Suddenly getting openssl bad decrypt error when trying to decrypt a file

Suddenly getting the following error when the openssl decryption of a file happens:

$ openssl aes-256-cbc -K $encrypted_abc123_key -iv $encrypted_abc123_iv -in encrypted_file.txt.enc -out decrypted_file.txt -d
bad decrypt
140292960769688:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:555:

There have been no changes to the key/iv or the encrypted file and no changes to the .travis.yml. This has just started error within the last day or so.

Worker information
hostname: 2ec78f0e-a88c-4419-a042-2ab94b98e698@1.worker-com-77564c74fb-j7trz.gce-production-2
version: 6.2.22
instance: travis-job-da333ed4-5ea6-4fb3-8149-3c808f7f4891 travis-ci-sardonyx-xenial-1643096237-31a09d16 (via amqp)
startup: 6.739273267s
Build system information
Build language: ruby
Build dist: xenial
Build id: 246587813
Job id: 560011709
Runtime kernel version: 4.15.0-1098-gcp
travis-build version: ea990e5f
Build image provisioning date and time
Tue Jan 25 08:00:00 UTC 2022
Operating System Details
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.7 LTS
Release:	16.04
Codename:	xenial

Also, don’t know if it’s related or not, but also having this issue when trying to debug: Debug builds taking a long time to start tmate

I have extracted the values travis is putting into the $encrypted_abc123_key and $encrypted_abc123_iv vars and tried to decrypt locally and am getting the same error. However these values were NOT changed by us, which is leading me to believe that travis is inserting the wrong values into these vars.

Looks like a duplicate of "bad decrypt" when there are multiple encrypted files - #12 by native-api

It actually looks like a different issue, while there are multiple encrypted files used in the build, each one has its own key/iv and each command was copied and used exactly from travis’ encrypt output. Also, as mentioned in the original post, this decryption was working fine for about a year, and suddenly stopped working without any changes from us on either the encrypted file, the key/iv vars, or the travis.yml file.

Okay, then I cannot help you any further without insider info or at least seeing the builds.

@Montana , were there any recent OpenSSL version changes in the environments that the OP uses (see "bad decrypt" when there are multiple encrypted files - #4 by native-api)?

1 Like

Hey @native-api,

We have upgraded from 1.0.2g to 1.1.1.. For the OP, for me to find the root cause of this, is it possible to see your first failing build and the last build that succeeded? Hopefully the build was triggered on the same branch, if not this will take more investigating.

1 Like

@Montana Travis CI - Test and Deploy with Confidence is one of the failing builds, we never had one succeed until we re-encrypted the file.