Working towards Transcrypt version 3 with support for PBKDF2 key-derivation

LICENSE

@@ -1,4 +1,5 @@
-Copyright (c) 2014-2019, Aaron Bull Schaefer <[email protected]>
+Copyright (c) 2020-2023, James Murty <[email protected]>
+Copyright (c) 2014-2020, Aaron Bull Schaefer <[email protected]>
 Copyright (c) 2011, Woody Gilk <[email protected]>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

README.md

@@ -151,16 +151,26 @@ repository. The owner of the origin repository can dump the credentials for you
 by running the `--display` command line option:
 
     $ transcrypt --display
-    The current repository was configured using transcrypt v0.2.0
+
+    The current repository was configured using transcrypt version 3.0.0-alpha1
     and has the following configuration:
 
-      CONTEXT:  default
-      CIPHER:   aes-256-cbc
-      PASSWORD: correct horse battery staple
+      GIT_WORK_TREE:  transcrypt
+      GIT_DIR:        transcrypt/.git
+      GIT_ATTRIBUTES: transcrypt/.gitattributes
+
+      CONTEXT:        default
+      CIPHER:         aes-256-cbc
+      DIGEST:         sha512
+      KDF:            pbkdf2
+      ITERATIONS:     256_000
+      PROJECT SALT:   5J0QY8uOTe7/B9eYSJ2kOy91
+      PASSWORD:       correct horse battery staple
 
     Copy and paste the following command to initialize a cloned repository:
 
-      transcrypt -c aes-256-cbc -p 'correct horse battery staple'
+      transcrypt -c aes-256-cbc -md sha512 -k pbkdf2 -n 256_000 \
+        -ps 5J0QY8uOTe7/B9eYSJ2kOy91 -p 'correct horse battery staple'
 
 Once transcrypt has stored the matching credentials, it will force a checkout of
 any exising encrypted files in order to decrypt them.
@@ -200,6 +210,25 @@ directory.
              the symmetric cipher to utilize for encryption;
              defaults to aes-256-cbc
 
+      -md, --digest=DIGEST
+             the message digest used to hash the salted password;
+             defaults to sha512
+             Use md5 for compatibility with transcrypt versions < 3
+
+      -k, --kdf=KEY_DERIVATION_FUNCTION
+             a key-derivation function to use for strongest encryption;
+             defaults to pbkdf2
+             If enabled, all users will need Transcrypt 3+ and modern OpenSSL
+
+      -n, --iter=ITERATIONS
+             when using a key-derivation function, its number of iterations;
+             defaults to 256_000
+
+      -ps, --salt=PROJECT_SALT
+             when using a key-derivation function, an extra value to
+             strengthen per-file salt values;
+             defaults to 18 random base64 characters
+
       -p, --password=PASSWORD
              the password to derive the key from;
              defaults to 30 random base64 characters
@@ -344,6 +373,7 @@ to encrypt a file \_top-secret* in a "super" context:
 transcrypt is provided under the terms of the
 [MIT License](https://en.wikipedia.org/wiki/MIT_License).
 
+Copyright &copy; 2020-2023, [James Murty](mailto:[email protected]).
 Copyright &copy; 2014-2020, [Aaron Bull Schaefer](mailto:[email protected]).
 
 ## Contributing

contrib/packaging/pacman/PKGBUILD

@@ -1,6 +1,6 @@
 # Maintainer: Aaron Bull Schaefer <[email protected]>
 pkgname=transcrypt
-pkgver=2.3.0-pre
+pkgver=3.0.0-alpha1
 pkgrel=1
 pkgdesc='A script to configure transparent encryption of files within a Git repository'
 arch=('any')

