lock command does not work on macOS about encpass.sh HOT 5 OPEN

Thank you for the lightning-fast reply. I can confirm that lock/unlock does work with the suggested workaround.

Anyway this made me curious about the default openssl on macOS, which turns out to be LibreSSL 2.8.3.
So I tried openssl 1.1, which can be installed via Homebrew: turns out openssl 1.1 accepts the new improved crypto settings.

So maybe this could be a workaround for mac users:

# Get openssl via HomeBrew
brew install openssl 

# Create alias to replace libressl with openssl only for encpass.sh
alias encpass.sh="export PATH=\"/usr/local/opt/[email protected]/bin:$PATH\" ; encpass.sh"

from encpass.sh.

Thanks for reporting this. I don't normally use MacOS, but I thought at one point I had tested this and locking had worked. I went back and looked at the "openssl enc" command and it looks like on MacOS the default openssl does not support setting the pseudorandom function pbkdf2 to use 10,000 iterations to more securely encrypt the key file. I'll need to review this further to see why this is and if there is an alternative way to set this on MacOS.

In the meantime, as a workaround you can get this to work by changing the line

openssl enc -aes-256-cbc -pbkdf2 -iter 10000 -salt -in "$ENCPASS_KEY_F/private.key" -out "$ENCPASS_KEY_F/private.lock" -pass file:"$fifo"

to

openssl enc -aes-256-cbc -salt -in "$ENCPASS_KEY_F/private.key" -out "$ENCPASS_KEY_F/private.lock" -pass file:"$fifo"

for both the encpass_cmd_lock() and encpass_cmd_unlock() functions. Notice what we've done is remove the "-pbkdf2 -iter 10000" parameters that "openssl enc" seems to not recognize. These are also used on the encpass_cmd_export() and encpass_cmd_import() functions as well, so likely they will need to be updated too for this workaround.

from encpass.sh.

Great! Thanks for the confirmation and the info on the default openssl implementation on MacOS. Ideally I'd like encpass.sh to work directly with whatever the default is, but I'm not sure that it will be possible if there is not a good way to do this on LibreSSL. If that ends up being the case I may make an extension that could be loaded for Mac users if they want to use LibreSSL, but then also add to the README to use your documented steps of installing openssl via homebrew to get the normal implementation working.

from encpass.sh.

for reference, macOS Ventura now includes LibreSSL 3.3.6 which includes pbkdf2 so this works out of the box now (except for the help option).

from encpass.sh.

Great, thanks for the update David! I am now working on a MacBook, but am running an older 12.1 version atm. As soon as I update the OS and confirm it is working I will close out this issue. I'm going to look at merging in your PR too for the mandoc version update for the help.

from encpass.sh.