Duplicity

Duplicity fails with FIPS enabled

Asked by Dustin Todd

When trying to use the application for backups (via Deja Dup) the process fails:

Traceback (innermost last):
  File "/usr/bin/duplicity", line 1581, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1567, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1406, in main
    action = commandline.ProcessCommandLine(sys.argv[1:])
  File "/usr/lib64/python2.7/site-packages/duplicity/commandline.py", line 1096, in ProcessCommandLine
    args = parse_cmdline_options(cmdline_list)
  File "/usr/lib64/python2.7/site-packages/duplicity/commandline.py", line 730, in parse_cmdline_options
    globals.backup_name = generate_default_backup_name(backend_url)
  File "/usr/lib64/python2.7/site-packages/duplicity/commandline.py", line 125, in generate_default_backup_name
    burlhash = md5()
 ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

From what I have learned, the issue lies with Duplicity using md5 instead of SHA256 (or other FIPS compliant)
Is there an option to enable something other than md5?

Thanks

Question information

Language:
English Edit question
Status:
Answered
For:
Duplicity Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
edso (ed.so) said : 		#1

a quick websearch reveals

https://github.com/s3tools/s3cmd/issues/1005

and

https://stackoverflow.com/questions/54717862/how-do-i-know-if-the-usedforsecurity-flag-is-supported-by-hashlib-md5

obviously something that should be fixed soon.

..ede/duply.net

Revision history for this message
Kenneth Loafman (kenneth-loafman) said : 		#2

There is no option to change hash usage. Duplicity uses md5 and sha1 for things like hash keys for backup names, but for nothing security related.

What OS and version are you running? Which Python version? What openssl version?

Revision history for this message
Kenneth Loafman (kenneth-loafman) said : 		#3

https://www.google.com/search?q=ValueError%3A+error%3A060800A3%3Adigital+envelope+routines%3AEVP_DigestInit_ex%3Adisabled+for+fips&oq=ValueError%3A+error%3A060800A3%3Adigital+envelope+routines%3AEVP_DigestInit_ex%3Adisabled+for+fips&aqs=chrome..69i57j69i58j69i61.1581j0j7&sourceid=chrome&ie=UTF-8

Following that link will show you the mess that the hashlib is in. I'm not sure at this point which direction the software will take. Redhat/Centos added an argument to allow use in non-secure manner, but that's only a small part of the equation since that is not standard across the majority of Linux.

Going to make a bug report out of it and see if we can get some non-invasive answers. Changing from md5/sha1 to something stronger makes no sense since they are not being used for security and would be backwards incompatible.

Revision history for this message
Dustin Todd (dtoddtrc) said : 		#4

Thanks for the response.

We are running RedHat 7.7 workstation with the DCSA profile. We are required to use FIPS configuration for our secure environments and NIST SP800-171 controls. I was hoping to use the builtin backup software (Deja Dup) which uses Duplicity.

The install version of python is 2.7.5 and openssl is OpenSSL 1.0.2k-fips

Can you help with this problem?

Provide an answer of your own, or ask Dustin Todd for more information if necessary.

To post a message you must log in.