
Question: Does AES_Encrypt use CBC mode as default?

Danny325

Basic Pleskian
Using Plesk Version 17.8.11.
MySQL has some nice real-time encryption/decryption (aes_encrypt/aes_decrypt) possibilities that others like libsodium don't have at the moment.

In earlier versions MySQL was built with ECB mode as the only option. Since version 5.6.17 it's possible to use other modes like CBC, which is a lot more secure.

On my Plesk version, is the MySQL server already built/configured with secure CBC mode, or is it still ECB?

If not, you should definitely do that as default. Could you show me a temporary fix in the meantime? ECB is very insecure and makes every encryption useless.

Understand and satisfy your AES encryption needs with 5.6.17

For non-real-time encryption/decryption everyone should use libsodium instead (built into the latest PHP version 7.2.9).
 
JayBee has asked for the wisdom of the Perl Monks concerning the following question:

Trying to connect to DB to convert passwords to encrypt with AES in CBC mode (vs ECB) I've learned that I have to SET the SESSION before executing any SQL commands. So these two work when I attempt to do it with phpMyAdmin:

SET @@session.block_encryption_mode = 'aes-128-cbc';
SELECT ID, HEX(AES_ENCRYPT(Password,'$key',RANDOM_BYTES(16))) FROM User WHERE 1;
## OR
SET SESSION block_encryption_mode = 'aes-128-cbc';
SELECT ID, HEX(AES_ENCRYPT(Password,'$key',RANDOM_BYTES(16))) FROM User WHERE 1;

but none will work when I attempt it through my script. Here's the basics:

use strict; use CGI ':standard';
use DBI; use DBD::mysql;
our ($sth,$dbh,%Set,@Out);

&DBCredentials; # assigns %Set;
print header,start_html('test');


DBRun("SET SESSION block_encryption_mode='aes-128-cbc';

SELECT ID, HEX(AES_ENCRYPT(Password,'$Set{AESKey}',RANDOM_BYTES(16)))
FROM User WHERE 1");
while (my @ar=$sth->fetchrow_array){
my $len=length($ar[1]); push @Out,"$ar[0]: L=$len -- $ar[1]<br />\n";
} &DBEnd;

print shift(@Out)."\n" while @Out;


sub DBConnect { my $er;
my $dsn='DBI:mysql:database='.$Set{DBName};
$dbh=DBI->connect($dsn, $Set{DBUser}, $Set{DBPass}) || ($er=1);
if ($er){ myErr('DB Start Error'); }
} ##DBConnect##

sub DBRun { my $er; &DBConnect;
$sth=$dbh->prepare($_[0]) || ($er=1);
$sth->execute || ($er=1) if !$er;
if ($er){ myErr('DB Execute Error', $_[0]); }
} ##DBRun##

sub DBDo { my $er; &DBConnect; $dbh->do($_[0]) || ($er=1);
if ($DBI::err || $er){ myErr('DB Do Error', $_[0], $DBI::errstr);
} $dbh->disconnect();
} ##DBDo##

sub DBEnd {$sth->finish; $dbh->disconnect;
} ##DBEnd#
Not sure what this is exactly, but I've also tried adding Callbacks to the DBConnect portion, but that didn't work either:

sub DBConnect { my $er;
my $DBCall={
'connect_cached.connected' => sub {
shift->do("SET SESSION block_encryption_mode='aes-128-cbc'");
}
};

my $dsn='DBI:mysql:database='.$Set{DBName};
$dbh=DBI->connect($dsn, $Set{DBUser}, $Set{DBPass}, { Callbacks => $DBCall }) || ($er=1);
if ($er){ myErr('DB Start Error'); }
} ##DBConnect##
 
I set the block encryption mode globally inside the /etc/mysql/my.cnf.
It's the only working method for me. Now, for an "unexpected" reason, I receive the following error:

2018-09-13 06:29:30 INFO: pum is called with arguments: ['--update', '--json']
2018-09-13 06:29:40 INFO: no packages to update
E:Sub-process /usr/bin/dpkg returned an error code (2)
2018-09-13 06:29:41 ERROR: installArchives() failed
2018-09-13 06:29:41 ERROR: Exited with returncode 1.

Well, according to this page:
Unable to update Plesk: Sub-process /usr/bin/dpkg returned an error code (1)

the problem is caused because it's a misconfiguration on my MySQL server. LOL.
The only thing I added was:
block_encryption_mode = 'aes-256-cbc'

Problems over problems.
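
Added example, not code from either poster: a MySQL session script showing what the mode setting changes and why the IV has to be stored. The table `demo_user`, its columns, the passphrase and the sample values are all constructed for illustration. The `SET SESSION` statement only affects the connection that issues it, so every statement below must run on that same connection.

```sql
-- Constructed demo table: two rows holding the same plaintext.
CREATE TEMPORARY TABLE demo_user (
  id     INT PRIMARY KEY,
  secret VARCHAR(64),
  iv     VARBINARY(16),
  ct     VARBINARY(96)
);
INSERT INTO demo_user (id, secret) VALUES (1, 'hunter2'), (2, 'hunter2');

-- Constructed 32-byte key derived from a demo passphrase.
SET @key = UNHEX(SHA2('constructed demo passphrase', 256));

-- Which mode is this connection using right now?
SELECT @@global.block_encryption_mode, @@session.block_encryption_mode;

-- ECB: no IV argument, so equal plaintexts give equal ciphertexts.
SET SESSION block_encryption_mode = 'aes-128-ecb';
SELECT id, HEX(AES_ENCRYPT(secret, @key)) AS ecb_ct FROM demo_user;

-- CBC: generate one IV per row and keep it next to the ciphertext.
-- An IV produced inline by RANDOM_BYTES(16) and never stored cannot be
-- supplied again at decryption time.
SET SESSION block_encryption_mode = 'aes-256-cbc';
UPDATE demo_user SET iv = RANDOM_BYTES(16);
UPDATE demo_user SET ct = AES_ENCRYPT(secret, @key, iv);

-- Same plaintext, different IVs: the ciphertexts now differ.
SELECT id, HEX(iv) AS iv_hex, HEX(ct) AS cbc_ct FROM demo_user;

-- Round trip using the stored IV; the session mode must match the one
-- used for encryption.
SELECT id, CAST(AES_DECRYPT(ct, @key, iv) AS CHAR) AS roundtrip FROM demo_user;
```

Decrypting with a different `block_encryption_mode` than the one used for encryption will not return the original value, so a change of the global default affects every existing ciphertext written under the old mode.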
 