Project

General

Profile

Actions

Bug #12691

closed

Support encrypted ``config.xml`` files when restoring during install

Added by Viktor Gurov almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Installer
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Add a password prompt to bsdinstall if config.xml is encrypted, and skip it on <ENTER>

see ECL encrypted config.xml: #12685

Actions #2

Updated by Viktor Gurov almost 3 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Jim Pingle almost 3 years ago

  • Assignee set to Viktor Gurov
  • Target version set to CE-Next
  • Plus Target Version set to 22.05
Actions #4

Updated by Viktor Gurov almost 3 years ago

  • Status changed from Pull Request Review to Feedback
Actions #5

Updated by Jim Pingle almost 3 years ago

  • Target version changed from CE-Next to 2.7.0
Actions #6

Updated by Jim Pingle over 2 years ago

  • Subject changed from Allow to load encrypted config.xml during install to Support encrypted ``config.xml`` files when restoring during install

Updating subject for release notes.

Actions #7

Updated by Jordan G over 2 years ago

was able to successfully load password protected config.xml from flash drive by rerooting from the console menu with 22.05-DEVELOPMENT-20220423-0600. Password is not masked at prompt and then config.xml is stored on drive sans password after the restore process.

Actions #8

Updated by Viktor Gurov over 2 years ago

  • Status changed from Feedback to New

Jordan Greene wrote in #note-7:

was able to successfully load password protected config.xml from flash drive by rerooting from the console menu with 22.05-DEVELOPMENT-20220423-0600. Password is not masked at prompt and then config.xml is stored on drive sans password after the restore process.

Hide characters in password prompt:
https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/73

Actions #9

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Pull Request Review
Actions #10

Updated by Viktor Gurov over 2 years ago

  • Status changed from Pull Request Review to Feedback
Actions #11

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to In Progress
  • Assignee changed from Viktor Gurov to Jim Pingle

This introduced a syntax error. Fix incoming.

Actions #12

Updated by Jim Pingle over 2 years ago

  • Status changed from In Progress to Feedback

Fix merged

Actions #14

Updated by Chris Linstruth over 2 years ago

  • Status changed from Feedback to Assigned

Unfortunately, this does not look to be working for me.

This is what I get when I try to decrypt using the installer:

Looking for config.xml on da0s3: [found msdos] [config.xml on da0s3] config.xml is encrypted.
Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: 

I tried terminating the password with enter, ^J, ^M and pasting the password. Nothing took.

This is the exact same file after bailing out of that by pressing Enter, then mounting the same installer in the newly-installed beta version:

[22.05-BETA][root@pfSense.home.arpa]/mnt/conf: pfSsh.php playback cryptconfig decrypt /mnt/conf/config.xml /mnt/conf/config-decrypted.xml
Enter the encryption password: 
Decrypting data...Done
[22.05-BETA][root@pfSense.home.arpa]/mnt/conf:

It was perfectly decrypted and readable.

The password is very simple at 7 lower-case characters. Nothing special.

Actions #15

Updated by Jim Pingle over 2 years ago

Two problems here:

  • It may not be reading the password properly. It would be better to use dialog than a text prompt.
  • The code in the installer is not accounting for the higher iteration count used on current encrypted backups.

I have a fix almost ready but it may be too disruptive for this release without more time to test.

Actions #16

Updated by Jim Pingle over 2 years ago

  • Status changed from Assigned to Pull Request Review

MR: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/88

That MR has the proposed changes inside.

Actions #17

Updated by Jim Pingle over 2 years ago

  • Status changed from Pull Request Review to Feedback

MR merged.

Actions #18

Updated by Jim Pingle over 2 years ago

  • % Done changed from 0 to 100
Actions #19

Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to Resolved

Latest commit works well. I get the prompt for the password, I can enter the password and it successfully decrypts and restores the configuration.

Actions

Also available in: Atom PDF