key fle and/or lock file were not found as expected for key bucket1.
Locked 0 keys.

[ahnick]

Thanks for reporting this. I don't normally use MacOS, but I thought at one point I had tested this and locking had worked. I went back and looked at the "openssl enc" command and it looks like on MacOS the default openssl does not support setting the pseudorandom function pbkdf2 to use 10,000 iterations to more securely encrypt the key file. I'll need to review this further to see why this is and if there is an alternative way to set this on MacOS.

In the meantime, as a workaround you can get this to work by changing the line

openssl enc -aes-256-cbc -pbkdf2 -iter 10000 -salt -in "$ENCPASS_KEY_F/private.key" -out "$ENCPASS_KEY_F/private.lock" -pass file:"$fifo"

to

openssl enc -aes-256-cbc -salt -in "$ENCPASS_KEY_F/private.key" -out "$ENCPASS_KEY_F/private.lock" -pass file:"$fifo"

for both the encpass_cmd_lock() and encpass_cmd_unlock() functions. Notice what we've done is remove the "-pbkdf2 -iter 10000" parameters that "openssl enc" seems to not recognize. These are also used on the encpass_cmd_export() and encpass_cmd_import() functions as well, so likely they will need to be updated too for this workaround.

[rupkoe]

Thank you for the lightning-fast reply. I can confirm that lock/unlock does work with the suggested workaround.

Anyway this made me curious about the default openssl on macOS, which turns out to be LibreSSL 2.8.3.
So I tried openssl 1.1, which can be installed via Homebrew: turns out openssl 1.1 accepts the new improved crypto settings.

So maybe this could be a workaround for mac users:

# Get openssl via HomeBrew
brew install openssl 

# Create alias to replace libressl with openssl only for encpass.sh
alias encpass.sh="export PATH=\"/usr/local/opt/openssl@1.1/bin:$PATH\" ; encpass.sh"

[ahnick]

Great! Thanks for the confirmation and the info on the default openssl implementation on MacOS. Ideally I'd like encpass.sh to work directly with whatever the default is, but I'm not sure that it will be possible if there is not a good way to do this on LibreSSL. If that ends up being the case I may make an extension that could be loaded for Mac users if they want to use LibreSSL, but then also add to the README to use your documented steps of installing openssl via homebrew to get the normal implementation working.

[crowedavid]

for reference, macOS Ventura now includes LibreSSL 3.3.6 which includes pbkdf2 so this works out of the box now (except for the help option).

[ahnick]

Great, thanks for the update David! I am now working on a MacBook, but am running an older 12.1 version atm. As soon as I update the OS and confirm it is working I will close out this issue. I'm going to look at merging in your PR too for the mandoc version update for the help.