This is not the fix I have been meaning to push, but openssl_encrypt()
and openssl_decrypt() are too low level.  They do AES-256-CBC, but not
key derivation as well as salt and IV handling.  Getting this 100%
compatible with OpenSSL was the blocker then.  Also, experts have said
that the cipher should not be used anymore, adding more annoyances as
this config output does not have a version information prefix...