jonasvinther / medusa

A cli tool for importing and exporting Hashicorp Vault secrets
MIT License
482 stars 62 forks

Encryption/Decryption & OpenSSL #140

Closed jmdarr closed 9 months ago

jmdarr commented 1 year ago

When following instructions for exporting secrets with encryption on an AlmaLinux 8/9 VM, I get the following error (sample is from AlmaLinux 9):

[root@vaultbak01 medusa]# cat /etc/redhat-release
AlmaLinux release 9.2 (Turquoise Kodkod)
[root@vaultbak01 medusa]# rpm -q openssl
openssl-3.0.7-17.el9_2.x86_64
[root@vaultbak01 medusa]# openssl genrsa -out private-key.pem 4096
[root@vaultbak01 medusa]# openssl rsa -in private-key.pem -pubout -out public-key.pem
writing RSA key
[root@vaultbak01 medusa]# ./medusa export jmdarr --encrypt="true" --public-key="public-key.pem" --output="encrypted-vault-secrets.txt"
[root@vaultbak01 medusa]# cat encrypted-vault-secrets.txt
Hn3OtVsGrwDBM9mR+jd3805duK/AROO... (snipped)
[root@vaultbak01 medusa]# ./medusa import jmdarr encrypted-vault-secrets.txt --decrypt="true" --private-key="private-key.pem"
2023/10/02 19:39:30 ERROR: fail get idrsa, x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)
[root@vaultbak01 medusa]# head -n 5 public-key.pem
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+UcM9jEREg1feAZplNX1
f0l3H5x0RlMYFmdNOah9TLTaAzAzyJBijJAn/CdX7DcDFpxu+CKH7IH/U2vNd38D
2Q6maNHhZxdPSoTiLvXU7G/ZsDWHfhvjLaZ2O+RNQMyiaNMZY+p0k1UiTTilZmp8
VMFhyRtnw+raMVHU0lb+9glknCZvmkIITLxOyxF20aGpLxuu2rJ7lFBo+55tcK5n
[root@vaultbak01 medusa]# head -n 5 private-key.pem
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQD5Rwz2MRESDV94
BmmU1fV/SXcfnHRGUxgWZ005qH1MtNoDMDPIkGKMkCf8J1fsNwMWnG74Iofsgf9T
a813fwPZDqZo0eFnF09KhOIu9dTsb9mwNYd+G+MtpnY75E1AzKJo0xlj6nSTVSJN
OKVmanxUwWHJG2fD6toxUdTSVv72CWScJm+aQghMvE7LEXbRoakvG67asnuUUGj7

I was surprised at the error, and given that I didn't find a large number of issues with this problem, decided to try an older OS/openssl version. When following instructions for exporting secrets with encryption on a CentOS 7 VM:

[root@vaultbak03 medusa]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@vaultbak03 medusa]# rpm -q openssl
openssl-1.0.2k-26.el7_9.x86_64
[root@vaultbak03 medusa]# openssl genrsa -out private-key.pem 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................................................++
.....................................................................++
e is 65537 (0x10001)
[root@vaultbak03 medusa]# openssl rsa -in private-key.pem -pubout -out public-key.pem
writing RSA key
[root@vaultbak03 medusa]# ./medusa export jmdarr --encrypt="true" --public-key="public-key.pem" --output="encrypted-vault-secrets.txt"
[root@vaultbak03 medusa]# cat encrypted-vault-secrets.txt
alyJc7XEWRpdr7XSXiLOHPoPv1K2vDkn... (snipped)
[root@vaultbak03 medusa]# ./medusa import jmdarr encrypted-vault-secrets.txt --decrypt="true" --private-key="private-key.pem"
Secret successfully written to Vault [127.0.0.1:8081] using path [/test_secret]
[root@vaultbak03 medusa]# head -n 5 public-key.pem
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuvGp2w5sn/5kwUCwGFhv
013HfDZ5eOrSXvNK9xGQwpHnXNmw+DzofKws3H0Xcb+kBea3olkh4CYzzDyHVHJy
zTQe0nqVoS+GapOGwT2UBeuYlUivYWA3oGicM6TwDyZeJ0EPyPdHZ4+OFnz4QDAy
5zp4/Kl9+BsFK5JvJPwLZni47TfTZcENYQ6Pz9bnmEBVYbMMbAzUv8P0i0L5AP0R
[root@vaultbak03 medusa]# head -n 5 private-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAuvGp2w5sn/5kwUCwGFhv013HfDZ5eOrSXvNK9xGQwpHnXNmw
+DzofKws3H0Xcb+kBea3olkh4CYzzDyHVHJyzTQe0nqVoS+GapOGwT2UBeuYlUiv
YWA3oGicM6TwDyZeJ0EPyPdHZ4+OFnz4QDAy5zp4/Kl9+BsFK5JvJPwLZni47TfT
ZcENYQ6Pz9bnmEBVYbMMbAzUv8P0i0L5AP0RGpNiNZWVSgQakkWKQ1JGFkcXLEWT

I attempted to adjust the headers manually, which of course did not work. It appears that the current version doesn't want to work with the openssl-generated RSA keys per the README.
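The two transcripts above differ only in the PEM label of the private key: OpenSSL 1.0.2 writes a PKCS#1 container (`-----BEGIN RSA PRIVATE KEY-----`), while OpenSSL 3.0 writes a PKCS#8 container (`-----BEGIN PRIVATE KEY-----`) by default, and Go's `x509.ParsePKCS1PrivateKey` rejects the latter with exactly the "use ParsePKCS8PrivateKey instead for this key format" message quoted in the issue. The following is an added example written for this page, not medusa's own code; the function names `ParsePKCS1Only`, `ParseRSAPrivateKeyPEM`, `EncodePKCS1PEM` and `EncodePKCS8PEM` are ours. It reproduces the failure with a PKCS#1-only loader and shows a loader that dispatches on the PEM block type so both OpenSSL generations' keys work, rejecting non-RSA and passphrase-protected PKCS#8 keys explicitly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
)

// ParsePKCS1Only mirrors a loader that accepts only the PKCS#1 container
// ("-----BEGIN RSA PRIVATE KEY-----"). Fed an OpenSSL 3 key, Go's x509
// returns "use ParsePKCS8PrivateKey instead for this key format".
func ParsePKCS1Only(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// ParseRSAPrivateKeyPEM accepts both containers OpenSSL writes for an RSA key:
// PKCS#1 "RSA PRIVATE KEY" (OpenSSL 1.0.x default, the CentOS 7 output) and
// PKCS#8 "PRIVATE KEY" (OpenSSL 3.x default, the AlmaLinux 9 output).
// Dispatching on the PEM label is the check the Go error message asks for.
func ParseRSAPrivateKeyPEM(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			// PKCS#8 can wrap EC or Ed25519 keys; RSA decryption needs an RSA key.
			return nil, fmt.Errorf("PKCS#8 key is %T, not *rsa.PrivateKey", key)
		}
		return rsaKey, nil
	case "ENCRYPTED PRIVATE KEY":
		return nil, errors.New("passphrase-protected PKCS#8 key is not supported; decrypt it first")
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// EncodePKCS1PEM writes the OpenSSL 1.x style container for a key.
func EncodePKCS1PEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// EncodePKCS8PEM writes the OpenSSL 3.x style container for the same key.
func EncodePKCS8PEM(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	// Constructed test key; 2048 bits keeps the demo fast, the container issue is the same at 4096.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	pkcs8, err := EncodePKCS8PEM(key)
	if err != nil {
		log.Fatal(err)
	}
	if _, err := ParsePKCS1Only(pkcs8); err != nil {
		fmt.Println("PKCS#1-only loader on an OpenSSL 3 style key:", err)
	}
	for name, data := range map[string][]byte{"pkcs1": EncodePKCS1PEM(key), "pkcs8": pkcs8} {
		parsed, err := ParseRSAPrivateKeyPEM(data)
		if err != nil {
			log.Fatalf("%s: %v", name, err)
		}
		fmt.Printf("%s: parsed OK, matches original: %v\n", name, parsed.Equal(key))
	}
}
```

On the OpenSSL side, the same key can be rewritten into the PKCS#1 container that a PKCS#1-only loader expects with `openssl rsa -in private-key.pem -traditional -out private-key-pkcs1.pem` (OpenSSL 3.x also accepts `-traditional` on `genrsa`); the fix in the loader is preferable because it removes the dependency on which OpenSSL version generated the key.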