Todo #12556

closed

Comply with current iteration standards when encrypting and decrypting configuration files

Added by Phil Wardt about 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Backup / Restore
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default

Description

I pushed a commit since this should be a really easy enhancement:
https://github.com/pfsense/pfsense/pull/4545

OpenSSL currently defaults to 10'000 iterations, which is by far a low security standard that was acceptable before 2010.
Nowadays, even on entry level hardware, a count of 100'000 is the minimum.

The impact on import/export of config files is marginal for such an occasional task.

Storing the config file online with an iteration count of only 10'000 is really questionable.
Sure, even a 1'000'000 iteration count won't compensate for a weak password, but going with at least 100'000 is a minimum recommendation for a firewall.
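
To put numbers on the trade-off discussed in the description, the following added example (not part of the ticket or of the linked pull request) times one key derivation at each iteration count and shows that a key derived at one count does not match a key derived at another. It assumes PBKDF2-HMAC-SHA256 producing a 32-byte key plus a 16-byte IV; the password and salts are constructed sample values.

```python
import hashlib
import time

# Assumption: 32-byte key + 16-byte IV (AES-256-CBC sizes), PBKDF2-HMAC-SHA256.
KEY_LEN, IV_LEN = 32, 16

def derive_key_iv(password: bytes, salt: bytes, iterations: int):
    """Derive key and IV in one PBKDF2 call, split as key || iv."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                                   dklen=KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]

def seconds_per_derivation(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall time for one derivation, i.e. the cost of one password guess."""
    salt = b"\x00" * 8  # constructed 8-byte salt
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive_key_iv(b"constructed-sample-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def guesses_per_day(iterations: int) -> float:
    """Single-core password guesses per day on this machine at the given count."""
    return 86400 / seconds_per_derivation(iterations)

if __name__ == "__main__":
    for count in (10_000, 100_000, 1_000_000):
        cost = seconds_per_derivation(count)
        print(f"{count:>9} iterations: {cost * 1000:8.1f} ms per derivation, "
              f"{86400 / cost:12.0f} guesses/day/core")
    # Same password and salt, different counts: unrelated keys, so the
    # encrypting and decrypting sides must agree on the count.
    old = derive_key_iv(b"constructed-sample-password", b"\x01" * 8, 10_000)
    new = derive_key_iv(b"constructed-sample-password", b"\x01" * 8, 100_000)
    print("keys match across counts:", old == new)
```

The per-derivation time is paid once by a legitimate import or export and once per guess by anyone brute-forcing the password, which is why the cost grows linearly with the count for both.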


Related issues

Related to Regression #12897: Attempting to decrypt an encrypted backup with the wrong password makes the GUI timeout (Resolved, Jim Pingle)
