Unable to decrypt text files with openssl on Ubuntu 18.04

Solution 1

The password based encryption algorithm used in openssl changed from MD5 in version 1.0.2 (shipped with Ubuntu 16.04) to SHA256 in version 1.1.0 (Ubuntu 18.04). For that reason, any files encrypted on Ubuntu 16.04 fail to be decrypted on Ubuntu 18.04. The solution is to install the previous version of openssl, decrypt the files and encrypt them back again with the newer version. Step by step:

Start by downloading the older version of openssl (this is the amd64 build, for other builds check packages.ubuntu.com):

wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.2g-1ubuntu13.6_amd64.deb

Now install the package directly with dpkg, this will disable the newer version:

$ sudo dpkg -i openssl_1.0.2g-1ubuntu13.6_amd64.deb

Make sure you got the right version:

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016 (Library: OpenSSL 1.0.2n  7 Dec 2017)

And now decrypt the file:

$ openssl des3 -d < secret.des3 > secret.txt

Then install the latest openssl build, apt is an option:

$ sudo apt install openssl

Making sure it is the latest version:

$ openssl version
OpenSSL 1.1.0g  2 Nov 2017

And then encrypt the file again with the latest version:

$ openssl des3 < secret.txt > secret.des3

Finally remove the .deb file downloaded in the beginning:

$ rm openssl_1.0.2g-1ubuntu13.6_amd64.deb

Solution 2

For files which are already encrypted, you can use the md option to force the old md5 password method.

This fixed my issue with files encrypted with 1.0.2 with aes-256-cbc which would not decrypt on 18.04 (openssl 1.1.0+).

My previous decrypt:

cat encfile | openssl enc -d -aes-256-cbc -base64 >plainfile

My new decrypt on 18.04:

cat encfile | openssl enc -md md5 -d -aes-256-cbc -base64 >plainfile

Note:
This will not work with files encrypted on 18.04 (openssl 1.1.0g+) as those will have used the newer SHA password method by default as Luis de Sousa notes.

References:
https://askubuntu.com/a/1067765/873241 (Luis de Sousa's answer)
https://bugzilla.redhat.com/show_bug.cgi?id=1520084
https://github.com/fastlane/fastlane/issues/9542
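
Why the same password gives "bad decrypt" across versions, as an added example (not code from either answer): without `-pbkdf2`, `openssl enc` derives the key and IV with EVP_BytesToKey from the password and the salt stored after the `Salted__` header, so changing the digest changes the key. The function names, the sample blob and the password `hunter2` are constructed for illustration.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes before the 8-byte salt

def parse_header(blob):
    """Return (salt, ciphertext) from `openssl enc` output, raw or -base64."""
    if not blob.startswith(MAGIC):
        # -base64 output starts with "U2FsdGVkX1" (base64 of "Salted__")
        blob = base64.b64decode(b"".join(blob.split()))
    if not blob.startswith(MAGIC) or len(blob) < 16:
        raise ValueError("no Salted__ header: not salted `openssl enc` output")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(password, salt, key_len, iv_len, md):
    """EVP_BytesToKey with count=1: D_i = H(D_{i-1} || password || salt)."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def candidates(blob, password, key_len=32, iv_len=16):
    """Key/IV per digest for one file; defaults sized for aes-256-cbc."""
    salt, _ = parse_header(blob)
    return {md: evp_bytes_to_key(password, salt, key_len, iv_len, md)
            for md in ("md5", "sha256")}

# Constructed sample: a made-up salt and 16 placeholder ciphertext bytes.
SAMPLE = base64.b64encode(MAGIC + bytes(range(8)) + b"\x00" * 16)

if __name__ == "__main__":
    for md, (key, iv) in candidates(SAMPLE, b"hunter2").items():
        print(f"-md {md:6} key={key.hex()} iv={iv.hex()}")
```

For `des3` as used in Solution 1, call `candidates(blob, password, key_len=24, iv_len=8)`.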

Author: Luís de Sousa

Updated on September 18, 2022

Comments

  • Luís de Sousa over 1 year

    I am unable to decrypt a number of text files I encrypted with openssl on Ubuntu 16.04. I always get this error message:

    $ openssl des3 -d < ~/ISRIC/credentials.txt.des3.old > ~/temp/credentials.txt.old.2
    enter des-ede3-cbc decryption password:
    bad decrypt
    139771261990464:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
    

    I am pretty sure the password is correct. What is the problem?

  • N0rbert over 5 years
    Do not forget to pin (lock) old OpenSSL version to prevent its upgrading.
  • untill over 5 years
    Check out unix.stackexchange.com/questions/448459/…. It might work with the latest openssl and the -md md5 option.
  • Mark over 4 years
    Downgrading the version was the solution for me! If you're comfortable with Docker, it may be easier to use docker run -vhost_dir:/data -it ubuntu:xenial bash and decrypt from inside the container.
  • Mark over 4 years
    This pointed me in the right direction (version differences). But for some reason -md wasn't enough, I needed a fully downgraded version.