sensitive_file

@@ -1,40 +1,40 @@
-U2FsdGVkX1//6vyAEUROfUrBgZuXaA15WddyGnu4qyMwDAzBjDpLwEqdK+lGuahk
-zcurTKIJ36gmdZSd5f2928EQaHGdusIRGzjWfWQ720UUTYzERPuJxGVQSXZIA7a4
-o7t2LdFOloWw5g3SRWn+cPBt8lvLkuVuA4x+B4MuzBR0qq7qsk5Qvywfuk2In4Fh
-gWMWnUFDpdO/dUPefgZ1okXwWmb2bna7hr7j7Q1Qz+X8/ZPV7epZfonTOCvILVDy
-qJlhhH+qrkUwpS8qKMBwyfsNEdKFm60fhPCjWZxyS475Pc3DcG9CQX+AkQqG0frA
-aViFCpUkUClSJtoFCg+PaUHPbiN4g/OG7rUcIfVuFDH3Stz3CuqtzJSNkPKNX0Zm
-4xgViApifWvPIijXl/VIHQ7SdzaYiWo2u1G5dCXQw39VnTikx+HWn85wgy0F9IoR
-c6FiowxnGsl3ErIwyvuFOqeI8/Xge/7bgWmzqVZSLrpFMPjM/JNO7htRslByo0LD
-h5+ngarmfzhI8fspFkmUJWN7YulBRKe4Zh5mohPLhXp/+27KdHC/kBWJtuWUTBx9
-RV8cp/g/uIQ6hr/qAnWLdxHgANExGXuf/1zVJYacfnP5cKEqmhYq4gyjs04n8w3a
-gjpINQ8bUVzl3rEEv47nlT7o6ZYCxVL4WjWqcCB75KYvDtkDG+lIbu5SBQ1GwW8q
-uvcdpV1l9UdXrVuPJvcXLn28xL2KItyfoa/T8rGERrSu875/hwunNmArclvv1UCW
-ZRzOhZYMGTHQY5TDC7H05Lwx1wiwRoKJnd+iaE9pw80WnSyarkFkokoHjoBBIO6W
-In+mUDJWSg+VTcJxsT91OmKQyfqGYSm3NRshcvhDgyX/Nle2ixtk1KbBM1+06Cyg
-zWQ2My4uYJtQAU3RYsC3fIPw9QYfwpyrChVzFVImQwGixInNCm3hilEju9MuwKkT
-9yU7oKnZO5027UrwYb7nn8tUab92R3qpfwkR+ZXspTi5CjBZnU61/yw+7Klv8yBQ
-rXfRXVncM2tdcVWlrq7GaRwN3byeo87EQ6/QqyzwHOpNWomk6MHcIAy6pTY6ZIDs
-hDrBwUkBDrIyQYntHDAR4LICepnrkouWydW6A5jqR5ySpchsSPSHdR41UcouPtmA
-hKk1iYMS9TNu3eG69KiKAZ3djYb2GQl8Z1r/1SGAtKj263nUjazWBUkGuzdNX0ny
-yuqXYgXd+lh4YOuL7Dn8JyW5s0IctFj6D4gUnvG4lV/rZYOusIG5rxZn9+c88Did
-VWrMzIuAzbWQXweHA8EVZVb+ntqVKpYKixrLdmjNTt21oYW6LgFdxio8gyq6YGMT
-vjG6G/5ZM30WOsso4XFp+8i7GzVKNXQrZSEZKbEqrD/+RICVUxzXLRVXm66nfW0r
-xEhbuO9v6khlhM6Px1e1seyPZekvBskrB4n8CYsrTTqYww136r/WHZ8/VO+Xu0iN
-1Bt+73pln+PjxiEkIcoHFaCqkqbzHjgGLXeWkfy+0tK/Yr8sTVOrzqNccDg5os98
-UyZG3psbOjuw8JOj2TgLVBIDJWejQLBdewflRviinAzM3jcfAS/GejhMK4NQrdm2
-SAXhMU+32lnJUfqEzkT3LY1PUxBWFwU0IHTQuqp23v23lFOUt4xKo9+TvbDu7V/W
-8BzmtXMZl2PPTOvuEbpu8AfzzvUFkuOktKrlAGNIijx39fabFr+46rra46BeT1XG
-yP3LQcXB5pkjQnwl10BKOGXE014R5BmiAkcyEZiF4ZLhHFpmCJP7U/xDA4g5H4AX
-7WLNu1Mn/IvM7U2Y4AwTJy1GFLCufxL5MRjmAlMwhwebwRvhi3Pamh/StzjssQ1h
-2jgJ+z86DndYpeqg9A7KAMX2FBAry9YbyTT28LNnZRjSRAOWqwRFkFBHryTFgwA2
-IKbR/mA/BFavB7UoxBEmijPTs/IbAoXGgQUN6g3DKCfaHbeTJPI8GPemmkA6AYgb
-gDE/nVNe8ajQvzktXcM27ivLhjeHVjtCJYjsC3p6GFAMu6/LxKE0hWFRRnMw3RbR
-Bmx8n5DWfRCJVgF+pbOah0tPL7iYa4+lprBBGClLpGP4/1KWmSCkxPa2l6QenY0D
-C7m0hPUpL99PoAQCvCGssfLzdpDHdb0ZK808CwLnypBd52mSROpHk/4RQ3S0v68R
-LpLRdEL0aDBQgHWD374YihPM0dYG7pCghTxuKSZXouQkscQ6xoqxVxyWhTRMcTBz
-9ggEdI0dRV8AY+HSkpOW2Ixca1Opn3UIfznQe7JaPXzpk2j3oRR9A2uXcif+zfp2
-IRIqhSa+oP/1wo9RxLybnoheMPZftRqpabjR9AnOzt9KLt/9mu7/lF8YWhALLu6h
-dLukBe1mEeVsQQ8CNcKqFK80jNCx7sR6QZCWyaxcgqw6YtOQ7ZszPRSHtCLgcGHc
-BY9xgAUe3FaJszt5bed9Cxh/FvY7lQwWkLvVscS/IDtA+sq8Ww3D4/JyqEMaaZcY
