Author Topic: [SOLVED] decrypt system configuration backup manually  (Read 10669 times)

mfle

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
[SOLVED] decrypt system configuration backup manually
« on: April 25, 2017, 09:43:04 pm »
Need to edit config.xml
Have encrypted config.xml and the password.

How to decrypt the file?
« Last Edit: April 26, 2017, 08:52:10 am by franco »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17705
  • Karma: 1618
    • View Profile
Re: decrypt system configuration backup manually
« Reply #1 on: April 25, 2017, 09:52:46 pm »
Hi,

There is no command line client. The format somewhat resembles a "normal" encryption, but it's a custom job from 2008 according to the copyright headers:

https://github.com/opnsense/core/blob/master/src/etc/inc/crypt.inc

The "easiest" way would be to boot a VirtualBox VM and import / export it.

I can write a client for this, but it will take a day or two....


Cheers,
Franco
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: decrypt system configuration backup manually
« Reply #2 on: April 25, 2017, 10:03:23 pm »
This seems to be just an OpenSSL command line call.
First, the base64 needs to be decoded, then just call the OpenSSL binary from CLI. Nothing completely complex to do.

It is quite strange why the CLI is called as there is a function for that:
https://secure.php.net/manual/de/function.openssl-encrypt.php
Logged

mfle

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
    • View Profile
Re: decrypt system configuration backup manually
« Reply #3 on: April 25, 2017, 11:32:13 pm »
Hi,

it works:

first delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----

base64 -d config.encrypted | openssl enc -aes-256-cbc -d -k PASSWORD > config.xml

Thank you!
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17705
  • Karma: 1618
    • View Profile
Re: decrypt system configuration backup manually
« Reply #4 on: April 26, 2017, 08:52:01 am »
Might as well do this, alright :)

I tried porting it to PHP internals, but didn't succeed. That must have been in 2015.


Cheers,
Franco
Logged

drivera

  • Jr. Member
  • **
  • Posts: 80
  • Karma: 0
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #5 on: September 01, 2019, 08:34:49 pm »
Update to the required command:

Code:
$ base64 -d encrypted-config.xml | openssl enc -d -aes-256-cbc -md md5 > decrypted-config.xml
The -md md5 was missing from the previous solutions.

Remember to remove the necessary lines from (a copy of) the encrypted file first.  The openssl command will ask for the password interactively. There are parameters that can be added to include the password in the command, left as an exercise for the reader.

Cheers!
Logged

mannp

  • Newbie
  • *
  • Posts: 26
  • Karma: 0
    • View Profile
Re: decrypt system configuration backup manually
« Reply #6 on: November 26, 2019, 03:05:36 pm »
Quote from: mfle on April 25, 2017, 11:32:13 pm

first delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----

Thank you!

Thanks for the info all and I had to delete this too, for anyone else using it :)

Quote
Version: OPNsense 19.7.7
Cipher: AES-256-CBC
Hash: MD5
Logged

reboot81

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #7 on: January 11, 2020, 05:23:40 pm »
Remove everything except the base64 encoded gibberish, add a trailing newline and run
Code:
openssl enc -aes-256-cbc -base64 -d -p -in encrypted_config.xml -out decrypted_config.xml
Logged

jimmythedog

  • Newbie
  • *
  • Posts: 1
  • Karma: 1
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #8 on: June 27, 2022, 07:42:15 am »
I found that I needed to change the arguments lately to get it working (kept getting "bad decrypt" with the old options)
Looking at the encrypted file, I could see some interesting "header" information e.g.:
Code:
---- BEGIN config.xml ----
Version: OPNsense 22.1.9
Cipher: AES-256-CBC
PBKDF2: 100000
Hash: SHA512

Based upon that block, I changed the CLI arguments accordingly and it then worked:

Code:
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc-md sha-512 -iter 100000 -out decrypted_config.xml
Logged

beeric

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #9 on: July 08, 2022, 07:08:15 am »
Quote from: jimmythedog on June 27, 2022, 07:42:15 am
Based upon that block, I changed the CLI arguments accordingly and it then worked:

Code:
redacted

Your code is missing the space between cipher and hash (before -md). This will work. Thanks for this btw, it was great!:
Code:
grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml
Logged

julsssark

  • Jr. Member
  • **
  • Posts: 93
  • Karma: 6
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #10 on: February 22, 2023, 10:16:21 pm »
Anyone get this to work using 23.1? I've tried the prior solutions and I keep getting a bad decrypt.
Logged

josemarciosa

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #11 on: February 27, 2023, 04:22:27 pm »
bad decrypt
139980919153984:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:615:

I'm having the same problem. I've tried all of the above.

OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

Logged

josemarciosa

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #12 on: February 27, 2023, 04:30:36 pm »
SOLVED

grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml

enc: Unrecognized flag sha-512
enc: Use -help for summary.

CHANGE

grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha512 -iter 100000 -out decrypted_config.xml

First of all... Don't forget to do:
Delete first and last line from config.encrypted
---- BEGIN config.xml ----
---- END config.xml ----

Thanks!
Logged

julsssark

  • Jr. Member
  • **
  • Posts: 93
  • Karma: 6
    • View Profile
Re: [SOLVED] decrypt system configuration backup manually
« Reply #13 on: February 27, 2023, 06:26:34 pm »
Thank you @josemarciosa! I used the updated command you posted and it decrypted my v23.1 config file successfully. Note that you do not need to delete any lines from the source file -- the grep portion of the command removes them for you.
Logged
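
Added example (not from any poster or the OPNsense project): the replies above each hard-code the digest and iteration count for one release, so this script reads them from the backup's own header lines as quoted in the thread and passes only allow-listed values to `openssl enc`. The function names are hypothetical, and the AES-256-CBC/MD5 fallback for files without header fields is an assumption drawn from the 2017 and 2019 replies.

```shell
#!/bin/sh
# Added example, not OPNsense project code. Header layout as quoted in the thread.

# Print the value of one "Name: value" header field (empty if absent).
opn_field() {    # $1 = backup file, $2 = field name
    sed -n "s/^$2: *//p" "$1" | head -n 1 | tr -d '\r'
}

# Print only the base64 payload: drop BEGIN/END markers, header fields, blanks.
opn_payload() {  # $1 = backup file
    tr -d '\r' < "$1" | grep -v -e '^---- ' -e '^[A-Za-z0-9]*: ' -e '^[[:space:]]*$'
}

# Print the `openssl enc` options matching the file's header.
# The header is unauthenticated text, so every value is checked against an
# allow-list before it is placed on a command line.
opn_openssl_args() {  # $1 = backup file
    cipher=$(opn_field "$1" Cipher | tr '[:upper:]' '[:lower:]')
    hash=$(opn_field "$1" Hash | tr '[:upper:]' '[:lower:]')
    iter=$(opn_field "$1" PBKDF2)
    # Assumption from the thread: files without these fields are AES-256-CBC/MD5.
    : "${cipher:=aes-256-cbc}" "${hash:=md5}"
    case "$cipher" in aes-256-cbc) ;; *) echo "unsupported cipher" >&2; return 1 ;; esac
    case "$hash" in md5|sha512) ;; *) echo "unsupported hash" >&2; return 1 ;; esac
    args="-d -base64 -$cipher -md $hash"
    case "$iter" in
        '') ;;                                            # legacy key derivation
        *[!0-9]*) echo "bad PBKDF2 count" >&2; return 1 ;;
        *) args="$args -iter $iter" ;;                    # -iter selects PBKDF2
    esac
    printf '%s\n' "$args"
}

# Decrypt; openssl prompts for the password, keeping it out of argv and history.
opn_decrypt() {  # $1 = encrypted backup, $2 = output path
    args=$(opn_openssl_args "$1") || return 1
    # The decrypted config.xml contains secrets: create it owner-readable only.
    # $args is left unquoted on purpose; it holds only allow-listed options.
    ( umask 077; opn_payload "$1" | openssl enc $args -out "$2" )
}

if [ "$#" -eq 2 ]; then opn_decrypt "$1" "$2"; fi
```

Saved as a script, it takes the encrypted backup and the output path as its two arguments; a "bad decrypt" from openssl then points at the password rather than at mismatched options.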
