Open jwatt opened 3 years ago
@jwatt I had the same problem. macOS's version in /usr/bin lacks support for -pbkdf2 and -iter.
Homebrew's version does support these options, but it's not enabled by default (at least on my system).
To enable Homebrew's version to be used instead of macOS's /usr/bin version, type:
yadm config openssl-program /usr/local/opt/openssl/bin/openssl
or to enable it globally:
export PATH=/usr/local/opt/openssl/bin:$PATH
or better yet, add this line to your shell's startup script.
After I wrote this answer, I found a post that confirmed my findings here.
Note: if you instead set yadm.openssl-old to true, you will need to do that on all your systems. I.e., both where you yadm encrypt and where you yadm decrypt, as the decryption will fail if the setting is different between systems.
Thanks, @rasa! I was sure I'd had Homebrew symlink its openssl into /usr/local/bin some time ago, but apparently that wasn't the case. So I was indeed mistakenly using the LibreSSL 2.8.3 shipped by Apple.
Digging through the release notes for LibreSSL it looks like -pbkdf2 was added in 2.9.1. That's also mentioned in the mailing list. I don't see any mention of -iter either in the mailing list or in the GitHub issues, though. So unfortunately I guess that doesn't provide enough information for yadm's docs to be updated to mention a specific version of LibreSSL that people can check for.
Maybe the docs could say something along the lines of "The version of LibreSSL that ships with macOS does not support -iter. In fact, as of this writing, neither does the latest version of LibreSSL (3.3.1). macOS users can obtain a compatible version of openssl using Homebrew or similar, and should use openssl version to check they're using that openssl and not LibreSSL."? ... or something like that.
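One way to run the check discussed above against a specific openssl path, as an added example that is not part of this thread or of yadm's code. The function names, cipher, iteration count, and passphrase are assumptions chosen for the probe, not yadm's own settings.

```shell
#!/bin/sh
# Added example: probe an openssl binary for the -pbkdf2 / -iter support
# discussed in this thread. All names and values below are illustrative.

SAMPLE='constructed sample plaintext'          # constructed test input
PASS='pass:constructed-test-passphrase'        # constructed, never a real secret
ENC_OPTS='-aes-256-cbc -pbkdf2 -iter 100000'   # assumed probe options

# Print LibreSSL, OpenSSL or unknown, based on the `version` banner.
openssl_flavor() {
    banner=$("$1" version 2>/dev/null) || banner=
    case $banner in
        LibreSSL*) echo LibreSSL ;;
        OpenSSL*)  echo OpenSSL ;;
        *)         echo unknown ;;
    esac
}

# Succeed only if an encrypt/decrypt round trip using -pbkdf2 and -iter
# returns the original plaintext. A binary that rejects either option
# fails at the encrypt step, so nothing is decrypted.
supports_pbkdf2_iter() {
    prog=$1
    tmp=$(mktemp) || return 2
    out=
    if printf '%s' "$SAMPLE" |
        "$prog" enc -e $ENC_OPTS -pass "$PASS" -out "$tmp" 2>/dev/null
    then
        out=$("$prog" enc -d $ENC_OPTS -pass "$PASS" -in "$tmp" 2>/dev/null) || out=
    fi
    rm -f "$tmp"
    [ "$out" = "$SAMPLE" ]
}

# Summarise one binary: which implementation it is and what it accepts.
report() {
    prog=$1
    flavor=$(openssl_flavor "$prog")
    if supports_pbkdf2_iter "$prog"; then
        echo "$prog ($flavor): -pbkdf2 and -iter accepted"
    else
        echo "$prog ($flavor): -pbkdf2/-iter rejected or binary not usable"
    fi
}

# Probe the path given as the first argument, or whatever `openssl` resolves to.
report "${1:-openssl}"
```

Run it once per machine that shares the dotfiles, passing the same path that yadm is configured to use, and compare the results before choosing a setting.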
I made a decision not to do automatic version tests to pick options because a single set of dotfiles often spans multiple systems which may have different OpenSSL implementations.
The user needs to set the option that will work with all of their systems. yadm can't know that from running on just one of their systems.
I'm guessing some documentation specifically about Mac homebrew could be helpful.
This issue has been labeled as stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.
I've been playing around with the encryption support and found that the 'openssl' encryption appears to be broken on macOS with Homebrew's openssl installed. More specifically I got:
Homebrew tells me that openssl@1.1 1.1.1i is installed which appears to be the latest stable release. Despite that, setting yadm.openssl-old to true appears to fix things and the encryption then works. Since openssl is not out of date, perhaps this is an issue with Homebrew compiling openssl without some needed features? In any case, it's probably worth noting in the docs that macOS users may need to set yadm.openssl-old.