-L/aeTVBw2BnDs2K48meuFw==
+U2FsdGVkX18dwk/yEPKxPYwi6KL2RzTnqvjSFCjeIvb6vO8+Ok0YVo9vnSulF8vS
+2dpAfaN9PAcByHWTTC8tCnaH7k46vWsiLesoW+BGYjrw5IRkSblTC1tQgycb0Cyg
+BdWcLZilNM3wtvvvWhf9E1VatLUtf2MiCqjVEkxidM7bBWwWOEM4Xk1ezaE+PYRq
+LDK5NLMMrUD7N4FH8u8tzER8TubygKbK6EEUZYfs0SW8ft0PEGmSj74Q3vTOpeSt
+9Cybza7QIMeIktuDk5Xkcu/nGF8jNxCfiwnLhog3kES2QqCDOYA0jdnPVubQcOio
+e+G5K/7QqDlCvO/XGw5aufRuMh0/Jiqadf8rJYdiVloPBSw3FJt1cQ6IiguHWrMh
+ayALkRD8vGZRmkDjbxS7Sc/exvl37TOmLZqawYwn9h7ZW5ZYM8NAut/mQUFP35Uk
+hwmtBk89VY54zUpE/8ujhtzrbLOMAyGJuRGQThPhdhN6SCTg6pZvoCqI3Imqmm/C
+bHTnruU+lDQLTGZrZBtuHPzTsf6JWMg4RsaOBzcOcy/TkWEV/Oqqar5WX0B3G5fn
+jHtRCybxGH3enwXi53kJpNWtn31IuTiN89MTOFsB0jstAO0OoB39mU7BR/ryAP5+
+BbcVUg0MSrmVWPhTIFTye+ESw34zvhzOWWTwE3s/AZvvMVC4afkZKiKq5uGeAb1j
+lkpPqeB5fKjuF3TYr2j4YPu1QkLpUHmWK0DEJB6QkRAPACWCxCGjPDbRATQiXLiL
+GK5PWEZF48v+BabZypdjKzXyidYL5rcVeF4HkVdslhZ8kILj8uPkhcKAHig5ld3S
+IdWYpATVAPraA8vjF8UNbWghyuFb6NkxS+TRroMX8HmKiT2Cw+IUDYUyc99rGHTp
+1Z0daRDErKVDlZ7OfyOSn/cvvPKij2H6qaqC307gkKlyNfXqlWcFWZ1bfLZdUakR
+vYuPSUrxpa0cY/UE+Wy94qt2HUirwsCteHw8l7MDRiFW4n94vz+pm8vHfqWNmmpv
+7PGgV5Y3y/5Yo+CWCmG20TNZHdD8+fdD6A7tY7ZblEEptYngq+btOZiNMOLsl7hA
+HUf+7Zamhl+6kGKwNK9pEcatRnuwJITVX5pOam8sgesxTNdXycjaFr2CPzNhbV1y
+mXi8iTkbg1oskuteUogx+co89OQuoERtMSe2azN4/ivQK70pm2x03F7tGvHtgjm+
+wrtDU7vAxKLQNqtrzOvSafeiGeE9P/FtDKfpm5KJkrmPljZb6CtE2aZmq92PIzDJ
+DwUBy+B/h9r9wwvBXsHQ2OIaZ8DDPt1V4yYTBYN+px+VOa9cTaBBtevMuD+PwYim
+HqxZjVO16a3KQqXM4nqcAffDSnqy5lH4YFWYWxFGlrZvcjsBnm8sn77IUIwcEHx9
+Er8Dl2Q2tfQBf2z6W1+Obv9iU44FDwv+bJ2sLh5uDlJkHz+hAl4DynZhrpR7h4PM
+MQVVhRs41hkCi/zQwaNNiziT4ZHsW3g4VkLDnzeD8pW7NI5a1NcF1l6RLk4XASpb
+umhQr3kCEU0yoa4txDKKALT+13yPfJdBDwlzxWBVx22e/jO3wLb223Bq63Ud/9Cd
+nUVhI4mXZDZ2rNSALujsQSJ0rUlgd6sVWllbSMMV7+1SF6Eac2Gd7CBhaON43Eal
+mlTKN/IlA7inOiRBk+409G8KBDZuA4i6sL1guO5KLmwvFonZ5yT8/7fwadSFmtpR
+ZH0RUQhz7SAkqmaExNLtCmkqKPQh3IwPtKOkUcyTybh1XatOPgdZEJYljG/2u2DN
+yK1bVGKKCeWZ3pw1HWR0jUycmddDYKvQlXTxF9Jsv1o5m15e+rSw9dnK4ZGWPVtI
+dUcUMrayphrBsF8N9J068pcJZLzSL9jaDvf0G4ZfqcNu2d1oWq10mMsTYeN/2vRe
+rb6FKKizt1/7SivkcZbsn0DAFF7PFUtTIwEMBPLO86jcyUXjCSctLEk/VP/h9nIn
+HrYLxxbsg3vYBiLC0b4aVSCYFyEP/0v5Wp6X+DD/iQvWZ3VwwHQ/GcFIoKtsXmJo
+y2A4/x706PLqIr05DjSaaerTelfqXexF5uOkpRzwIDA7Ox1ivHD1mYnstEian7aF
+QF2KI0pYhG3qOEEdti+TNQDyMPzSFKOtnSuwiKL7nGsI7+8FDIdMlnQZ5z/mDX9Q
+Jg7FgawPAeJ07JXI68/FutkSIXxbVazh7gYyIvLZFXpMUe5g8N2v4msTZin9Y4XT
+5VrhmzSk+4OA8PkK2rnkAI99r05WLnCZ3UGKu4Vsq4sY7Z+gwfepoMy7eJOZPxzN
+QAundOnNVFI4uCTBDCoAHtJVRmHXu8e/XBjUYlLHcnISxM2nuyvi4H+pZ96Gg4PJ
+vAiYuTdsI7GSo+G0Ha0xVIXsH/WJH+YV2uzkIzNecbJUIFkh9C05T7TT1EHGZCyU
+suZO0FLlN/qTFuZFfeqBFRhnCfgKLPlGAJ+GmCQnKxbY8R3YUzGU5FOVPW9vykfS
+GsaN2D2yI3S3YjuOOIpjHA==

