datastorm-open / shinymanager

Simple and secure authentication mechanism for single shiny applications.
https://datastorm-open.github.io/shinymanager/

Warning: Error in : OpenSSL error in EVP_DecryptFinal_ex: bad decrypt #53

Open adamtaiti opened 4 years ago

adamtaiti commented 4 years ago

Hello all,

I'm struggling with this bad decrypt error. It seems that when I set my database's key it does not go to the global environment and I get this error. I'm trying to do so on an Ubuntu server using shiny-server.

Any ideas on this issue? Any help would be greatly appreciated!

adamtaiti commented 4 years ago

Here is an example code...

First I set the database:

credentials <- data.frame(
  user = c("shiny", "shinymanager"),
  password = c("azerty", "12345"),
  admin = c(FALSE, TRUE),
  stringsAsFactors = FALSE
)

library(keyring)
key_set("R-shinymanager-key", "obiwankenobi")

library(shinymanager)

create_db(
   credentials_data = credentials,
   sqlite_path = "credentials.sqlite", # will be created
   passphrase = key_get("R-shinymanager-key", "obiwankenobi")
)

Then I run the app

library(shiny)
library(shinymanager)
library(keyring)

ui <- fluidPage(
  tags$h2("My secure application"),
  verbatimTextOutput("auth_output")
)

# Wrap your UI with secure_app, enabled admin mode or not
ui <- secure_app(ui, enable_admin = TRUE)
server <- function(input, output, session) {

  # check_credentials directly on sqlite db
  res_auth <- secure_server(
    check_credentials = check_credentials(
      "credentials.sqlite",
      passphrase = key_get("R-shinymanager-key", "obiwankenobi")
      # passphrase = "passphrase_wihtout_keyring"
    )
  )

  output$auth_output <- renderPrint({
    reactiveValuesToList(res_auth)
  })
}

shinyApp(ui, server)

The files are located on /srv/shiny-server/shinymanagerApp

Below is the log file of a run:

Listening on http://127.0.0.1:37940
Warning in default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables
Warning: Error in b_envget: Cannot find password
  72: observeEventHandler
  1: runApp

tcwilkinson commented 3 years ago

Am suffering from the same errors... (transferring from RStudio to Shiny Server seems to have done this). Did you ever solve this?

bthieurmel commented 3 years ago

Hi,

Do you set the key with key_set("R-shinymanager-key", "obiwankenobi") on the same machine where you deploy the app using shiny-server?

plorch commented 3 years ago

I suspect the OP got the error because the keyring method of passing in passphrase requires you to enter your keyring password, which generally requires a GUI. When you test this on your desk/laptop, you get a window to input a password. I guess shinymanager saves this (locally?) to provide when you try to run the check_credentials with this

...
   res_auth <- secure_server(
    check_credentials = check_credentials(
        "path/to/database.sqlite",
        passphrase = key_get("R-shinymanager-key", "obiwankenobi")
        # passphrase = "passphrase_wihtout_keyring"
    )
  )
...

I suspect that the second example in ?key_set that uses key_set_with_value is what is needed for running on a server. I found some information on the keyring GitHub here: https://github.com/r-lib/keyring/issues/77

If I am wrong on this, I would love to know how to make it work.

plorch commented 3 years ago

I have been getting this same error when I do not use key_set/key_get. So when I specify the passphrase as text in the create_db step, the .sqlite db gets created. When I then pass the passphrase directly as text I get the error in the OP subject. For a reprex, you could comment/uncomment the passphrase lines in the example code.

plorch commented 3 years ago

On the Mac, the error I was getting when setting the passphrase with a character string was due to a version mismatch between my R (3.6.2) and what shinymanager was compiled with (4.0.3). Updating R produced a smaller .sqlite db and fixed the issue. Posting in hopes it helps someone else.

plorch commented 3 years ago

On Windows I get the OP subject error no matter what I do.

pvictor commented 3 years ago

keyring was just an example of how you can store a secret; there are other methods such as environment variables. You can read more here: https://cran.r-project.org/web/packages/httr/vignettes/secrets.html

On a Linux server, you need to install libsecret; otherwise you can only store keys in environment variables of the R session. And you can set a key without the interactive prompt with:

keyring::key_set_with_value("R-shinymanager-key", username = "obiwankenobi", password = "123")

plorch commented 3 years ago

Thanks @pvictor. I did install libsecret, but then discovered that keyring::key_set_with_value requires there to be an unlocked keyring for that method of setting the key to work. I cannot see how to do that on our shiny server without a GUI.

I had looked at Hadley's httr vignette. One thing of note about the security of this method is "These environment variables will be available in every running R process, and can easily be read by any other program on your computer to access that file directly."

For now I think we will use a secrets file that is .gitignored. Our app needs to access database tables, and we have to have login credentials stored for that as well, and we had been using a secrets file for this purpose. I cannot see an advantage over this method of adding environment variables to .Renviron (the only way to have secrets stored as environment variables persist across sessions).
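
Added example, not part of the thread or of shinymanager's own code: one way to supply the database passphrase on a headless shiny-server without keyring, reading it from an environment variable or an owner-only secrets file and failing at startup when neither is usable. The variable name `SHINYMANAGER_PASSPHRASE`, the default file path and the helper `get_db_passphrase()` are hypothetical.

```r
# Resolve the passphrase without any interactive keyring prompt.
# Env var name and secrets path are assumptions made for this example.
get_db_passphrase <- function(env_var = "SHINYMANAGER_PASSPHRASE",
                              secrets_file = "/etc/shinymanagerApp/passphrase") {
  value <- Sys.getenv(env_var, unset = NA_character_)
  if (!is.na(value) && nzchar(value)) {
    return(value)
  }
  if (!file.exists(secrets_file)) {
    stop("No passphrase found: set ", env_var, " or create ", secrets_file,
         call. = FALSE)
  }
  # On POSIX systems, refuse a file that group or others can access (mode & 077).
  mode <- as.integer(file.info(secrets_file)$mode)
  if (.Platform$OS.type == "unix" && bitwAnd(mode, 63L) != 0L) {
    stop("Secrets file ", secrets_file, " must be owner-only (chmod 600)",
         call. = FALSE)
  }
  value <- readLines(secrets_file, n = 1L, warn = FALSE)
  if (length(value) != 1L || !nzchar(value)) {
    stop("Secrets file ", secrets_file, " is empty", call. = FALSE)
  }
  value
}

# Constructed demo: a throwaway secrets file holding a made-up passphrase.
demo_file <- tempfile("passphrase-")
writeLines("constructed-demo-passphrase", demo_file)
Sys.chmod(demo_file, mode = "0600", use_umask = FALSE)
Sys.unsetenv("SHINYMANAGER_PASSPHRASE")
stopifnot(identical(get_db_passphrase(secrets_file = demo_file),
                    "constructed-demo-passphrase"))

if (.Platform$OS.type == "unix") {
  # A world-readable file is rejected before its content is used.
  Sys.chmod(demo_file, mode = "0644", use_umask = FALSE)
  res <- try(get_db_passphrase(secrets_file = demo_file), silent = TRUE)
  stopifnot(inherits(res, "try-error"))
}

# The environment variable takes precedence when it is set.
Sys.setenv(SHINYMANAGER_PASSPHRASE = "constructed-env-passphrase")
stopifnot(identical(get_db_passphrase(secrets_file = demo_file),
                    "constructed-env-passphrase"))
Sys.unsetenv("SHINYMANAGER_PASSPHRASE")
unlink(demo_file)
```

Pass the returned value as `passphrase =` to both `create_db()` and `check_credentials()`, resolved once at app startup so a missing secret stops the app before the first login attempt.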

plorch commented 3 years ago

On Windows I get the OP subject error no matter what I do.

I wanted to follow up on this message. I realized that on Windows only, I get the OP subject error along with another error when I delete the .sqlite db file without restarting R. When I recreate the db and I launch the app again, the two errors occur no matter what I do. I think that the db is still running unless you quit R. I can tell this because if you don't restart R, delete the db file, create a new one, and restart the app, there is another file visible in the RStudio files window with the name databaseName.journal. This does not happen on Mac.