
Warning: Error in : OpenSSL error in EVP_DecryptFinal_ex: bad decrypt

Open adamtaiti opened this issue 5 years ago • 10 comments

Hello all,

I'm struggling with this bad decrypt error. It seems that when I set my database's key it does not go to the global environment and I get this error. I'm trying to do so on an Ubuntu server using shiny-server.

Any ideas on this issue? Any help would be greatly appreciated!

adamtaiti avatar Aug 30 '20 16:08 adamtaiti

Here is an example code...

First I set the database:

# Credentials table that create_db() will encrypt into the sqlite file
credentials <- data.frame(
  user = c("shiny", "shinymanager"),
  password = c("azerty", "12345"),
  admin = c(FALSE, TRUE),
  stringsAsFactors = FALSE
)

library(keyring)
key_set("R-shinymanager-key", "obiwankenobi")

library(shinymanager)

create_db(
   credentials_data = credentials,
   sqlite_path = "credentials.sqlite", # will be created
   passphrase = key_get("R-shinymanager-key", "obiwankenobi")
)

Then I run the app

library(shiny)
library(shinymanager)
library(keyring)

ui <- fluidPage(
  tags$h2("My secure application"),
  verbatimTextOutput("auth_output")
)

# Wrap your UI with secure_app, enabled admin mode or not
ui <- secure_app(ui, enable_admin = TRUE)
server <- function(input, output, session) {

  # check_credentials directly on sqlite db
  res_auth <- secure_server(
    check_credentials = check_credentials(
      "credentials.sqlite",
      passphrase = key_get("R-shinymanager-key", "obiwankenobi")
      # passphrase = "passphrase_wihtout_keyring"
    )
  )

  output$auth_output <- renderPrint({
    reactiveValuesToList(res_auth)
  })
}

shinyApp(ui, server)

The files are located on /srv/shiny-server/shinymanagerApp

Below the log file of a run

Listening on http://127.0.0.1:37940
Warning in default_backend_auto() :
  Selecting ‘env’ backend. Secrets are stored in environment variables
Warning: Error in b_env_get: Cannot find password
  72: observeEventHandler
  1: runApp

adamtaiti avatar Aug 30 '20 16:08 adamtaiti

Am suffering from the same errors... (transferring from RStudio to Shiny Server seems to have done this). Did you ever solve this?

tcwilkinson avatar Nov 03 '20 13:11 tcwilkinson

Hi,

Do you set the key key_set("R-shinymanager-key", "obiwankenobi") on the same machine where you deploy the app using shiny-server?

bthieurmel avatar Nov 03 '20 13:11 bthieurmel

I suspect the OP got the error because the keyring method of passing in passphrase requires you to enter your keyring password, which generally requires a GUI. When you test this on your desk/laptop, you get a window to input a password. I guess shinymanager saves this (locally?) to provide when you try to run the check_credentials with this

...
   res_auth <- secure_server(
    check_credentials = check_credentials(
        "path/to/database.sqlite",
        passphrase = key_get("R-shinymanager-key", "obiwankenobi")
        # passphrase = "passphrase_wihtout_keyring"
    )
  )
...

I suspect that the second example in ?key_set that uses key_set_with_value is what is needed for running on server. I found some information on the keyring GitHub here: https://github.com/r-lib/keyring/issues/77

If I am wrong on this, I would love to know how to make it work.

plorch avatar Nov 16 '20 19:11 plorch

I have been getting this same error when I do not use key_set/key_get. So when I specify the passphrase as text in the create_db step, the .sqlite db gets created. When I then pass the passphrase directly as text I get the error in the OP subject. For a reprex, you could comment/uncomment the passphrase lines in the example code.

plorch avatar Nov 16 '20 20:11 plorch

On the Mac, the error I was getting when setting the passphrase with a character string was due to a version mismatch between my R (3.6.2) and what shinymanager was compiled with (4.0.3). Updating R produced a smaller .sqlite db and fixed the issue. Posting in hopes it helps someone else.

plorch avatar Nov 16 '20 21:11 plorch

On Windows I get the OP subject error no matter what I do.

plorch avatar Nov 16 '20 22:11 plorch

keyring was just an example of how you can store secrets; there are other methods such as environment variables. You can read more here: https://cran.r-project.org/web/packages/httr/vignettes/secrets.html

On a Linux server, you need to install libsecret, otherwise you can only store keys in environment variables of the R session. And you can set a key without the interactive prompt with:

keyring::key_set_with_value("R-shinymanager-key", username = "obiwankenobi", password = "123")

pvictor avatar Nov 17 '20 08:11 pvictor

Thanks @pvictor. I did install libsecret, but then discovered that keyring::key_set_with_value requires there to be an unlocked keyring for that method of setting the key to work. I cannot see how to do that on our shiny server without a GUI.

I had looked at Hadley's httr vignette. One thing of note about the security of this method is "These environment variables will be available in every running R process, and can easily be read by any other program on your computer to access that file directly."

For now I think we will use a secrets file that is .gitignored. Our app needs to access database tables, and we have to have login credentials stored for that as well, and we had been using a secrets file for this purpose. I cannot see an advantage over this method of adding environment variables to .Renviron (the only way to have secrets stored as environment variables persist across sessions).

plorch avatar Nov 17 '20 17:11 plorch
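
The environment-variable and secrets-file options discussed above, as an added example that is not part of the original thread or of shinymanager: it loads the passphrase without keyring and decrypts the credentials table once at startup, so a missing or wrong passphrase stops the app with a clear message. The variable name SHINYMANAGER_PASSPHRASE and the path .secrets/passphrase are assumptions.

```r
# Added example, not shinymanager's own code. SHINYMANAGER_PASSPHRASE and the
# secrets file path are assumed names; adjust them to your deployment.
library(shinymanager)

db_path <- "credentials.sqlite"

load_passphrase <- function(env_var = "SHINYMANAGER_PASSPHRASE",
                            secrets_file = ".secrets/passphrase") {
  value <- Sys.getenv(env_var, unset = "")
  if (nzchar(value)) return(value)
  if (!file.exists(secrets_file)) {
    stop("No passphrase found: set ", env_var, " or create ", secrets_file,
         call. = FALSE)
  }
  # On Unix, refuse a secrets file that group or others can access (mode & 077).
  mode <- as.integer(file.info(secrets_file)$mode)
  if (.Platform$OS.type == "unix" && bitwAnd(mode, 63L) != 0L) {
    stop(secrets_file, " must be readable by its owner only (chmod 600)",
         call. = FALSE)
  }
  value <- trimws(readLines(secrets_file, n = 1L, warn = FALSE))
  if (length(value) != 1L || !nzchar(value)) {
    stop(secrets_file, " is empty", call. = FALSE)
  }
  value
}

# Decrypt the credentials table once at startup so a wrong passphrase fails
# here with a clear message instead of as "bad decrypt" during login.
verify_passphrase <- function(db_path, passphrase) {
  if (!file.exists(db_path)) stop("Database not found: ", db_path, call. = FALSE)
  conn <- DBI::dbConnect(RSQLite::SQLite(), dbname = db_path)
  on.exit(DBI::dbDisconnect(conn), add = TRUE)
  tryCatch(
    read_db_decrypt(conn, name = "credentials", passphrase = passphrase),
    error = function(e) {
      stop("Passphrase does not decrypt ", db_path, ": ", conditionMessage(e),
           call. = FALSE)
    }
  )
  invisible(TRUE)
}

passphrase <- load_passphrase()
verify_passphrase(db_path, passphrase)

# In the server function: check_credentials(db_path, passphrase = passphrase)
```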

On Windows I get the OP subject error no matter what I do.

I wanted to follow up on this message. I realized that on Windows only, I get the OP subject error along with another error when I delete the .sqlite db file without restarting R. When I recreate the db and I launch the app again, the two errors occur no matter what I do. I think that the db is still running unless you quit R. I can tell this because if you don't restart R, delete the db file, create a new one, and restart the app, there is another file visible in the RStudio files window with name databaseName.journal. This does not happen on Mac.

plorch avatar Nov 17 '20 22:11 plorch