tests/_test_helper.bash

@@ -39,10 +39,6 @@ function cleanup_all {
   rm -f "$BATS_TEST_DIRNAME"/sensitive_file
 }
 
-function init_transcrypt {
-  "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --password='abc 123' --yes
-}
-
 function encrypt_named_file {
   filename="$1"
   content=$2
@@ -59,10 +55,25 @@ function encrypt_named_file {
   run git commit -m "Encrypt file \"$filename\""
 }
 
+function init_transcrypt_no_kdf {
+  "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --password='abc 123' --yes
+}
+
+function init_transcrypt {
+  "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --digest sha512 --kdf pbkdf2 --iter 99 --salt 5J0Q --password='abc 123' --yes
+}
+
 function setup {
   pushd "$BATS_TEST_DIRNAME" || exit 1
   init_git_repo
-  if [[ ! "$SETUP_SKIP_INIT_TRANSCRYPT" ]]; then
+
+  if [[ "$SETUP_SKIP_INIT_TRANSCRYPT" ]]; then
+    return
+  fi
+
+  if [[ "$SETUP_INIT_TRANSCRYPT_NO_KDF" ]]; then
+    init_transcrypt_no_kdf
+  else
     init_transcrypt
   fi
 }

tests/test_cleanup.bats

@@ -3,7 +3,16 @@
 load "$BATS_TEST_DIRNAME/_test_helper.bash"
 
