pfSense XML config file, can we decrypt it manually?

bingo600

For helping future users :
Please post the working solution (command line).

/Bingo

SeaMonkey

Encrypted Configuration files
The GUI can automatically determine the correct decryption method when restoring an encrypted configuration backup file, whether it’s from a current version or an older version. When restoring an encrypted configuration file, check Configuration file is encrypted then enter the password in the Password field, and restore as usual from there.

Encrypted configuration files can be manually decrypted using the correct password for offline inspection.

The method used to encrypt configuration files changed in version 2.5.0, so use the method appropriate for the version which generated the encrypted configuration file. In either case, replace <PASSWORD> with the appropriate password string, and change the filenames as needed.

2.5.0 and later:

grep -v "config.xml" config-encrypted.xml | base64 -d | \
  openssl enc -d -aes-256-cbc -out dencryptedfile.xml \
  -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2

Older versions:

grep -v "config.xml" config-encrypted.xml | base64 -d | \
  openssl enc -d -aes-256-cbc -out dencryptedfile.xml \
  -pass pass:<PASSWORD> -salt -md md5

In my case, I changed pass pass:<PASSWORD> to pass file:<PASSFILE>.

KevinRice

So...what is the password??? Same as admin?

SeaMonkey

@kevinrice No, the password is whatever you put in the password box that appears after ticking the 'Encryption' checkbox.

KevinRice

@seamonkey Oh, no. Not good. I'm using a Calix brand router running pfSense that is locked-down. So there's no way to decrypt its config file then.

SeaMonkey

@kevinrice If you have the admin password and you're just trying to get an unencrypted copy of the current configuration, you can just login, go to Diagnostics | Backup & Restore, and download the configuration file.

KevinRice

@seamonkey I don't think that is possible. The Calix router is crippled. While there is a configuration backup page, the encryption is baked-in. I can't see any way of getting an unencrypted config file here.

stephenw10

Well that's..... um... interesting.

Reboot into single user mode, check the code?

Are you sure that's a pfSense rebrand and not just a cached favicon in your browser?

Edit: Yeah, almost certainly that ^

Steve

KevinRice

@stephenw10 Yeah, I suppose that's likely. Login screen sure looks familiar. And the config file begins:

<!--CalixVersion="0.0.0.0" crc32="03933f14" type="backup" product="17717" ConfigVersion="21.2.0.0.39" model="GS4220E" -->

pfSense v.21.2 is very contemporary!

In any case, if I don't have access to the password, it would seem I'm chasing ghosts.

SeaMonkey

@kevinrice Why do you need a password? It appears that your config is unencrypted.

KevinRice

@seamonkey You haven't seen the rest of the file...

<!--CalixVersion="0.0.0.0" crc32="03933f14" type="backup" product="17717" ConfigVersion="21.2.0.0.39" model="GS4220E" -->
jïÍ)ïQµY]™ôèŒ›–YtõúgêôTˆKù\¸´Ë7öJC"€ËJ<¯Çñ¹•úã
˜
.8/4Aê¦qm•	VSœ^6kjïÚ|ã-	|ÁÓ8Ât·§vB–î Uò)uçµa‘ù@Û4ÕÃŸÚ"ˆŠŒ2y,¯Yâòƒ`HÞ¤š(i°',}ä«ö‚HRÚÞÛÈ#q þD0v‡*uhx±[
àµ
l®é2…èGöÀ‚GrØ=®ˆÔˆ
‹R
9º`ß„ºdÍi¹nÕe0Â
³¨
™G vu¼ÔøSí;ŸN‡±*r¹ÍrôkËôK¨âZð`¹Cçj›œÂú

SeaMonkey

@kevinrice Heh... oh.

KevinRice

@seamonkey Appears to be a waste of time, regardless if this is pfSense or not.

stephenw10

@kevinrice said in pfSense XML config file, can we decrypt it manually?:

Login screen sure looks familiar.

Bootstrap is omnipresent at this point!

Yeah I would be amazed if that's pfSense. It's almost certainly an ARM device to start with.

That config is not close to anything we have.

Steve

KevinRice

@stephenw10 said in pfSense XML config file, can we decrypt it manually?:

That config is not close to anything we have.

Steve

I agree. I think it was a cached favicon that led me astray.

Draco

@seamonkey I found your note when I was looking for a way to decrypt newer pfSense backups that had been encrypted. Your OpenSSL command is almost correct, at least based on my testing on Windows with OpenSSL 1.1.1. What you are missing is the -iter parameter.

As @vlurk noted earlier, the key is in the crypt.inc source code. You need -iter 50000. After I added that parameter, all my post 2.5.0 CE backup files are decrypting on Windows with OpenSLL. If you add "-a" to the command line as well, then you can skip the grep and base64 calls. The command line I use in a CMD file is:

openssl enc -d -aes-256-cbc -salt -md sha256 -pbkdf2 -salt -iter 500000 -a -in %1 -out %2

Where %1 is the input file and %2 is the output file; fewer calls so should be quicker too. I hope this saves someone else the pain I went through to figure this out. While it's possible that Unix/Linux and Windows OpenSSL behave differently w.r.t. the passphrase, I would be surprised if they are that much different. I am curious though, how what you posted could decrypt the file without the -iter argument... maybe an OpenSSL CNF file difference?

I've submitted a ticket to Netgate asking if they should update their documentation on manual backup decryption as well.

stephenw10

Where did you submit that? As a redmine bug report?

Draco

@stephenw10 No it was a TAC ticket. The support staff sent me email and suggested that I submit a feature request on Redmine. You can find all of the details on ticket # 1105865744. Everything I found, including links back to the source, a prior Redmine bug that lead to the changes to the manual, etc.

I had hoped your support team would pass along my findings. Perhaps you can do so?

Otherwise I'll get to submitting the same info via Redmine when I've dug out from under all the other items on my plate.

Cheers...

draco

rcoleman-netgate

@draco We highly recommend that you be the one that makes the redmine as you have the direct experience and knowledge and will be able to answer all the questions from engineers that review them.

Draco

Ok, I created a [Regression bug in Redmine](Redmine backup/restore document regression created: https://redmine.pfsense.org/issues/13494).