Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense XML config file, can we decrypt it manually?

    Scheduled Pinned Locked Moved General pfSense Questions
    32 Posts 9 Posters 8.8k Views 9 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K Offline
      KevinRice @SeaMonkey
      last edited by

      @seamonkey You haven't seen the rest of the file...

      <!--CalixVersion="0.0.0.0" crc32="03933f14" type="backup" product="17717" ConfigVersion="21.2.0.0.39" model="GS4220E" -->
      jïÍ)ïQµY]™ô茛–YtõúgêôTˆKù\¸´Ë7öJC"€ËJ<¯Çñ¹•úã
      ˜
      .8/4Aê¦qm•	VSœ^6kjïÚ|ã-	|ÁÓ8Ât·§vB–î Uò)uçµa‘ù@Û4ÕßÚ"ˆŠŒ2y,¯Yâòƒ`HÞ¤š(i°',}䫏ö‚HRÚÞÛÈ#q þD0v‡*uhx±[
      àµ
      l®é2…èGöÀ‚GrØ=®ˆÔˆ
      ‹R
      9º`ß„ºdÍi¹nÕe0Â
      ³¨
      ™G vu¼ÔøSí;ŸN‡±*r¹ÍrôkËôK¨âZð`¹Cçj›œÂú
      
      S 1 Reply Last reply Reply Quote 0
      • S Offline
        SeaMonkey @KevinRice
        last edited by

        @kevinrice Heh... oh.

        K 1 Reply Last reply Reply Quote 1
        • K Offline
          KevinRice @SeaMonkey
          last edited by

          @seamonkey Appears to be a waste of time, regardless if this is pfSense or not.

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator @KevinRice
            last edited by

            @kevinrice said in pfSense XML config file, can we decrypt it manually?:

            Login screen sure looks familiar.

            Bootstrap is omnipresent at this point! 😉

            Yeah I would be amazed if that's pfSense. It's almost certainly an ARM device to start with.

            That config is not close to anything we have.

            Steve

            K 1 Reply Last reply Reply Quote 1
            • K Offline
              KevinRice @stephenw10
              last edited by

              @stephenw10 said in pfSense XML config file, can we decrypt it manually?:

              That config is not close to anything we have.

              Steve

              I agree. I think it was a cached favicon that led me astray.

              1 Reply Last reply Reply Quote 0
              • D Offline
                Draco @SeaMonkey
                last edited by

                @seamonkey I found your note when I was looking for a way to decrypt newer pfSense backups that had been encrypted. Your OpenSSL command is almost correct, at least based on my testing on Windows with OpenSSL 1.1.1. What you are missing is the -iter parameter.

                As @vlurk noted earlier, the key is in the crypt.inc source code. You need -iter 50000. After I added that parameter, all my post 2.5.0 CE backup files are decrypting on Windows with OpenSLL. If you add "-a" to the command line as well, then you can skip the grep and base64 calls. The command line I use in a CMD file is:

                openssl enc -d -aes-256-cbc -salt -md sha256 -pbkdf2 -salt -iter 500000 -a -in %1 -out %2
                

                Where %1 is the input file and %2 is the output file; fewer calls so should be quicker too. I hope this saves someone else the pain I went through to figure this out. While it's possible that Unix/Linux and Windows OpenSSL behave differently w.r.t. the passphrase, I would be surprised if they are that much different. I am curious though, how what you posted could decrypt the file without the -iter argument... maybe an OpenSSL CNF file difference?

                I've submitted a ticket to Netgate asking if they should update their documentation on manual backup decryption as well.

                1 Reply Last reply Reply Quote 3
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  Where did you submit that? As a redmine bug report?

                  D 1 Reply Last reply Reply Quote 0
                  • D Offline
                    Draco @stephenw10
                    last edited by

                    @stephenw10 No it was a TAC ticket. The support staff sent me email and suggested that I submit a feature request on Redmine. You can find all of the details on ticket # 1105865744. Everything I found, including links back to the source, a prior Redmine bug that lead to the changes to the manual, etc.

                    I had hoped your support team would pass along my findings. Perhaps you can do so?

                    Otherwise I'll get to submitting the same info via Redmine when I've dug out from under all the other items on my plate.

                    Cheers...

                    draco

                    R 1 Reply Last reply Reply Quote 0
                    • R Offline
                      rcoleman-netgate Netgate @Draco
                      last edited by

                      @draco We highly recommend that you be the one that makes the redmine as you have the direct experience and knowledge and will be able to answer all the questions from engineers that review them.

                      Ryan
                      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                      Requesting firmware for your Netgate device? https://go.netgate.com
                      Switching: Mikrotik, Netgear, Extreme
                      Wireless: Aruba, Ubiquiti

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        Draco
                        last edited by

                        Ok, I created a [Regression bug in Redmine](Redmine backup/restore document regression created: https://redmine.pfsense.org/issues/13494).

                        1 Reply Last reply Reply Quote 1
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Thanks!

                          I changed it to a pfSense Docs ticket since it's specifically a documentation change.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.