 SECRET_CONTENT="My secret content"
-SECRET_CONTENT_ENC="U2FsdGVkX1/6ilR0PmJpAyCF7iG3+k4aBwbgVd48WaQXznsg42nXbQrlWsf/qiCg"
+
+# Example generation:
+# - Using project salt: 5J0Q
+# - Generate file key
+#   openssl dgst -hmac "sensitive_file:5J0Q" -sha256 sensitive_file  | tr -d '\r\n' | tail -c16
+#   => ec32c0fbf2261d18
+# - Encrypt file
+#   cat sensitive_file | ENC_PASS='abc 123' openssl enc -e -a -aes-256-cbc -md sha512 -pass env:ENC_PASS -pbkdf2 -iter 99 -S ec32c0fbf2261d18
+#   => U2FsdGVkX1+NiURgsIjgkwyiBw0TSC8WhhDRly2h4x2exuwjay6y/nOahblrBL62
+SECRET_CONTENT_ENC="U2FsdGVkX1+NiURgsIjgkwyiBw0TSC8WhhDRly2h4x2exuwjay6y/nOahblrBL62"
 
 @test "cleanup: transcrypt -f flush clears cached plaintext" {
   encrypt_named_file sensitive_file "$SECRET_CONTENT"

tests/test_contexts.bats → tests/test_contexts_no_kdf.bats

@@ -9,7 +9,7 @@ SUPER_SECRET_CONTENT_ENC="U2FsdGVkX1+dAkIV/LAKXMmqjDNOGoOVK8Rmhw9tUnbR4dwBDglpkX
 function setup {
   pushd "$BATS_TEST_DIRNAME" || exit 1
   init_git_repo
-  init_transcrypt
+  init_transcrypt_no_kdf
 
   # Init transcrypt with 'super-secret' context
   "$BATS_TEST_DIRNAME"/../transcrypt --context=super-secret --cipher=aes-256-cbc --password=321cba --yes
@@ -86,9 +86,9 @@ function teardown {
   [ "$status" -eq 0 ]
   [ "${lines[0]}" = "The current repository was configured using transcrypt version $VERSION" ]
   [ "${lines[1]}" = "and has the following configuration for context 'super-secret':" ]
-  [ "${lines[5]}" = "  CONTEXT:  super-secret" ]
-  [ "${lines[6]}" = "  CIPHER:   aes-256-cbc" ]
-  [ "${lines[7]}" = "  PASSWORD: 321cba" ]
+  [ "${lines[5]}" = "  CONTEXT:        super-secret" ]
+  [ "${lines[6]}" = "  CIPHER:         aes-256-cbc" ]
+  [ "${lines[7]}" = "  PASSWORD:       321cba" ]
   [ "${lines[8]}" = "The repository has 2 contexts: default super-secret" ]
   [ "${lines[9]}" = "Copy and paste the following command to initialize a cloned repository for context 'super-secret':" ]
   [ "${lines[10]}" = "  transcrypt -C super-secret -c aes-256-cbc -p '321cba'" ]

tests/test_crypt.bats → tests/test_crypt_no_kdf.bats

@@ -2,6 +2,9 @@
 
 load "$BATS_TEST_DIRNAME/_test_helper.bash"
 
+# Custom setup: use no-KDF init transcrypt
+SETUP_INIT_TRANSCRYPT_NO_KDF=1
+
 SECRET_CONTENT="My secret content"
 SECRET_CONTENT_ENC="U2FsdGVkX1/6ilR0PmJpAyCF7iG3+k4aBwbgVd48WaQXznsg42nXbQrlWsf/qiCg"
 

tests/test_init.bats → tests/test_init_no_kdf.bats

@@ -15,20 +15,20 @@ SETUP_SKIP_INIT_TRANSCRYPT=1
 }
 
 @test "init: creates .gitattributes" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   [ -f .gitattributes ]
   run cat .gitattributes
   [ "${lines[0]}" = "#pattern  filter=crypt diff=crypt merge=crypt" ]
 }
 
 @test "init: creates scripts in .git/crypt/" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   [ -d .git/crypt ]
   [ -f .git/crypt/transcrypt ]
 }
 
 @test "init: applies git config" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   VERSION=$(../transcrypt -v | awk '{print $2}')
 
