Need to edit config.xml
Have encrypted config.xml and the password.
How do I decrypt the file?
Hi,
There is no command line client. The format somewhat resembles a "normal" encryption, but it's a custom job from 2008 according to the copyright headers:
https://github.com/opnsense/core/blob/master/src/etc/inc/crypt.inc
The "easiest" way would be to boot a VirtualBox VM and import / export it.
I can write a client for this, but it will take a day or two....
Cheers,
Franco
This seems to be just an OpenSSL command line call.
First, the base64 needs to be decoded, then just call the OpenSSL binary from CLI. Nothing completely complex to do.
It is quite strange why the CLI is called as there is a function for that:
https://secure.php.net/manual/de/function.openssl-encrypt.php
Hi,
it works:
first delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----
base64 -d config.encrypted | openssl enc -aes-256-cbc -d -k PASSWORD > config.xml
Thank you!
Might as well do this, alright :)
I tried porting it to PHP internals, but didn't succeed. That must have been in 2015.
Cheers,
Franci
Update to the required command:
$ base64 -d encrypted-config.xml | openssl enc -d -aes-256-cbc -md md5 > decrypted-config.xml
The -md md5 was missing from the previous solutions.
Remember to remove the necessary lines from (a copy of) the encrypted file first. The openssl command will ask for the password interactively. There are parameters that can be added to include the password in the command, left as an exercise for the reader.
Cheers!
Quote from: mfle on April 25, 2017, 11:32:13 PM
first delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----
Thank you!
Thanks for the info all and I had to delete this too, for anyone else using it :)
Version: OPNsense 19.7.7
Cipher: AES-256-CBC
Hash: MD5
Remove everything except the base64 encoded gibberish, add a trailing newline and run
openssl enc -aes-256-cbc -base64 -d -p -in encrypted_config.xml -out decrypted_config.xml
I found that I needed to change the arguments lately to get it working (kept getting "bad decrypt" with the old options).
Looking at the encrypted file, I could see some interesting "header" information, e.g.:
---- BEGIN config.xml ----
Version: OPNsense 22.1.9
Cipher: AES-256-CBC
PBKDF2: 100000
Hash: SHA512
Based upon that block, I changed the CLI arguments accordingly and it then worked:
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc-md sha-512 -iter 100000 -out decrypted_config.xml
Quote from: jimmythedog on June 27, 2022, 07:42:15 AM
Based upon that block, I changed the CLI arguments accordingly and it then worked:
redacted
Your code is missing the space between cipher and hash (before -md). This will work. Thanks for this btw, it was great!:
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml
Anyone get this to work using 23.1? I've tried the prior solutions and I keep getting a bad decrypt.
bad decrypt
139980919153984:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:615:
I'm having the same problem. I've tried all of the above.
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023
SOLVED
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml
enc: Unrecognized flag sha-512
enc: Use -help for summary.
CHANGE
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha512 -iter 100000 -out decrypted_config.xml
First of all... Don't forget to do:
Delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----
Thanks!
Thank you @josemarciosa! I used the updated command you posted and it decrypted my v23.1 config file successfully. Note that you do not need to delete any lines from the source file -- the grep portion of the command removes them for you.
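The "bad decrypt" failures in this thread all come from options that do not match the export's header (MD5 without PBKDF2 on older versions, SHA512 with 100000 PBKDF2 iterations on newer ones). The shell functions below are an added example, not code from any post or from OPNsense; the function names are hypothetical and the header layout is assumed to match the blocks quoted above. They read the header and build the matching openssl options.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes the header layout
# quoted in the thread: "Cipher:", "Hash:" and, on newer exports, "PBKDF2:".

# Print the value of header field $2 from file $1 (empty if absent).
header_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# Turn the header into "openssl enc" decrypt options.
build_args() {
    cipher=$(header_field "$1" Cipher | tr '[:upper:]' '[:lower:]')
    hash=$(header_field "$1" Hash | tr '[:upper:]' '[:lower:]')
    iter=$(header_field "$1" PBKDF2)
    # The header is untrusted input that ends up on a command line:
    # accept plain algorithm names only.
    for value in "$cipher" "$hash"; do
        case "$value" in
            ''|*[!a-z0-9-]*) echo "bad Cipher/Hash header in $1" >&2; return 1 ;;
        esac
    done
    args="-d -$cipher -md $hash"
    # Older exports (Hash: MD5) have no PBKDF2 line; -iter enables PBKDF2.
    case "$iter" in
        '') ;;
        *[!0-9]*) echo "bad PBKDF2 header in $1" >&2; return 1 ;;
        *) args="$args -iter $iter" ;;
    esac
    printf '%s\n' "$args"
}

# Print only the base64 body: no BEGIN/END markers, header or blank lines.
payload() {
    grep -v -e '^----' -e ':' -e '^[[:space:]]*$' "$1" | tr -d '\r'
}

# Decrypt $1 into $2; openssl prompts for the password.
decrypt() {
    args=$(build_args "$1") || return 1
    # $args was validated above, so it is left unquoted to split into options.
    payload "$1" | openssl enc -base64 $args -out "$2"
}

if [ "$#" -eq 2 ]; then
    decrypt "$1" "$2"
fi
```

Saved as a script, it takes the encrypted file and the output file as its two arguments. Because openssl prompts for the password, it does not end up in the process list or shell history the way a password given on the command line would.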