Bug #12691
closed
Support encrypted ``config.xml`` files when restoring during install
100%
Description
Add a password prompt to bsdinstall if config.xml is encrypted, and skip it on <ENTER>
see ECL encrypted config.xml: #12685
Updated by Viktor Gurov over 2 years ago
Updated by Viktor Gurov over 2 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle over 2 years ago
- Assignee set to Viktor Gurov
- Target version set to CE-Next
- Plus Target Version set to 22.05
Updated by Viktor Gurov about 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Jim Pingle about 2 years ago
- Target version changed from CE-Next to 2.7.0
Updated by Jim Pingle about 2 years ago
- Subject changed from Allow to load encrypted config.xml during install to Support encrypted ``config.xml`` files when restoring during install
Updating subject for release notes.
Updated by Jordan G about 2 years ago
was able to successfully load password protected config.xml from flash drive by rerooting from the console menu with 22.05-DEVELOPMENT-20220423-0600. Password is not masked at prompt and then config.xml is stored on drive sans password after the restore process.
Updated by Viktor Gurov about 2 years ago
- Status changed from Feedback to New
Jordan Greene wrote in #note-7:
was able to successfully load password protected config.xml from flash drive by rerooting from the console menu with 22.05-DEVELOPMENT-20220423-0600. Password is not masked at prompt and then config.xml is stored on drive sans password after the restore process.
Hide characters in password prompt:
https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/73
Updated by Jim Pingle about 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov about 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to In Progress
- Assignee changed from Viktor Gurov to Jim Pingle
This introduced a syntax error. Fix incoming.
Updated by Viktor Gurov almost 2 years ago
Updated by Chris Linstruth almost 2 years ago
- Status changed from Feedback to Assigned
Unfortunately, this does not look to be working for me.
This is what I get when I try to decrypt using the installer:
Looking for config.xml on da0s3: [found msdos] [config.xml on da0s3] config.xml is encrypted. Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel: Enter the password to decrypt config.xml, or press <ENTER> to cancel:
I tried terminating the password with enter, ^J, ^M and pasting the password. Nothing took.
This is the exact same file after bailing out of that by pressing Enter, then mounting the same installer in the newly-installed beta version:
[22.05-BETA][root@pfSense.home.arpa]/mnt/conf: pfSsh.php playback cryptconfig decrypt /mnt/conf/config.xml /mnt/conf/config-decrypted.xml Enter the encryption password: Decrypting data...Done [22.05-BETA][root@pfSense.home.arpa]/mnt/conf:
It was perfectly decrypted and readable.
The password is very simple at 7 lower-case characters. Nothing special.
Updated by Jim Pingle almost 2 years ago
Two problems here:
- It may not be reading the password properly. It would be better to use
dialogthan a text prompt. - The code in the installer is not accounting for the higher iteration count used on current encrypted backups.
I have a fix almost ready but it may be too disruptive for this release without more time to test.
Updated by Jim Pingle almost 2 years ago
- Status changed from Assigned to Pull Request Review
MR: https://gitlab.netgate.com/pfSense/FreeBSD-src/-/merge_requests/88
That MR has the proposed changes inside.
Updated by Jim Pingle almost 2 years ago
- Status changed from Pull Request Review to Feedback
MR merged.
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved
Latest commit works well. I get the prompt for the password, I can enter the password and it successfully decrypts and restores the configuration.