-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
|
security-thru-obscurity, which is useless on its own, but it *is* a
useful adjunct to strong encryption.
This requires OpenSSL 1.1 or higher. If you’re on 1.0 or older, you
won’t have the `-pbkdf2` and `-iter` options, and you may have to choose
a different cipher algorithm; both changes are likely to weaken the
encryption significantly, so you should install a newer version rather
than work around the lack of these features. If you’re on macOS, which
still ships 1.0 as of the time of this writing, [Homebrew][hb] offers
the current version of OpenSSL, but to avoid a conflict with the platform
version, it’s [unlinked][hbul] by default, so you have to give an explicit
path to its “cellar” directory:
than work around the lack of these features.
At the time of this writing — 2021.02.26 — macOS 11 (BigSur) ships an
outdated fork of OpenSSL 1.0 called [LibreSSL][lssl] that lacks this
capability. Until Apple redresses this lack, we recommend use of the
[Homebrew][hb] OpenSSL package rather than give up on the security
afforded by use of configurable-iteration PBKDF2 in OpenSSL 1.1 and up,
later backported to LibreSSL 2.9.1 and up. To avoid a conflict with the
platform version, Homebrew’s installation is [unlinked][hbul] by
default, so you have to give an explicit path to it, one of:
/usr/local/opt/openssl/bin/openssl ... # Intel x86 Macs
/opt/homebrew/opt/openssl/bin/openssl ... # ARM Macs (“Apple silicon”)
/usr/local/Cellar/openssl\@1.1/1.1.1g/bin/openssl ...
[lssl]: https://www.libressl.org/
## <a id="rest"></a> Restoring From An Encrypted Backup
The “restore” script for the above fragment is basically an inverse of
it, but it’s worth showing it because there are some subtleties to take
care of. If all variables defined in earlier scripts are available, then
|
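Review bot: The added macOS paragraph calls the platform binary "an outdated fork of OpenSSL 1.0 called LibreSSL that lacks this capability" and then says the feature was "later backported to LibreSSL 2.9.1 and up", without saying which LibreSSL version macOS 11 ships, so a reader cannot tell from the text whether they are affected. Either state the shipped version or tell readers to run `openssl version` and compare it against the OpenSSL 1.1 and LibreSSL 2.9.1 thresholds. Also, "BigSur" should be "Big Sur". The two hard-coded Homebrew prefixes are an improvement over the removed version-pinned Cellar path, but `$(brew --prefix openssl)/bin/openssl` would cover both Intel and ARM Macs in a single line and would survive a nonstandard Homebrew prefix.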