Can I decrypt a pfSense XML config I encrypted?

A power outage caused a corruption in my FS and pfSense failed to boot with error 5. Good thing is, it didn’t happen with my primary FW. I really didn’t have time to mess around with it, and since I had a backup, I just decided to wipe and restore from a backup.

My problem now: I can’t restore from the backup. My latest backup was from three months ago. But when I try to restore I get

File decryption failed. Incorrect password or file is invalid.

I know it’s not that I forgot the password. I use a password manager for that. But I need to restore from this backup because I have multiple VLANs and some complex firewall rules that even I can’t remember.

It has taken me months to get to the point of configuration. Since I wiped and reinstalled can I decrypt my encrypted backup XML so I can at least restore from that?


In testing this out, I know it’s not an invalid password. I did a backup and used the same password as before, and did a minor change to the FW rules. Then I did a restore with the password and everything worked. So, it can’t be an incorrect password unless I’m missing something here. It has to be that the file is invalid. But I’m not understanding why or how. If the purpose of a restore is to use it after a fresh reinstall, can a change in the reinstall cause it to become a bad file?

I solved my first problem in being able to decrypt offline with this documentation Encrypted Configuration Files: Plus 22.05 and CE 2.7.0 and later. Now, I need to solve the problem of why I can’t use the backup configuration.

Well that was a dead end too

Long shot, but this might be worth reading

That post is from 10 years ago so don’t think it’s relevant.

When you choose to encrypt the backup it asks what password you want to use, which may or may not have been your login password; it comes down to what you chose to put in that field.

Yeah, I considered all of those options, which didn’t work. However, in using the Netgate offline decrypt method, I spun up a Linode VM and attempted to decrypt it using the method described for Plus 22.05

openssl enc -d -a -aes-256-cbc -in config-encrypted.xml -out dencryptedfile.xml -pass pass: -salt -md sha256 -pbkdf2 -iter 500000

using the password I know, which contains special characters, so I had to escape one of them. The only returned message was

No such file or directory

If it was the incorrect password it would have returned a Bad Crypt message. So I’m not sure what’s going on. I tried turning -v or -debug on to see what was going on, but it just kept outputting

No such file or directory

At that point, I decided to just rebuild all the VLANs and I returned to some of your YT videos for inspiration on perhaps making my firewall rules simpler but still secure, as the types of things I have running on my home network vary from databases, gaming servers, work/personal computers, and IoT devices.
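The openssl command above only reports "bad decrypt" once it has found and parsed the file, so a path problem and a broken file look different from a wrong password. The following added helper (not pfSense or Netgate code, written for this thread) checks the file before any key derivation: it confirms the path exists, strips any `---- BEGIN ... ----` armor lines if present (an assumption; the command in the thread feeds the file to openssl as-is), base64-decodes the body, verifies OpenSSL's `Salted__` envelope, and derives the AES-256-CBC key and IV the same way `-pbkdf2 -md sha256 -iter 500000` does. It reads nothing but the file and a password string, so no special characters need shell escaping.

```python
"""Sanity-check a pfSense (Plus 22.05 / CE 2.7.0+) encrypted config.xml
before blaming the password.  Hypothetical helper, not pfSense code.
Format assumed from the thread's openssl flags: base64 (-a) around
'Salted__' + 8-byte salt + AES-256-CBC ciphertext, key/IV derived with
PBKDF2-HMAC-SHA256, 500000 iterations."""
import base64
import binascii
import hashlib
import os
import re

ITERATIONS = 500000
B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_envelope(text: str):
    """Return (salt, ciphertext) or raise ValueError naming the defect."""
    # Keep only base64-looking lines; header/armor lines (assumed possible)
    # such as '---- BEGIN config.xml ----' or 'Version: ...' are skipped.
    body = "".join(l.strip() for l in text.splitlines() if B64_LINE.match(l.strip()))
    if not body:
        raise ValueError("no base64 payload found")
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"base64 decode failed: {exc}")
    if not raw.startswith(b"Salted__") or len(raw) < 32:
        raise ValueError("missing OpenSSL 'Salted__' header (not output of enc -salt)")
    salt, ciphertext = raw[8:16], raw[16:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a multiple of the AES block size (truncated?)")
    return salt, ciphertext


def derive_key_iv(password: str, salt: bytes, iterations: int = ITERATIONS):
    """Same KDF openssl enc uses with -pbkdf2 -md sha256: 32-byte key, then 16-byte IV."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 48)
    return km[:32], km[32:]


def classify(path: str) -> str:
    """'missing' (path problem, not crypto), 'invalid' (envelope broken), or 'ok'."""
    if not os.path.isfile(path):
        return "missing"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parse_envelope(fh.read())
    except ValueError:
        return "invalid"
    return "ok"


def make_sample_envelope(salt: bytes = b"\x01" * 8, blocks: int = 2) -> str:
    """Constructed test input: a valid envelope around dummy (not real) ciphertext."""
    return base64.encodebytes(b"Salted__" + salt + b"\x00" * (16 * blocks)).decode()
```

A result of "ok" only means the envelope is well-formed; the key and IV from `derive_key_iv` still have to be fed to an AES-256-CBC decrypt (for example the openssl command above) to learn whether the password matches.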