   [ "$(git config --get transcrypt.version)" = "$VERSION" ]
@@ -53,48 +53,48 @@ SETUP_SKIP_INIT_TRANSCRYPT=1
 }
 
 @test "init: show details for --display" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   VERSION=$(../transcrypt -v | awk '{print $2}')
 
   run ../transcrypt --display
   [ "$status" -eq 0 ]
   [[ "${output}" = *"The current repository was configured using transcrypt version $VERSION"* ]]
-  [[ "${output}" = *"  CIPHER:   aes-256-cbc"* ]]
-  [[ "${output}" = *"  PASSWORD: abc 123"* ]]
+  [[ "${output}" = *"  CIPHER:         aes-256-cbc"* ]]
+  [[ "${output}" = *"  PASSWORD:       abc 123"* ]]
   [[ "${output}" = *"  transcrypt -c aes-256-cbc -p 'abc 123'"* ]]
 }
 
 @test "init: show details for -d" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   VERSION=$(../transcrypt -v | awk '{print $2}')
 
   run ../transcrypt -d
   [ "$status" -eq 0 ]
   [[ "${output}" = *"The current repository was configured using transcrypt version $VERSION"* ]]
-  [[ "${output}" = *"  CIPHER:   aes-256-cbc"* ]]
-  [[ "${output}" = *"  PASSWORD: abc 123"* ]]
+  [[ "${output}" = *"  CIPHER:         aes-256-cbc"* ]]
+  [[ "${output}" = *"  PASSWORD:       abc 123"* ]]
   [[ "${output}" = *"  transcrypt -c aes-256-cbc -p 'abc 123'"* ]]
 }
 
 @test "init: respects core.hooksPath setting" {
   git config core.hooksPath ".git/myhooks"
   [ "$(git config --get core.hooksPath)" = '.git/myhooks' ]
 
-  init_transcrypt
+  init_transcrypt_no_kdf
   [ -d .git/myhooks ]
   [ -f .git/myhooks/pre-commit ]
 
   VERSION=$(../transcrypt -v | awk '{print $2}')
   run ../transcrypt --display
   [ "$status" -eq 0 ]
   [[ "${output}" = *"The current repository was configured using transcrypt version $VERSION"* ]]
-  [[ "${output}" = *"  CIPHER:   aes-256-cbc"* ]]
-  [[ "${output}" = *"  PASSWORD: abc 123"* ]]
+  [[ "${output}" = *"  CIPHER:         aes-256-cbc"* ]]
+  [[ "${output}" = *"  PASSWORD:       abc 123"* ]]
   [[ "${output}" = *"  transcrypt -c aes-256-cbc -p 'abc 123'"* ]]
 }
 
 @test "init: transcrypt.openssl-path config setting defaults to 'openssl'" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   [ "$(git config --get transcrypt.openssl-path)" = 'openssl' ]
 }
 
@@ -104,7 +104,7 @@ SETUP_SKIP_INIT_TRANSCRYPT=1
 }
 
 @test "init: --set-openssl-path is applied during upgrade" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   [ "$(git config --get transcrypt.openssl-path)" = 'openssl' ]
 
   # Set openssl path
@@ -116,7 +116,7 @@ SETUP_SKIP_INIT_TRANSCRYPT=1
 }
 
 @test "init: transcrypt.openssl-path config setting is retained with --upgrade" {
-  init_transcrypt
+  init_transcrypt_no_kdf
   [ "$(git config --get transcrypt.openssl-path)" = 'openssl' ]
 
   # Set openssl path
@@ -136,7 +136,7 @@ SETUP_SKIP_INIT_TRANSCRYPT=1
   # Set a custom location for the crypt/ directory
   git config transcrypt.crypt-dir /tmp/crypt
 
-  init_transcrypt
+  init_transcrypt_no_kdf
 
   # Confirm crypt/ directory is populated in custom location
   [ ! -d .git/crypt ]
@@ -152,7 +152,7 @@ SETUP_SKIP_INIT_TRANSCRYPT=1
   # Set a custom location for the crypt/ directory
   git config transcrypt.crypt-dir /tmp/crypt
 
-  init_transcrypt
+  init_transcrypt_no_kdf
 
   SECRET_CONTENT="My secret content"
   SECRET_CONTENT_ENC="U2FsdGVkX1/6ilR0PmJpAyCF7iG3+k4aBwbgVd48WaQXznsg42nXbQrlWsf/qiCg"