Backups without certificates
-
Is it possible to create backups without the certificates included.
Thinking about sharing configs with a work colleague, and keeping security.The obvious thing to do seems to be to manually edit the xml file.
-
You'll have to edit them out of the configuration. Be aware there are numerous places that have sensitive data in the config (passwords, etc) that you might also not want to share, so be careful when editing the configuration.
-
Thanks Jim.
I figured dns and email passwords would be included.
How secure are the 'auto' backups? -
@Gil:
Thanks Jim.
I figured dns and email passwords would be included.
How secure are the 'auto' backups?They should be very secure, because you are treating them as backups ;)
This implies : saving them on a secure place, if possible off-line - and of course, you wouldn't share these files. Like you wouldn't share any backup files from a - your personnel PC
The backup files from pfSense are only useful for the same machine (firewall device) where you made it from.Ok, it's possible to hand it over to some one else, but interfaces would be different, like passwords, certs, and more.
It's possible to edit them out, but in that case you couldn't use the file anymore for 'import' on some other pfSense machine. -
I keep my unencrypted configs in an encrypted folder (safehouse).
This allows me to edit the xml as required.
I was referring to the autoconfig backups (stored with your gold subscription) , which I believe are encrypted with password. -
@Gil:
Thanks Jim.
I figured dns and email passwords would be included.
How secure are the 'auto' backups?The AutoConfigBackup entries are encrypted on your firewall before they are uploaded, using the password set in the configuration of the package.
The server only sees encrypted blobs of data and some metadata so it knows what host it belongs to and such.
-
What is the encryption process and the standards used - AES 256 I assume?
Obviously crucial to system security, and I would like to include this into the sys admin documentation.Also, why is there a standard maximum of 10 systems?
I envisage some users simply splitting systems on differing accounts. -
@Gil:
What is the encryption process and the standards used - AES 256 I assume?
Obviously crucial to system security, and I would like to include this into the sys admin documentation.https://github.com/pfsense/FreeBSD-ports/blob/1301159156a8e3723307adf84c3941b0703b56e7/sysutils/pfSense-pkg-AutoConfigBackup/files/usr/local/pkg/autoconfigbackup.inc#L221
https://github.com/pfsense/pfsense/blob/b8f91b7c6bd16602d49f50c47f4ea28649404c97/src/etc/inc/crypt.inc#L30@Gil:
Also, why is there a standard maximum of 10 systems?
I envisage some users simply splitting systems on differing accounts.Users can buy access for additional hosts under the same account if they wish, but there are some that register devices under multiple accounts. That's far beyond the scope of this thread, though.
-
WOW! the beauty of open source. Thanks jimp