Fossil SCM
Updated the macOS / OpenSSL 1.0 bits of the backup doc's encryption section to cover the latest situation under Big Sur.
Commit
0e1cc786bba5d57cf868838c9ebcc6e2864e69c3a18fe2d82ad169ad5b157c3b
Parent
4f9c6210cd940cb…
1 file changed
+14
-6
| --- www/backup.md | ||
| +++ www/backup.md | ||
| @@ -231,17 +231,25 @@ | ||
| 231 | 231 | |
| 232 | 232 | This requires OpenSSL 1.1 or higher. If you’re on 1.0 or older, you |
| 233 | 233 | won’t have the `-pbkdf2` and `-iter` options, and you may have to choose |
| 234 | 234 | a different cipher algorithm; both changes are likely to weaken the |
| 235 | 235 | encryption significantly, so you should install a newer version rather |
| 236 | -than work around the lack of these features. If you’re on macOS, which | |
| 237 | -still ships 1.0 as of the time of this writing, [Homebrew][hb] offers | |
| 238 | -the current version of OpenSSL, but to avoid a conflict with the platform | |
| 239 | -version, it’s [unlinked][hbul] by default, so you have to give an explicit | |
| 240 | -path to its “cellar” directory: | |
| 236 | +than work around the lack of these features. | |
| 237 | + | |
| 238 | +At the time of this writing — 2021.02.26 — macOS 11 (BigSur) ships an | |
| 239 | +outdated fork of OpenSSL 1.0 called [LibreSSL][lssl] that lacks this | |
| 240 | +capability. Until Apple redresses this lack, we recommend use of the | |
| 241 | +[Homebrew][hb] OpenSSL package rather than give up on the security | |
| 242 | +afforded by use of configurable-iteration PBKDF2 in OpenSSL 1.1 and up, | |
| 243 | +later backported to LibreSSL 2.9.1 and up. To avoid a conflict with the | |
| 244 | +platform version, Homebrew’s installation is [unlinked][hbul] by | |
| 245 | +default, so you have to give an explicit path to it, one of: | |
| 246 | + | |
| 247 | + /usr/local/opt/openssl/bin/openssl ... # Intel x86 Macs | |
| 248 | + /opt/homebrew/opt/openssl/bin/openssl ... # ARM Macs (“Apple silicon”) | |
| 241 | 249 | |
| 242 | - /usr/local/Cellar/openssl\@1.1/1.1.1g/bin/openssl ... | |
| 250 | +[lssl]: https://www.libressl.org/ | |
| 243 | 251 | |
| 244 | 252 | |
| 245 | 253 | ## <a id="rest"></a> Restoring From An Encrypted Backup |
| 246 | 254 | |
| 247 | 255 | The “restore” script for the above fragment is basically an inverse of |
| 248 | 256 |
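Review bot: In the new macOS paragraph (new lines 238-243), "ships an outdated fork of OpenSSL 1.0 called LibreSSL that lacks this capability" followed by "later backported to LibreSSL 2.9.1 and up" never says which LibreSSL version Big Sur ships, so a reader cannot tell from the doc whether their platform `openssl` has `-pbkdf2` and `-iter`. Suggest naming the shipped version, or telling readers to run `openssl version` and compare the result against 2.9.1, so the advice does not silently go stale. Two smaller points: "BigSur" should be "Big Sur", as the commit message spells it, and the replacement paths at new lines 247-248 drop the `openssl@1.1` pin that the removed Cellar path carried, so a sentence noting that they follow whatever Homebrew's current `openssl` formula is would help, given the paragraph above still reads "This requires OpenSSL 1.1 or higher".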
| --- www/backup.md | |
| +++ www/backup.md | |
| @@ -231,17 +231,25 @@ | |
| 231 | |
| 232 | This requires OpenSSL 1.1 or higher. If you’re on 1.0 or older, you |
| 233 | won’t have the `-pbkdf2` and `-iter` options, and you may have to choose |
| 234 | a different cipher algorithm; both changes are likely to weaken the |
| 235 | encryption significantly, so you should install a newer version rather |
| 236 | than work around the lack of these features. If you’re on macOS, which |
| 237 | still ships 1.0 as of the time of this writing, [Homebrew][hb] offers |
| 238 | the current version of OpenSSL, but to avoid a conflict with the platform |
| 239 | version, it’s [unlinked][hbul] by default, so you have to give an explicit |
| 240 | path to its “cellar” directory: |
| 241 | |
| 242 | /usr/local/Cellar/openssl\@1.1/1.1.1g/bin/openssl ... |
| 243 | |
| 244 | |
| 245 | ## <a id="rest"></a> Restoring From An Encrypted Backup |
| 246 | |
| 247 | The “restore” script for the above fragment is basically an inverse of |
| 248 |
| --- www/backup.md | |
| +++ www/backup.md | |
| @@ -231,17 +231,25 @@ | |
| 231 | |
| 232 | This requires OpenSSL 1.1 or higher. If you’re on 1.0 or older, you |
| 233 | won’t have the `-pbkdf2` and `-iter` options, and you may have to choose |
| 234 | a different cipher algorithm; both changes are likely to weaken the |
| 235 | encryption significantly, so you should install a newer version rather |
| 236 | than work around the lack of these features. |
| 237 | |
| 238 | At the time of this writing — 2021.02.26 — macOS 11 (BigSur) ships an |
| 239 | outdated fork of OpenSSL 1.0 called [LibreSSL][lssl] that lacks this |
| 240 | capability. Until Apple redresses this lack, we recommend use of the |
| 241 | [Homebrew][hb] OpenSSL package rather than give up on the security |
| 242 | afforded by use of configurable-iteration PBKDF2 in OpenSSL 1.1 and up, |
| 243 | later backported to LibreSSL 2.9.1 and up. To avoid a conflict with the |
| 244 | platform version, Homebrew’s installation is [unlinked][hbul] by |
| 245 | default, so you have to give an explicit path to it, one of: |
| 246 | |
| 247 | /usr/local/opt/openssl/bin/openssl ... # Intel x86 Macs |
| 248 | /opt/homebrew/opt/openssl/bin/openssl ... # ARM Macs (“Apple silicon”) |
| 249 | |
| 250 | [lssl]: https://www.libressl.org/ |
| 251 | |
| 252 | |
| 253 | ## <a id="rest"></a> Restoring From An Encrypted Backup |
| 254 | |
| 255 | The “restore” script for the above fragment is basically an inverse of |
| 256 |