OPNsense Forum

English Forums => General Discussion => Topic started by: mfle on April 25, 2017, 09:43:04 PM

Title: [SOLVED] decrypt system configuration backup manually
Post by: mfle on April 25, 2017, 09:43:04 PM
Need to edit config.xml
Have encrypted config.xml and the password.

how to decrypt the file?
Title: Re: decrypt system configuration backup manually
Post by: franco on April 25, 2017, 09:52:46 PM
Hi,

There is no command line client. The format somewhat resembles a "normal" encryption, but it's a custom job from 2008 according to the copyright headers:

https://github.com/opnsense/core/blob/master/src/etc/inc/crypt.inc

The "easiest" way would be to boot a VirtualBox VM and import / export it.

I can write a client for this, but it will take a day or two....


Cheers,
Franco
Title: Re: decrypt system configuration backup manually
Post by: fabian on April 25, 2017, 10:03:23 PM
This seems to be just an OpenSSL command line call.
first, the base64 needs to be decoded, then just call the OpenSSL binary from CLI. Nothing completely complex to do.

It is quite strange why the CLI is called as there is a function for that:
https://secure.php.net/manual/de/function.openssl-encrypt.php
Title: Re: decrypt system configuration backup manually
Post by: mfle on April 25, 2017, 11:32:13 PM
Hi,

it works:

first delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----

base64 -d config.encrypted | openssl enc -aes-256-cbc -d -k PASSWORD > config.xml

Thank you!
Title: Re: decrypt system configuration backup manually
Post by: franco on April 26, 2017, 08:52:01 AM
Might as well do this, alright :)

I tried porting it to PHP internals, but didn't succeed. That must have been in 2015.


Cheers,
Franci
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: drivera on September 01, 2019, 08:34:49 PM
Update to the required command:

$ base64 -d encrypted-config.xml | openssl enc -d -aes-256-cbc -md md5 > decrypted-config.xml

The -md md5 was missing from the previous solutions.

Remember to remove the necessary lines from (a copy of) the encrypted file first.  The openssl command will ask for the password interactively. There are parameters that can be added to include the password in the command, left as an exercise for the reader.

Cheers!
Title: Re: decrypt system configuration backup manually
Post by: mannp on November 26, 2019, 03:05:36 PM
Quote from: mfle on April 25, 2017, 11:32:13 PM

first delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----

Thank you!

Thanks for the info all and I had to delete this too, for anyone else using it :)

QuoteVersion: OPNsense 19.7.7
Cipher: AES-256-CBC
Hash: MD5
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: reboot81 on January 11, 2020, 05:23:40 PM
Remove everything except the base64 encoded jibberish, add a trailing newline and run
openssl enc -aes-256-cbc -base64 -d -p -in encrypted_config.xml -out decrypted_config.xml
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: jimmythedog on June 27, 2022, 07:42:15 AM
I found that that I needed to change the arguments lately to get it working (kept getting "bad decrypt" with the old options)
Looking at the encrypted file, I could some interesting "header" information e.g.:

---- BEGIN config.xml ----
Version: OPNsense 22.1.9
Cipher: AES-256-CBC
PBKDF2: 100000
Hash: SHA512


Based upon that block, I changed to the cli arguments accordingly and it then worked:

grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc-md sha-512 -iter 100000 -out decrypted_config.xml
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: beeric on July 08, 2022, 07:08:15 AM
Quote from: jimmythedog on June 27, 2022, 07:42:15 AM
Based upon that block, I changed to the cli arguments accordingly and it then worked:

redacted

Your code is missing the space between cipher and hash (before -md). This will work. Thanks for this btw, it was great!:
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: julsssark on February 22, 2023, 10:16:21 PM
Anyone get this to work using 23.1? I've tried the prior solutions and I keep getting a bad decrypt.
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: josemarciosa on February 27, 2023, 04:22:27 PM
bad decrypt
139980919153984:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:615:

I'm having the same problem. I've tried all of the above.

OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: josemarciosa on February 27, 2023, 04:30:36 PM
SOLVED

grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml

enc: Unrecognized flag sha-512
enc: Use -help for summary.

CHANGE

grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha512 -iter 100000 -out decrypted_config.xml

First of all... Don't forget to do:
Delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----

Thanks!
Title: Re: [SOLVED] decrypt system configuration backup manually
Post by: julsssark on February 27, 2023, 06:26:34 PM
Thank you @josemarciosa! I used the updated command you posted and it decrypted my v23.1 config file successfully. Note that you do not need to delete any lines from the source file -- the grep portion of the command removes them for you.