pfSense XML config file, can we decrypt it manually?

  • Hi,

    I started encrypting the configuration export of my pfSense appliance. And I was wondering how should I proceed, if I wanted to manually decrypt the xml export. Obviously, I have the password. I am just really not to sure about how the file gets encrypted; I don't even know the cipher.

    Anyone knows about this? I always review the .xml file before importing but once encrypted... It becomes a bit tedious (and unsafe!) to import blindly, and then export it in clear text again for review. I am sure there is no "secret sauce" about the file encryption either.

    Thank you.

  • Hooray for open source software; everything is in clear somewhere.... Once I found /etc/inc/, I knew what had to be done.

    As it turns out, I am able to decrypt a configuration backup with a one liner;

    openssl enc -d -a -aes-256-cbc -in config.xml -out output.txt

    I can now encrypt my backups knowing they can be read/compared before I restore them. :)

  • Netgate Administrator

    Yes I use this if I need to decrypt it as the file is base64 encoded also.

    You will need to extract that and then decrypt it. That can be done from a Linux box using the following command:

    cat /tmp/config-enc.xml | sed -e '1d' -e '$d' | base64 -d | openssl enc -d -aes-256-cbc -out /tmp/config-dec.xml -k '12345'

    Or it can be done on the firewall itself if a Linux box is not available using the following command :

    cat /tmp/config-enc.xml | sed -e '1d' -e '$d' | b64decode -r | openssl enc -d -aes-256-cbc -out /tmp/config-dec.xml -k '12345'

    Where 12345 is the password.


  • Rebel Alliance Developer Netgate

    Fair warning, if you are running that command on a system with OpenSSL 1.1.1 and the file was encrypted on pfSense 2.4.x, you'll want to add -md md5 to the end of the command line parameters.

Log in to reply