Fossil

Check-in [0e1cc786bb]

Overview
Comment: Updated the macOS / OpenSSL 1.0 bits of the backup doc's encryption section to cover the latest situation under Big Sur.
SHA3-256: 0e1cc786bba5d57cf868838c9ebcc6e2864e69c3a18fe2d82ad169ad5b157c3b
User & Date: wyoung 2021-02-26 06:51:23.163
Context
2021-02-26
07:05 Tightened up the new reason #5 for "why set up a server". ... (check-in: 50a0e024fb user: wyoung tags: trunk)
06:51 Updated the macOS / OpenSSL 1.0 bits of the backup doc's encryption section to cover the latest situation under Big Sur. ... (check-in: 0e1cc786bb user: wyoung tags: trunk)
06:23 Added a link to the backups doc from the "benefits of a server" doc, fixed a few more grammar problems, and fixed a few URLs in prior commits. ... (check-in: 4f9c6210cd user: wyoung tags: trunk)
Changes
Changes to www/backup.md.
Old version (lines 229-249):
security-thru-obscurity, which is useless on its own, but it *is* a
useful adjunct to strong encryption.

This requires OpenSSL 1.1 or higher. If you’re on 1.0 or older, you
won’t have the `-pbkdf2` and `-iter` options, and you may have to choose
a different cipher algorithm; both changes are likely to weaken the
encryption significantly, so you should install a newer version rather
than work around the lack of these features. If you’re on macOS, which

still ships 1.0 as of the time of this writing, [Homebrew][hb] offers




the current version of OpenSSL, but to avoid a conflict with the platform

version, it’s [unlinked][hbul] by default, so you have to give an explicit
path to its “cellar” directory:



       /usr/local/Cellar/openssl\@1.1/1.1.1g/bin/openssl ...



## <a id="rest"></a> Restoring From An Encrypted Backup

The “restore” script for the above fragment is basically an inverse of
it, but it’s worth showing it because there are some subtleties to take
care of. If all variables defined in earlier scripts are available, then














New version (lines 229-257):
security-thru-obscurity, which is useless on its own, but it *is* a
useful adjunct to strong encryption.

This requires OpenSSL 1.1 or higher. If you’re on 1.0 or older, you
won’t have the `-pbkdf2` and `-iter` options, and you may have to choose
a different cipher algorithm; both changes are likely to weaken the
encryption significantly, so you should install a newer version rather
than work around the lack of these features.

At the time of this writing — 2021.02.26 — macOS 11 (BigSur) ships an
outdated fork of OpenSSL 1.0 called [LibreSSL][lssl] that lacks this
capability. Until Apple redresses this lack, we recommend use of the
[Homebrew][hb] OpenSSL package rather than give up on the security
afforded by use of configurable-iteration PBKDF2 in OpenSSL 1.1 and up,
later backported to LibreSSL 2.9.1 and up. To avoid a conflict with the
platform version, Homebrew’s installation is [unlinked][hbul] by
default, so you have to give an explicit path to it, one of:

       /usr/local/opt/openssl/bin/openssl ...     # Intel x86 Macs
       /opt/homebrew/opt/openssl/bin/openssl ...  # ARM Macs (“Apple silicon”)


[lssl]: https://www.libressl.org/


## <a id="rest"></a> Restoring From An Encrypted Backup

The “restore” script for the above fragment is basically an inverse of
it, but it’s worth showing it because there are some subtleties to take
care of. If all variables defined in earlier scripts are available, then
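
Review bot: The new macOS paragraph says LibreSSL "lacks this capability" and then that configurable-iteration PBKDF2 was "later backported to LibreSSL 2.9.1 and up", but it never states which LibreSSL version Big Sur ships, so a reader cannot tell from the text whether the platform binary qualifies. Suggest telling readers to run `openssl version` and compare the result against OpenSSL 1.1 or LibreSSL 2.9.1, which also keeps the advice usable after the dated "2021.02.26" remark goes stale. The opening sentence "This requires OpenSSL 1.1 or higher" should mention the LibreSSL 2.9.1 threshold too, so the two statements agree. Two smaller points: "BigSur" should be "Big Sur", and the two hard-coded Homebrew paths could be collapsed into `$(brew --prefix openssl)/bin/openssl`, which resolves to the correct prefix on both Intel and ARM Macs.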