I'm trying to migrate from the AES module to Real AES following the instructions here: https://www.drupal.org/project/aes

When I try to create the "Real AES Key" I get the message "The selected key size does not match the actual size of the key."

I generated the key using openssl rand -base64 128 > encryption.key

Attached is the key I tried (this is just a testing key) and these are the settings I selected:

Key type: Encryption
Key size: 128
Key provider: File
Key location: ../keys/encryption.key (I stepped through in a debugger and the path is correct)
Base64-encoded: yes

When I submit the form, eventually key_type_encryption_validate_key_value() runs. $bytes is 16 (128/8), but it's being compared to strlen($key_value) which is 128. Is that a bug or did I choose the wrong values?

Attachment: encryption.key_.txt (175 bytes), uploaded by KarlShea

Comments

KarlShea created an issue. See original summary.

KarlShea’s picture

Project: Key » AES encryption
Version: 7.x-3.x-dev » 7.x-1.x-dev

I see, I had to set a custom key size of 1024. I feel like the migration instructions are not as clear as they could be; I'll move this issue over there.

rlhawk’s picture

Right. If you want a 128-bit key, use:

openssl rand -base64 16 > encryption.key

If you're using the Real AES module and the Defuse PHP Encryption library, the key will need to be a certain size — probably 128 bits, not 1024. AES doesn't support keys that large.

KarlShea’s picture

Cool, thanks, that worked. Who needs to be pinged to update the migration instructions? There are still 7000 sites using AES and I know this will be an issue again. I'm only using it to encrypt UPS shipping credentials.

ñull’s picture

Title: Key size error trying to migrate from AES module » Key size error in the migration instruction

The Key module's size setting is in BITS. The number in the openssl command is in bytes. The openssl command in the migration instructions does not create a 128 BIT key but a 1024 BIT key. With the given instructions the key size should be 1024. The migration instructions should therefore be:

openssl rand -base64 16 > encryption.key

16 (bytes) x 8 (bits) = 128 bits.

I also tried a large key size. Apparently 2048 is too much because it did not work here.
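
The bits-versus-bytes mismatch discussed above can be caught before the key is registered by decoding the file and comparing its length with the configured size. This script is an added example, not part of the original thread or of the Key or Real AES modules; the function names, the /dev/urandom fallback and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example: confirm a base64 key file decodes to the size (in bits)
# selected in the Key module, before submitting the form.

# Emit N random bytes, base64-encoded. Uses the thread's openssl command;
# the /dev/urandom fallback is an assumption for hosts without openssl.
gen_key_b64() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$1"
    else
        head -c "$1" /dev/urandom | base64
    fi
}

# Print the decoded key length in bits; return 2 if the file is not base64.
decoded_key_bits() {
    base64 -d < "$1" >/dev/null 2>&1 || return 2
    bytes=$(base64 -d < "$1" | wc -c)
    echo $((bytes * 8))
}

# Compare decoded length with the configured size (bits = bytes * 8).
check_key_size() {   # usage: check_key_size FILE EXPECTED_BITS
    actual=$(decoded_key_bits "$1") || { echo "not valid base64: $1" >&2; return 2; }
    if [ "$actual" -eq "$2" ]; then
        echo "OK: $1 decodes to $actual bits"
    else
        echo "MISMATCH: $1 decodes to $actual bits, expected $2" >&2
        return 1
    fi
}

# Constructed demo keys in a temporary directory (hypothetical paths).
demo_dir=$(mktemp -d)
gen_key_b64 128 > "$demo_dir/reported.key"    # command from the report
gen_key_b64 16  > "$demo_dir/corrected.key"   # command from the replies
check_key_size "$demo_dir/reported.key" 128 || true   # MISMATCH: 1024 bits
check_key_size "$demo_dir/corrected.key" 128          # OK: 128 bits
rm -rf "$demo_dir"
```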

ñull’s picture

Another error in the migration instructions is that the old aes module should be deleted before you try to enable the new one. In my case the old one got re-enabled because Drupal cannot distinguish between two modules with the same machine name. To uninstall you need to do the reverse: delete the new aes submodule of real_aes and re-download the old aes. After uninstallation you need to re-download the new aes submodule of real_aes again.

ñull’s picture

Component: Code » Documentation
Category: Support request » Bug report

Cellar Door’s picture

Status: Active » Fixed

Thanks for the input all! We've updated the migration instructions.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.