Netgate SG-1000 microFirewall

Author Topic: Backups without certificates  (Read 194 times)

0 Members and 1 Guest are viewing this topic.

Online Gil

  • Full Member
  • ***
  • Posts: 106
  • Karma: +3/-0
    • View Profile
Backups without certificates
« on: January 02, 2018, 04:55:13 pm »
Is it possible to create backups without the certificates included.
Thinking about sharing configs with a work colleague, and keeping security.

The obvious thing to do seems to be to manually edit the xml file.

 
11 cheers for binary

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21495
  • Karma: +1458/-26
    • View Profile
Re: Backups without certificates
« Reply #1 on: January 03, 2018, 08:37:41 am »
You'll have to edit them out of the configuration. Be aware there are numerous places that have sensitive data in the config (passwords, etc) that you might also not want to share, so be careful when editing the configuration.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Online Gil

  • Full Member
  • ***
  • Posts: 106
  • Karma: +3/-0
    • View Profile
Re: Backups without certificates
« Reply #2 on: January 05, 2018, 05:40:32 am »
Thanks Jim.
I figured dns and email passwords would be included.
How secure are the 'auto'  backups?
11 cheers for binary

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2311
  • Karma: +176/-9
    • View Profile
Re: Backups without certificates
« Reply #3 on: January 05, 2018, 05:49:37 am »
Thanks Jim.
I figured dns and email passwords would be included.
How secure are the 'auto'  backups?
They should be very secure, because you are treating them as backups ;)
This implies : saving them on a secure place, if possible off-line - and of course, you wouldn't share these files. Like you wouldn't share any backup files from a - your personnel PC
The backup files from pfSense are only useful for the same machine (firewall device) where you made it from.

Ok, it's possible to hand it over to some one else, but interfaces would be different, like passwords, certs, and more.
It's possible to edit them out, but in that case you couldn't use the file anymore for 'import' on some other pfSense machine.

Online Gil

  • Full Member
  • ***
  • Posts: 106
  • Karma: +3/-0
    • View Profile
Re: Backups without certificates
« Reply #4 on: January 05, 2018, 03:08:20 pm »
I keep my unencrypted  configs in an encrypted folder (safehouse).
This allows me to edit the xml  as required.
I was referring to the autoconfig backups (stored with your gold subscription) , which I believe are encrypted with password.
11 cheers for binary

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21495
  • Karma: +1458/-26
    • View Profile
Re: Backups without certificates
« Reply #5 on: January 05, 2018, 03:11:31 pm »
Thanks Jim.
I figured dns and email passwords would be included.
How secure are the 'auto'  backups?

The AutoConfigBackup entries are encrypted on your firewall before they are uploaded, using the password set in the configuration of the package.

The server only sees encrypted blobs of data and some metadata so it knows what host it belongs to and such.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Online Gil

  • Full Member
  • ***
  • Posts: 106
  • Karma: +3/-0
    • View Profile
Re: Backups without certificates
« Reply #6 on: January 05, 2018, 06:02:28 pm »
What is the encryption process and the standards used - AES 256 I assume?
Obviously crucial to system security, and I would like to include this into the sys admin documentation.

Also, why is there a standard maximum of 10 systems?
I envisage some users simply splitting systems on differing accounts.

11 cheers for binary

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21495
  • Karma: +1458/-26
    • View Profile
Re: Backups without certificates
« Reply #7 on: January 05, 2018, 06:07:09 pm »
What is the encryption process and the standards used - AES 256 I assume?
Obviously crucial to system security, and I would like to include this into the sys admin documentation.

https://github.com/pfsense/FreeBSD-ports/blob/1301159156a8e3723307adf84c3941b0703b56e7/sysutils/pfSense-pkg-AutoConfigBackup/files/usr/local/pkg/autoconfigbackup.inc#L221
https://github.com/pfsense/pfsense/blob/b8f91b7c6bd16602d49f50c47f4ea28649404c97/src/etc/inc/crypt.inc#L30

Also, why is there a standard maximum of 10 systems?
I envisage some users simply splitting systems on differing accounts.

Users can buy access for additional hosts under the same account if they wish, but there are some that register devices under multiple accounts. That's far beyond the scope of this thread, though.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Online Gil

  • Full Member
  • ***
  • Posts: 106
  • Karma: +3/-0
    • View Profile
Re: Backups without certificates
« Reply #8 on: January 05, 2018, 06:09:09 pm »
WOW! the beauty of open source. Thanks jimp
11 cheers for binary