    Backups without certificates

    General pfSense Questions (9 posts, 3 posters, 942 views)
    • GilG (Rebel Alliance)

      Is it possible to create backups without the certificates included?
      Thinking about sharing configs with a work colleague, and keeping security.

      The obvious thing to do seems to be to manually edit the xml file.

      11 cheers for binary

      • jimpJ (Rebel Alliance, Developer, Netgate)

        You'll have to edit them out of the configuration. Be aware there are numerous places that have sensitive data in the config (passwords, etc) that you might also not want to share, so be careful when editing the configuration.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

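A sanitiser for the editing jimp describes, added here as an example and not code from the thread or from pfSense: it drops the <cert>/<ca> entries from a pfSense config.xml, overwrites elements whose tag looks like a credential (the SECRET_TAGS list is an assumption about where pfSense keeps passwords), and reports which remaining elements still reference a removed certificate, which is why the stripped file will no longer import cleanly. The config below is constructed for the example.

```python
import xml.etree.ElementTree as ET
# <cert>/<ca>/<crt>/<prv> are pfSense config.xml elements; the remaining
# SECRET_TAGS names are assumptions about where pfSense stores credentials.
CERT_TAGS = {"cert", "ca"}
SECRET_TAGS = {"password", "prv", "pre-shared-key", "shared_key", "tls",
               "authkey", "bcrypt-hash", "md5-hash"}
PLACEHOLDER = "REDACTED"

# Constructed sample config (not a real export); every value is a placeholder.
SAMPLE_CONFIG = """<pfsense>
  <system><hostname>fw1</hostname>
    <webgui><ssl-certref>cert1</ssl-certref></webgui>
    <user><name>admin</name><password>$2b$10$constructedhash</password></user>
  </system>
  <dyndnses><dyndns><username>dnsuser</username><password>dnspw</password></dyndns></dyndnses>
  <notifications><smtp><password>mailpw</password></smtp></notifications>
  <ca><refid>ca1</refid><descr>Lab CA</descr><crt>LS0tQ0E=</crt><prv>LS0tS0VZ</prv></ca>
  <cert><refid>cert1</refid><caref>ca1</caref><crt>LS0tQ1JU</crt><prv>LS0tUFJW</prv></cert>
</pfsense>"""

def strip_certificates(root):
    """Remove every <cert>/<ca> entry; return the refids that were dropped."""
    removed = []
    for tag in CERT_TAGS:
        for entry in root.findall(tag):  # findall returns a list, so removing is safe
            removed.append(entry.findtext("refid", default="?"))
            root.remove(entry)
    return removed

def redact_secrets(root):
    """Overwrite the text of any element whose tag looks like a credential."""
    count = 0
    for elem in root.iter():
        if elem.tag in SECRET_TAGS and (elem.text or "").strip():
            elem.text = PLACEHOLDER
            count += 1
    return count

def dangling_references(root, removed_refids):
    """Tags of elements that still point at a removed cert/CA by refid."""
    wanted = set(removed_refids)
    return [e.tag for e in root.iter() if (e.text or "").strip() in wanted]

def sanitize_config(xml_text):
    """Return (sanitised XML string, report dict) for a config.xml string."""
    root = ET.fromstring(xml_text)
    removed = strip_certificates(root)
    report = {"certs_removed": len(removed), "secrets_redacted": redact_secrets(root)}
    report["dangling_refs"] = dangling_references(root, removed)
    return ET.tostring(root, encoding="unicode"), report
```

Any tag listed in dangling_refs (here the web GUI's ssl-certref) is a spot where the shared copy still expects a certificate that is no longer in the file.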
        • GilG (Rebel Alliance)

          Thanks Jim.
          I figured DNS and email passwords would be included.
          How secure are the 'auto' backups?

          • GertjanG

            @Gil:

            Thanks Jim.
            I figured dns and email passwords would be included.
            How secure are the 'auto' backups?

            They should be very secure, because you are treating them as backups ;)
            This implies: saving them in a secure place, if possible off-line, and of course you wouldn't share these files, like you wouldn't share any backup files from your personal PC.
            The backup files from pfSense are only useful for the same machine (firewall device) where you made it from.

            Ok, it's possible to hand it over to someone else, but interfaces would be different, like passwords, certs, and more.
            It's possible to edit them out, but in that case you couldn't use the file anymore for 'import' on some other pfSense machine.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit: and where are the logs??

            • GilG (Rebel Alliance)

              I keep my unencrypted configs in an encrypted folder (safehouse).
              This allows me to edit the XML as required.
              I was referring to the autoconfig backups (stored with your gold subscription), which I believe are encrypted with a password.

              • jimpJ (Rebel Alliance, Developer, Netgate)

                @Gil:

                Thanks Jim.
                I figured dns and email passwords would be included.
                How secure are the 'auto' backups?

                The AutoConfigBackup entries are encrypted on your firewall before they are uploaded, using the password set in the configuration of the package.

                The server only sees encrypted blobs of data and some metadata so it knows what host it belongs to and such.

                • GilG (Rebel Alliance)

                  What is the encryption process and the standards used - AES 256 I assume?
                  Obviously crucial to system security, and I would like to include this in the sys admin documentation.

                  Also, why is there a standard maximum of 10 systems?
                  I envisage some users simply splitting systems on differing accounts.

                  • jimpJ (Rebel Alliance, Developer, Netgate)

                    @Gil:

                    What is the encryption process and the standards used - AES 256 I assume?
                    Obviously crucial to system security, and I would like to include this in the sys admin documentation.

                    https://github.com/pfsense/FreeBSD-ports/blob/1301159156a8e3723307adf84c3941b0703b56e7/sysutils/pfSense-pkg-AutoConfigBackup/files/usr/local/pkg/autoconfigbackup.inc#L221
                    https://github.com/pfsense/pfsense/blob/b8f91b7c6bd16602d49f50c47f4ea28649404c97/src/etc/inc/crypt.inc#L30

                    @Gil:

                    Also, why is there a standard maximum of 10 systems?
                    I envisage some users simply splitting systems on differing accounts.

                    Users can buy access for additional hosts under the same account if they wish, but there are some that register devices under multiple accounts. That's far beyond the scope of this thread, though.

                    • GilG (Rebel Alliance)

                      WOW! The beauty of open source. Thanks jimp.
