On Thu, Sep 26, 2024 at 07:46:59PM +0200, 'David von Oheimb' via openssl-users wrote: > On 26.09.24 02:42, Robert Moskowitz wrote: > > openssl pkey -in testprv.pem -aes128 -out testoprv.pem > > > > And with the command line, you cannot overwrite the in file. I tried. :) > > This is due to a pretty silly oversight: > for no good reason, the tool opens the output file before reading the input > file, truncating it to zero length. > Took less than a minute to detect and fix: > https://github.com/openssl/openssl/pull/25552 Frankly, though the proposed on Github new code reads the key into memory before truncating the input/output file, this usage pattern is unsafe. If the program or the OS crashes before the output is committed to persistent storage, the key is lost. It could be argued that OpenSSL could instead refuse to use the same file for both input and output, thereby discouraging modes of operation that cannot be made safely atomic. Writing the output to a *new* file file is less liable to lose the key. If the key is freshly minted, and does not need to be retained unless encrypted successfully, then it should be *generated* already encrypted, without writing the unecrypted key to persistent storage. - Use a generation method that encrypts in one step. $ openssl genpkey -algorithm ed25519 -aes-128-cbc - Generate the key into a pipe with the pipe reader doing the encryption. $ openssl genpkey -algorithm ed25519 | openssl pkey -aes-128-cbc -- Viktor. -- You received this message because you are subscribed to the Google Groups "openssl-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx. To view this discussion on the web visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/Zvf81_XeDDXUGCQy%40chardros.imrryr.org.
