Unable to decrypyt files restored from Glacier

[lehrblogger]

Background: I'm using my QNAP TS-251 primarily as a backup device for the two Macs in my household. Each uses Carbon Copy Cloner to back itself up to a sparsebundle on the NAS, and then I'm using the Glacier app on the NAS to make an off-site copy of the sparsebundles to separate Vaults with client side encryption enabled.

A backup system is only helpful if one can restore successfully, however, so I've been trying to test that. I'm using on OS X app called Freeze to download the inventory and then the files that make up the sparsebundle. I know I need to then decrypt the files using:

Code: Select all

openssl enc -d -aes-256-cbc -k %password% -in %encrypted_file% -out %decrypted_file%

But then I get the following error:

Code: Select all

bad decrypt
39428:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.40.2/src/crypto/evp/evp_enc.c:330:

I googled around a bit and learned that the error might have something to do with padding. Specifying the -nopad option to openssl makes the decrypt command think that it was successful, but the files are not actually decrypted properly. It's possible that I'm using the wrong password to decrypt the files, but I use a password manager, so it's unlikely. I've been testing with the sparsebundle's Info.plist file, which should be human-readable when decrypted. I have a few questions:

1. What does the bad decrypt error mean in the first attempt?
2. Is it possible to inspect the password the Glacier app is using to encrypt the files? I have full access to the NAS, and presumably it has the password saved somewhere since it's using it to encrypt the files. Perhaps I did record the wrong password, or perhaps the password I chose was too long (at 32 characters), or some of the special characters were not saved properly.
3. Anything else I should try? Otherwise I might just give up on client side encryption and rely instead on encryption of the sparsebundle disk images themselves.

Thanks!

[rjspring]

Did you ever get an answer to this?

[lehrblogger]

@rjspring no, I did not. Are you seeing the same issue?

I'm in the process now of testing the last option I suggested – encrypting the sparsebundle disk image itself, rather than the individual bands – and I'll try to remember to post an update afterward.

[ivanrajkovic]

If you have still this issue, the problem is in the different version od openssl (1.0.2 and 1.1).

https://bbs.archlinux.org/viewtopic.php?id=225863

just add:
-md md5
to the command line to work.

[lehrblogger]

@ivanrajkovic, thanks for the reply! I've moved on to a different backup setup, but it's good to keep in mind for the future or for others who come across this