Spark ⚡ - Decrypting OPNSense Backups

I’ve been running an OPNSense firewall for a while, and I use the option to back up my configuration to Google Drive. However, those backups are encrypted. I wanted to make sure everything’s alright, so I wanted to decrypt one of my backups and check if the structure of the file is fine.

The exported files from OPNSense have a header and a footer, so to decrypt them, we need to trim those parts and then proceed to execute the commands.

This is the structure of the header:

---- BEGIN config.xml ----
Version: OPNsense 24.7.8
Cipher: AES-256-CBC
PBKDF2: 100000
Hash: SHA512

And this is the structure of the footer:

---- END config.xml ----

Here’s the script:

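#!/bin/bash
# Note: a password passed as an argument is visible in the process list and shell history.

if [ "$#" -ne 3 ]; then
    echo "Usage: $0 <input_file> <output_file> <password>" >&2
    exit 1
fi

input_file="$1"
output_file="$2"
password="$3"

# Remove the header (everything before the first blank line) and the footer,
# then base64-decode the remaining payload
sed -n '/^$/,$p' "$input_file" | sed '/---- END/,$d' | base64 -d > "${input_file}.tmp"

# Decrypt with the parameters stated in the header:
# AES-256-CBC, SHA512, 100000 PBKDF2 iterations
if openssl enc -d -aes-256-cbc -md sha512 -iter 100000 -in "${input_file}.tmp" -out "$output_file" -k "$password"; then
    rm "${input_file}.tmp"
    echo "Decryption successful"
else
    # Clean up the temporary file on failure as well
    rm -f "${input_file}.tmp"
    echo "Decryption failed"
    exit 1
fi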
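
The script above hardcodes the cipher, digest and iteration count that the header already states. As an added example (not part of the original post), this variant reads those fields from the header, validates them, and builds the openssl options from them; the function names and the OPNSENSE_BACKUP_PW environment variable are assumptions.

```bash
#!/bin/bash
# Added example; function names and OPNSENSE_BACKUP_PW are assumptions.

# Print a constructed sample backup. The payload is only the base64 of
# OpenSSL's "Salted__" magic, not real ciphertext.
constructed_sample() {
    printf '%s\n' '---- BEGIN config.xml ----' 'Version: OPNsense 24.7.8' \
        'Cipher: AES-256-CBC' 'PBKDF2: 100000' 'Hash: SHA512' '' \
        'U2FsdGVkX18=' '---- END config.xml ----'
}

# Print one "Key: value" field from the header (the lines before the first blank line).
header_field() {  # usage: header_field <file> <key>
    tr -d '\r' < "$1" | sed -n '1,/^$/p' | sed -n "s/^$2: *//p" | head -n 1
}

# Print the base64 payload: everything after the first blank line, up to the footer.
backup_payload() {  # usage: backup_payload <file>
    tr -d '\r' < "$1" | sed -n '/^$/,$p' | sed '/^---- END/,$d'
}

# Validate the header fields and print the matching openssl options on one line.
openssl_args() {  # usage: openssl_args <file>
    local cipher iter hash
    cipher=$(header_field "$1" Cipher | tr '[:upper:]' '[:lower:]')
    iter=$(header_field "$1" PBKDF2)
    hash=$(header_field "$1" Hash | tr '[:upper:]' '[:lower:]')
    # Accept only a plain cipher name, a number and a digest name, so that
    # header content can never smuggle extra options into the openssl call.
    case "$cipher" in ''|*[!a-z0-9-]*) echo "bad Cipher field" >&2; return 1 ;; esac
    case "$iter"   in ''|*[!0-9]*)     echo "bad PBKDF2 field" >&2; return 1 ;; esac
    case "$hash"   in ''|*[!a-z0-9-]*) echo "bad Hash field" >&2; return 1 ;; esac
    echo "-$cipher -md $hash -pbkdf2 -iter $iter"
}

# Decrypt <file> to <out>. The password comes from the environment, so it
# does not show up in the process list.
decrypt_backup() {  # usage: OPNSENSE_BACKUP_PW=... decrypt_backup <file> <out>
    local args
    args=$(openssl_args "$1") || return 1
    # $args is left unquoted on purpose: it was validated above and must split into options.
    backup_payload "$1" | base64 -d |
        openssl enc -d $args -pass env:OPNSENSE_BACKUP_PW -out "$2"
}
```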