AutoMySQLBackup加密備份解密問題淺析

潇湘隐者發表於2024-05-14
MySql加密解密

AutoMySQLBackup備份配置了加密選項過後,它會將資料庫的備份檔案加密。測試解密這些加密的備份檔案時遇到錯誤(金鑰做了脫敏處理)。

$ openssl enc -aes-256-cbc -d -in  daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz.enc \
>   -out daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz -pass pass:********
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140587404826432:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:643:

其中加密的金鑰是正確的,但是每次都會提示下面錯誤資訊:

*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. bad decrypt 140587404826432:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:643:

這裡加密和解密都位於同一臺伺服器上,所以openssl的版本都是一樣的,不會因為openssl版本導致這類問題,openssl的具體版本資訊如下所示:

$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

看了一下AutoMySQLBackup的加密檔案的程式碼,如下所示,它使用openssl進行加密。

# @info: This function is called after data has already been saved. It performs encryption and
#   hardlink-copying of files to a latest folder.
# @return: flags
# @deps: load_default_config
files_postprocessing () {
 local flags
 let "flags=0x00"
 let "flags_files_postprocessing_success_encrypt=0x01"

 # -> CONFIG_encrypt
 [[ "${CONFIG_encrypt}" = "yes" && "${CONFIG_encrypt_password}" ]] && {
   if (( $CONFIG_dryrun )); then
     printf 'dry-running: openssl enc -aes-256-cbc -pbkdf2 -iter 1000 -e -in %s -out %s.enc -pass pass:%s\n' ${1} ${1} "${CONFIG_encrypt_password}"
   else
     openssl enc -aes-256-cbc -pbkdf2 -iter 1000 -e -in ${1} -out ${1}.enc -pass pass:"${CONFIG_encrypt_password}"
     if (( $? == 0 )); then
    if rm ${1} 2>&1; then
      echo "Successfully encrypted archive as ${1}.enc"
      let "flags |= $flags_files_postprocessing_success_encrypt"
    else
      echo "Successfully encrypted archive as ${1}.enc, but could not remove cleartext file ${1}."
      let "E |= $E_enc_cleartext_delfailed"
    fi
     else
    let "E |= $E_enc_failed"
     fi
   fi
 }
 # <- CONFIG_encrypt

 # -> CONFIG_mysql_dump_latest
 [[ "${CONFIG_mysql_dump_latest}" = "yes" ]] && {
   if (( $flags & $flags_files_postprocessing_success_encrypt )); then
  if (( $CONFIG_dryrun )); then
    printf 'dry-running: cp -al %s.enc %s/latest/\n' "${1}" "${CONFIG_backup_dir}"
  else
    cp -al "${1}.enc" "${CONFIG_backup_dir}"/latest/
  fi
   else
  if (( $CONFIG_dryrun )); then
    printf 'dry-running: cp -al %s %s/latest/\n' "${1}" "${CONFIG_backup_dir}"
  else
    cp -al "${1}" "${CONFIG_backup_dir}"/latest/
  fi
   fi
 }
 # <- CONFIG_mysql_dump_latest

 return $flags
}

具體加密的程式碼如下所示

openssl enc -aes-256-cbc -pbkdf2 -iter 1000 -e -in ${1} -out ${1}.enc -pass pass:"${CONFIG_encrypt_password}"

這裡使用對稱加密,它使用了引數-pbkdf2和-iter。 這兩個引數的介紹如下所示:

-iter +int          Specify the iteration count and force use of PBKDF2
-pbkdf2             Use password-based key derivation function 2

這裡使用迭代次數和pbkdf2的演算法來增加安全性,所以解密的時候,也必須使用上面兩個引數,否則就會報錯,測試如下,所以遇到這個錯誤,是因為解密時我們沒有使用正確的引數導致。執行使用下面命令就能正確解壓加密檔案了。

$ openssl enc -aes-256-cbc -d -in  daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz.enc \
>   -out daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz -pbkdf2 -iter 1000 -pass pass:*****
$ ls
daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz  daily_mysql_2024-05-14_09h09m_Tuesday.sql.gz.enc

相關文章