pfSense XML config file, can we decrypt it manually?
I started encrypting the configuration export of my pfSense appliance. And I was wondering how should I proceed, if I wanted to manually decrypt the xml export. Obviously, I have the password. I am just really not to sure about how the file gets encrypted; I don't even know the cipher.
Anyone knows about this? I always review the .xml file before importing but once encrypted... It becomes a bit tedious (and unsafe!) to import blindly, and then export it in clear text again for review. I am sure there is no "secret sauce" about the file encryption either.
Hooray for open source software; everything is in clear somewhere.... Once I found /etc/inc/crypt.inc, I knew what had to be done.
As it turns out, I am able to decrypt a configuration backup with a one liner;
openssl enc -d -a -aes-256-cbc -in config.xml -out output.txt
I can now encrypt my backups knowing they can be read/compared before I restore them. :)
Yes I use this if I need to decrypt it as the file is base64 encoded also.
You will need to extract that and then decrypt it. That can be done from a Linux box using the following command:
cat /tmp/config-enc.xml | sed -e '1d' -e '$d' | base64 -d | openssl enc -d -aes-256-cbc -out /tmp/config-dec.xml -k '12345'
Or it can be done on the firewall itself if a Linux box is not available using the following command :
cat /tmp/config-enc.xml | sed -e '1d' -e '$d' | b64decode -r | openssl enc -d -aes-256-cbc -out /tmp/config-dec.xml -k '12345'
Where 12345 is the password.
Fair warning, if you are running that command on a system with OpenSSL 1.1.1 and the file was encrypted on pfSense 2.4.x, you'll want to add
-md md5to the end of the command line parameters.
Thanks for the tips, everyone!
I put together everyone's suggestions into this script:
Nice. I would probably output to a file though for all but the simplest configs. If you have a multi-megabyte config it can become...... challenging!
I am really regretting the long, randomly generated password full of special characters used to encrypt my configs right now. Can't seem to correctly escape the contained single quote (assuming that that's the only character that needs to be escaped when the rest is contained within single quotes). I keep getting 'bad decrypt'.
bingo600 last edited by bingo600
from : man enc (linux)
-k password The password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass argument. -kfile filename Read the password to derive the key from the first line of filename. This is for compatibility with previous versions of OpenSSL. Superseded by the -pass argument. -pass arg The password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
You could try to paste the "ugly passwd" into a file (pass.txt) , on the first line.
Then instead of -k 'pass' , use -kfile pass.txt
Seems like -kfile <filename> is superseded by -pass file:<filename>
But both should still work.
Remember your pass is now saved in a file , cleanup appropriately
@bingo600 Tried that and I still get the same result.
*** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. bad decrypt 140140608259392:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
Thanks for the suggestion, though.
bingo600 last edited by bingo600
I should have checked the docs before the forum. File I was trying first was from 2.5.0 which uses different encryption.
bingo600 last edited by
For helping future users :
Please post the working solution (command line).
Encrypted Configuration files
The GUI can automatically determine the correct decryption method when restoring an encrypted configuration backup file, whether it’s from a current version or an older version. When restoring an encrypted configuration file, check Configuration file is encrypted then enter the password in the Password field, and restore as usual from there.
Encrypted configuration files can be manually decrypted using the correct password for offline inspection.
The method used to encrypt configuration files changed in version 2.5.0, so use the method appropriate for the version which generated the encrypted configuration file. In either case, replace <PASSWORD> with the appropriate password string, and change the filenames as needed.
2.5.0 and later:
grep -v "config.xml" config-encrypted.xml | base64 -d | \ openssl enc -d -aes-256-cbc -out dencryptedfile.xml \ -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2
grep -v "config.xml" config-encrypted.xml | base64 -d | \ openssl enc -d -aes-256-cbc -out dencryptedfile.xml \ -pass pass:<PASSWORD> -salt -md md5
In my case, I changed