I am a Salesforce developer but new to the security world as well as Linux. We encrypted a file with a key and initialization vector in Salesforce (only symmetric encryption is possible in Salesforce). Now we are working with a partner team to decrypt the same on their Linux system using gpg and OpenSSL. But we were not able to.

Note: The key and vector we are using are in hexadecimal, and the algorithm we have used to encrypt is AES128.

GPG approach:

GPG seems to need the passphrase, which does not seem to be the key I've used for encrypting. Would it be possible to decrypt the file with just the key and IV in gpg at all?

OpenSSL approach:

We are also trying to explore OpenSSL if GPG does not work in our case. I have received the below command from Salesforce product support, but that does not work either. I got the response "bad decryption".

OpenSSL> enc -aes-128-cbc -d -a -nosalt -in C:\Testfiles\input.txt.enc -out C:\Testfiles\output.txt -K mywhateverkey -iv mywhateveriv

Can the experts of OpenSSL or GPG shed some light?

  • Are you trying to decrypt an existing file that's already been encrypted, or are you trying to figure out the right way to encrypt and decrypt a new file?
    – Jonathan
    Commented Aug 29, 2019 at 0:10
  • @Jonathan We started with finding the right way to encrypt a file in Salesforce with the options provided by Salesforce and decrypt the same on a Linux machine. Then the product support team suggested using the key + IV method. So we have used that encryption method and are now trying to decrypt the same. Here are the methods supported by Salesforce. If anything sounds like a better and safer option to encrypt and is also compatible to be decrypted in Linux, please suggest it. developer.salesforce.com/docs/atlas.en-us.apexcode.meta/…
    – Bahu SF
    Commented Aug 29, 2019 at 2:35

1 Answer

First of all, GPG has its own message format. Unless this is what is produced you won't be able to use it for decryption.

OpenSSL should be the better option for you. According to the documentation link you provided, the encryption is done using the AES cipher in CBC mode with PKCS#5 padding (all of those are important; AES128 is not a full encryption scheme you can use).

The command you gave in your question looks OK. I have two guesses as to what might cause the problem (assuming the encrypted file, key and IV are correct):

  1. BASE64 encoding: You use the -a switch which indicates BASE64 decoding. Are you sure your ciphertext is BASE64 encoded?
  2. Key/IV format: Did you put the KEY and IV there in the correct format?

As a guide, here is a MWE of such an encryption and decryption with openssl:

    $ echo "foo" > input.txt
    $ openssl enc -aes-128-cbc -e -a -nosalt -K 0102030405060708090a0b0c0d0e0f10 -iv 00112233445566778899aabbccddeeff -in input.txt -out input.txt.enc
    $ cat input.txt.enc
    oo9TBVgBrcfUHd5wE3gctw==
    $ openssl enc -aes-128-cbc -d -a -nosalt -K 0102030405060708090a0b0c0d0e0f10 -iv 00112233445566778899aabbccddeeff -in input.txt.enc
    foo
  • Mat, this is great info. We ended up with the OpenSSL option! I was using the base64 cipher. But I found the problem. While encoding it to base64 in Salesforce, the last next line character in the encrypted string was getting removed. I compared the OpenSSL encrypted file vs the Salesforce encrypted file and found the missing char. And fixed it.
    – Bahu SF
    Commented Aug 29, 2019 at 19:46
  • The next line character seems to be a bigger problem than I thought. Adding one next line char at the end worked for a single-line sample file. But now when my real file (which has real data and multiple lines) is encrypted in Salesforce, the encrypted output string matches the encryption done directly in OpenSSL except for one difference: OpenSSL's encrypted string is split across 100's of lines (split by new line chars), but the Salesforce encrypted string is just returned as one long string (not multiple lines). Now this is causing incorrect decryption.
    – Bahu SF
    Commented Aug 30, 2019 at 0:33
  • @David Reed, do you think of anything that I am missing?
    – Bahu SF
    Commented Aug 30, 2019 at 0:42
  • I think I understood the issue. OpenSSL encrypts in chunks of 32 bytes but Salesforce does it in one line, and OpenSSL has an option where we can say the input buffer is in one line, i.e. -A, so this works finally. enc -aes-128-cbc -d -base64 -A -K mykeyinhexa -iv myIVinhexa -in sf_enc.txt -out sf_dec.tx
    – Bahu SF
    Commented Aug 30, 2019 at 17:11
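
Added example, not part of the original thread and not Salesforce or OpenSSL project code: a shell helper covering the two causes named in the answer (key/IV format, base64 layout) and the `-A` fix found in the comments. The function names and sample records are constructed for illustration; the key and IV are the sample hex values from the answer's MWE.

```shell
#!/bin/sh
# Added example; KEY and IV are the sample hex values from the answer's MWE.
KEY=0102030405060708090a0b0c0d0e0f10
IV=00112233445566778899aabbccddeeff

# is_hex128 VALUE: true only for exactly 32 hex digits (16 bytes, AES-128).
# openssl zero-pads a -K/-iv value that is too short rather than rejecting
# it, and the resulting wrong key usually shows up as "bad decrypt".
is_hex128() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# decrypt_b64 KEY IV FILE: AES-128-CBC decrypt of base64 text, independent of
# how the base64 is wrapped. Whitespace (including CR from Windows transfers)
# is stripped, then -A tells openssl the base64 is one unbroken line.
decrypt_b64() {
    if ! is_hex128 "$1" || ! is_hex128 "$2"; then
        echo "key and IV must each be 32 hex digits" >&2
        return 2
    fi
    tr -d ' \t\r\n' < "$3" |
        openssl enc -aes-128-cbc -d -a -A -nosalt -K "$1" -iv "$2"
}

# roundtrip_demo: encrypt a constructed multi-line file twice, once with
# openssl's default 64-column base64 wrapping and once as a single line (the
# shape described for the Salesforce output), then decrypt both.
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    i=1
    while [ "$i" -le 20 ]; do
        echo "constructed sample record $i"
        i=$((i + 1))
    done > "$d/plain.txt"
    for wrap in "" "-A"; do
        # $wrap is intentionally unquoted so the empty case adds no argument
        openssl enc -aes-128-cbc -e -a $wrap -nosalt -K "$KEY" -iv "$IV" \
            -in "$d/plain.txt" -out "$d/cipher$wrap.b64" || return 1
        decrypt_b64 "$KEY" "$IV" "$d/cipher$wrap.b64" |
            cmp -s - "$d/plain.txt" || return 1
    done
    rm -rf "$d"
}

roundtrip_demo && echo "wrapped and single-line base64 both decrypt correctly"
```

Because the helper normalises the base64 before decoding, the same command works whether the sender wrapped the ciphertext, dropped the trailing newline, or sent one long line.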
