Bug #12691: Support encrypted ``config.xml`` files when restoring during install - pfSense - pfSense bugtracker

Subject changed from Allow to load encrypted config.xml during install to Support encrypted ``config.xml`` files when restoring during install

Updating subject for release notes.

Actions

Copy link

Updated by Jordan G over 2 years ago

was able to successfully load password protected config.xml from flash drive by rerooting from the console menu with 22.05-DEVELOPMENT-20220423-0600. Password is not masked at prompt and then config.xml is stored on drive sans password after the restore process.

Actions

Copy link

Updated by Viktor Gurov over 2 years ago

Status changed from Feedback to New

Jordan Greene wrote in #note-7:

was able to successfully load password protected config.xml from flash drive by rerooting from the console menu with 22.05-DEVELOPMENT-20220423-0600. Password is not masked at prompt and then config.xml is stored on drive sans password after the restore process.

Hide characters in password prompt:
https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/73

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Status changed from New to Pull Request Review

Actions

Copy link

#10

Updated by Viktor Gurov over 2 years ago

Status changed from Pull Request Review to Feedback

Merged:
https://github.com/pfsense/FreeBSD-src/commit/0e4c152b7e44f36e5fbe59ef6a7611f8d50b9e51

Actions

Copy link

#11

Updated by Jim Pingle over 2 years ago

Status changed from Feedback to In Progress
Assignee changed from Viktor Gurov to Jim Pingle

This introduced a syntax error. Fix incoming.

Actions

Copy link

#12

Updated by Jim Pingle over 2 years ago

Status changed from In Progress to Feedback

Fix merged

Actions

Copy link

#13

Updated by Viktor Gurov over 2 years ago

latest fix:
https://github.com/pfsense/FreeBSD-src/commit/072e35cbaebc20469dd6287fb160bb68a8de4189

Actions

Copy link

#14

Updated by Chris Linstruth over 2 years ago

Status changed from Feedback to Assigned

Unfortunately, this does not look to be working for me.

This is what I get when I try to decrypt using the installer:

Looking for config.xml on da0s3: [found msdos] [config.xml on da0s3] config.xml is encrypted.
Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel:

I tried terminating the password with enter, ^J, ^M and pasting the password. Nothing took.

This is the exact same file after bailing out of that by pressing Enter, then mounting the same installer in the newly-installed beta version:

[22.05-BETA][root@pfSense.home.arpa]/mnt/conf: pfSsh.php playback cryptconfig decrypt /mnt/conf/config.xml /mnt/conf/config-decrypted.xml
Enter the encryption password: 
Decrypting data...Done
[22.05-BETA][root@pfSense.home.arpa]/mnt/conf:

It was perfectly decrypted and readable.

The password is very simple at 7 lower-case characters. Nothing special.

Actions

Copy link

#15

Updated by Jim Pingle over 2 years ago

Two problems here:

It may not be reading the password properly. It would be better to use dialog than a text prompt.
The code in the installer is not accounting for the higher iteration count used on current encrypted backups.

I have a fix almost ready but it may be too disruptive for this release without more time to test.

Actions

Copy link

#16