Github repository for FreeNAS scripts, including disk burnin and rsync support

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> Finally got the time to get into this.
>
> Thanks for the fix. I didn't test the new script yet because I started to go through your script to understand it and I tried manually to make a tarball, encrypt it and then decrypt it.
>
> Encryption went fine but when I tried to decrypt I got this error:
>
> Code:
> *** WARNING : deprecated key derivation used.
> Using -iter or -pbkdf2 would be better.
> bad decrypt
> 34371117056:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/truenas-releng/freenas/_BE/os/crypto/openssl/crypto/evp/evp_enc.c:583:
>
> ... and no decryption. I tried to troubleshoot the command on the Github page for decryption but couldn't get it to work.
How did you encrypt the tarball? On FreeBSD 12+, the script should be using this command (line 112 in save_config_enc.sh), which includes the -pbkdf2 and -iter options:
Code:
openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt -S "$(openssl rand -hex 8)" -pass file:"$enc_passphrasefile" -in "$fnconfigtarball" -out "$fnconfigtarballenc"

Jatrabari

Contributor
Joined
Sep 23, 2017
Messages
100
I used the same command, just inserting the values manually

Code:
openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt -S "$(openssl rand -hex 8)" -pass file:passfile.txt -in test1.tar.gz -out test1.tar.gz.enc
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> I used the same command, just inserting the values manually
>
> Code:
> openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt -S "$(openssl rand -hex 8)" -pass file:passfile.txt -in test1.tar.gz -out test1.tar.gz.enc
Turns out you have to decrypt with the -pbkdf2 and -iter options if they were used to encrypt the file. I've modified the README file on the GitHub repository to reflect this fact.

So your decryption command needs to be something like this:
Code:
openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -pass file:passfile.txt -in test1.tar.gz.enc -out test1.decrypted.tar.gz
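
The encrypt/decrypt pairing above, as an added shell example rather than code from the repository: it runs both commands against a constructed passphrase file and a constructed "tarball" in a temporary directory, once with matching -pbkdf2/-iter options on both sides and once decrypting the way the failing command did, with the legacy key derivation. The legacy path derives a different key from the same passphrase and salt, which is why OpenSSL reports "bad decrypt". File names, contents and the passphrase are assumptions for this example; cipher, digest and iteration count are the ones used in the thread.

```shell
#!/bin/sh
# Added example: OpenSSL enc round trip with PBKDF2 key derivation.
# Passphrase, file names and contents are constructed for this demo; the cipher,
# digest and iteration count match the command used in save_config_enc.sh.

KDF_ITER=128000

# enc_file PASSFILE IN OUT: encrypt with PBKDF2 and an explicit random 8-byte salt.
enc_file() {
    openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter "$KDF_ITER" -salt \
        -S "$(openssl rand -hex 8)" -pass file:"$1" -in "$2" -out "$3"
}

# dec_file PASSFILE IN OUT: decrypt with the same KDF options. The salt is read back
# from the "Salted__" header of the ciphertext, so -S is not repeated here.
dec_file() {
    openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter "$KDF_ITER" \
        -pass file:"$1" -in "$2" -out "$3"
}

# dec_file_legacy PASSFILE IN OUT: same cipher and digest but without -pbkdf2/-iter,
# so OpenSSL falls back to the deprecated EVP_BytesToKey derivation and a different key.
dec_file_legacy() {
    openssl enc -d -aes-256-cbc -md sha512 -pass file:"$1" -in "$2" -out "$3" 2>/dev/null
}

# prepare_fixture DIR: write the constructed passphrase and plaintext, then encrypt.
prepare_fixture() {
    printf 'constructed-passphrase\n' > "$1/passfile.txt"
    printf 'constructed config tarball contents\n' > "$1/test1.tar.gz"
    enc_file "$1/passfile.txt" "$1/test1.tar.gz" "$1/test1.tar.gz.enc"
}

# roundtrip_ok: returns 0 when decrypting with matching options reproduces the plaintext.
roundtrip_ok() {
    d=$(mktemp -d) || return 1
    rc=1
    if prepare_fixture "$d" &&
       dec_file "$d/passfile.txt" "$d/test1.tar.gz.enc" "$d/test1.decrypted.tar.gz" &&
       cmp -s "$d/test1.tar.gz" "$d/test1.decrypted.tar.gz"; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

# legacy_kdf_mismatch: returns 0 when the legacy-KDF decrypt fails or yields garbage,
# i.e. it never recovers the plaintext ("bad decrypt" is the expected symptom).
legacy_kdf_mismatch() {
    d=$(mktemp -d) || return 1
    rc=1
    if prepare_fixture "$d"; then
        if dec_file_legacy "$d/passfile.txt" "$d/test1.tar.gz.enc" "$d/test1.legacy.tar.gz" &&
           cmp -s "$d/test1.tar.gz" "$d/test1.legacy.tar.gz"; then
            rc=1    # plaintext recovered with the wrong KDF: would contradict the thread
        else
            rc=0
        fi
    fi
    rm -rf "$d"
    return $rc
}

roundtrip_ok && echo "matching -pbkdf2/-iter on both sides: plaintext recovered"
legacy_kdf_mismatch && echo "legacy KDF on decrypt: plaintext NOT recovered"
```

Run it with sh on a host that has openssl in PATH. Whether OpenSSL prints the deprecation warning or not depends on its version; the thing to rely on is the KDF mismatch itself, which is why the check compares the decrypted bytes against the original instead of looking for a particular error string.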
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
Spearfoot updated Github repository for FreeNAS scripts, including disk burnin and rsync support with a new update entry:

Improved the configuration backup script: save_config.sh

This updated version creates a tarball containing a validated copy of the TrueNAS/FreeNAS configuration database along with the password secret seed encryption file. This makes it better suited to restoring the configuration than simply having a copy of the configuration database.


Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
Hi,
There is really a security issue with your save_config scripts that users should be aware of.
The script will copy the unencrypted password file to the dataset specified by the user. If it is an SMB share or a commonly shared dataset, this would spread copies of the file across the system. With ZFS, keep in mind we cannot even erase it securely later.

You should:
- create a tmp folder owned and only readable by root
- directly tar the pwenc file from /data to the tmp folder without copying it, ideally by password-protecting it on the fly
- move the encrypted file from the tmp folder to the user backupdir folder

I understand that the GUI does the same. But we can encrypt the downloaded file and securely erase the unencrypted copy once done.

In any case, thank you for your useful scripts. They really are a great tutorial!
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> Hi,
> There is really a security issue with your save_config scripts that users should be aware of.
> The script will copy the unencrypted password file to the dataset specified by the user. If it is an SMB share or a commonly shared dataset, this would spread copies of the file across the system. With ZFS, keep in mind we cannot even erase it securely later.
>
> You should:
> - create a tmp folder owned and only readable by root
> - directly tar the pwenc file from /data to the tmp folder without copying it, ideally by password-protecting it on the fly
> - move the encrypted file from the tmp folder to the user backupdir folder
>
> I understand that the GUI does the same. But we can encrypt the downloaded file and securely erase the unencrypted copy once done.
>
> In any case, thank you for your useful scripts. They really are a great tutorial!
This is true, and I like your suggestion.

To be clear -- the version that emails a copy of the config does encrypt the data before emailing it.

LATER: I've added a security warning to both of the 'save config' scripts on GitHub:
[attached image: security-warning.jpg]

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
I must admit that I personally modified and flattened your script for my custom use.
I will fork your repo and commit my changes, but they are only intended for my personal use.

The better and simpler way for the encrypted script I went with is creating a temp folder in root's home and chmod-ing it to 700.
Create all the temp files inside that folder, and then copy the encrypted tarball wherever the user wants.

At least this way, with the encrypted version, you ensure that the unencrypted password is never accessible outside root:wheel.

Code:
target_dirname="save_config"
tmp_dir="/root/tmp/$target_dirname"

# show_error is an internal function to exit/log as needed
mkdir -p "$tmp_dir" || show_error $? "ERROR creating temporary folder: $tmp_dir"

chown root:wheel "$tmp_dir" || show_error $? "ERROR setting owner of temp folder: $tmp_dir"
chmod 700 "$tmp_dir" || show_error $? "ERROR setting permissions of temp folder: $tmp_dir"

# Password file to backup
pwenc_dir="/data"
pwenc_file="pwenc_secret"

# Config database file to backup
config_db_dir="/data"
config_db_name="freenas-v1.db"

# Backup the sqlite database to tmp folder
/usr/local/bin/sqlite3 "$config_db_dir/$config_db_name" ".backup main '$tmp_dir/$config_db_name'"

# $backup_archive_name is the combination of your $P1-$P2-$P3
target_backup_tarball="$tmp_dir/$backup_archive_name.tar"

# do not copy the password file, just archive it directly from /data
# (still unencrypted at this point, but the tar output can be piped to openssl directly if needed)
tar -cvf "$target_backup_tarball" \
    -C "$pwenc_dir" "$pwenc_file" \
    -C "$tmp_dir" "$config_db_name"

# Now, you can encrypt the local tmp tarball
# and move it to any SMB share chosen by the user
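
Phil1295's suggestion (tar the pwenc file straight from /data, password-protect it on the fly, and only then move the result to the user's backup folder) taken one step further, as an added shell example that is not code from either poster's script: tar writes the archive to stdout and openssl reads it from stdin, so the only file that ever lands on disk is the ciphertext, and the work directory is checked to be mode 700 before anything is written into it. The /data contents, passphrase and file names are constructed for the demo; a real script would take the database member from a sqlite3 .backup as in the snippet above. The cipher and KDF options are the ones used throughout the thread.

```shell
#!/bin/sh
# Added example: stream the secret straight from its source directory into openssl
# so that no unencrypted copy of pwenc_secret is ever written to disk, not even in a
# temporary folder. All paths and contents are constructed for this demo; on a real
# system the sources are /data/pwenc_secret and a sqlite3 .backup of /data/freenas-v1.db.

umask 077   # everything this script creates is owner-only from the start

# is_private_dir DIR: true when the permission bits are exactly drwx------ (uses ls, not stat, for portability).
is_private_dir() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# make_private_tmp: create a fresh directory and refuse to use it unless it is mode 700.
make_private_tmp() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d" || { rm -rf "$d"; return 1; }
    is_private_dir "$d" || { rm -rf "$d"; return 1; }
    printf '%s\n' "$d"
}

# backup_encrypted SRC_DIR PASSFILE OUT_ENC: tar writes to stdout, openssl reads stdin;
# only the ciphertext is ever stored. Same cipher/KDF options as the thread's commands.
backup_encrypted() {
    tar -cf - -C "$1" pwenc_secret freenas-v1.db |
        openssl enc -e -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -salt \
            -pass file:"$2" -out "$3"
}

# list_members PASSFILE ENC: decrypt into a pipe and list the archive, again without
# writing plaintext to disk.
list_members() {
    openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -pass file:"$1" -in "$2" |
        tar -tf -
}

# extract_secret PASSFILE ENC: print the restored pwenc_secret content to stdout (pipe only).
extract_secret() {
    openssl enc -d -aes-256-cbc -md sha512 -pbkdf2 -iter 128000 -pass file:"$1" -in "$2" |
        tar -xOf - pwenc_secret
}

# demo: build a constructed /data, run the backup, and return 0 only if
#   1) the encrypted archive restores the secret intact,
#   2) no plaintext tarball exists anywhere under the work directory,
#   3) the ciphertext file itself is owner-only.
demo() {
    work=$(make_private_tmp) || return 1
    src="$work/data"
    mkdir "$src" || { rm -rf "$work"; return 1; }
    printf 'constructed-secret-seed\n' > "$src/pwenc_secret"
    printf 'constructed sqlite backup\n' > "$src/freenas-v1.db"
    printf 'constructed-passphrase\n' > "$work/passfile.txt"
    rc=1
    if backup_encrypted "$src" "$work/passfile.txt" "$work/config.tar.enc" &&
       [ "$(extract_secret "$work/passfile.txt" "$work/config.tar.enc")" = "constructed-secret-seed" ] &&
       [ -z "$(find "$work" -name '*.tar')" ] &&
       [ "$(ls -l "$work/config.tar.enc" | cut -c1-10)" = "-rw-------" ]; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

demo && echo "encrypted backup written; no plaintext copy of pwenc_secret touched disk"
```

Two caveats when turning this into a cron job: POSIX sh reports only the last command's status for a pipeline, so a failing tar would still leave openssl writing an encrypted empty archive; verifying the result with a listing (list_members) as demo does, or running under bash with set -o pipefail, closes that gap. And the encrypted file should be written inside the private directory first and moved to the shared dataset afterwards, exactly as the post recommends, so that a partially written ciphertext never appears on the share.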

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
A last note: optionally, to use the exact same filename as when exporting from the TrueNAS GUI, remove the extra hash check from the version array:
Code:
# Get current OS version (used to set the target backup file name)
# - output is in the form of: TrueNAS-12.0-U5.1 (6c639bd48a)
# - read it into () to transform the string into an array of space-separated strings
freenas_version=()
IFS=" " read -r -a freenas_version < <( grep -i truenas /etc/version )
if [ ${#freenas_version[@]} -eq 0 ]; then
    IFS=" " read -r -a freenas_version < <( grep -i freenas /etc/version )
fi

if [ ${#freenas_version[@]} -eq 0 ] || [ -z "${freenas_version[0]}" ]; then
    freenas_version[0]="UNKNOWN"
fi

# Form a unique, timestamped filename for the backup configuration database and tarball
P1=$(hostname -s)
P2=${freenas_version[0]} # we only keep the part: TrueNAS-12.0-U5.1 and omit the build code (6c639bd48a)
P3=$(date +%Y%m%d%H%M%S)
backup_archive_name="$P1"-"$P2"-"$P3"


Edit: fixed assigning array as a string

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
Hi,
I rarely take the time to adapt my internal scripts for general use and push them to GitHub. However, since I wanted to add this to my cron job tasks and never had the time until now, here it is:

First, thank you for all your scripts and mainly the SQL part to back up the database reliably.

It is based on the template of all my cron jobs. The template has the ability to parse option flags in addition to positional parameters.

The script is thus able to select the encryption (OpenSSL, rar or no encryption). Default is OpenSSL.
It also never creates any copy of the unencrypted password file, even in a temporary directory. Only if the no-encryption option is selected will the tar file be created in the directory specified by the user.

The other advantage is that the script can be run without any editing. It only needs two arguments in that case: the target mountpoint and a file/dir in the root of the mountpoint. I made this mandatory to avoid any backups being created on a non-mounted dataset. I use this trick for all my scripts.

Editing is optional to control many aspects, and the script can then be run without arguments. Even the OpenSSL iterations can be customised.

Feel free to take any parts you like.

Best regards

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
Released the last version:

- added PGP encryption support: native in TrueNAS and available as a free GUI, unlike RAR
- enabled pruning of old backups in this final release (previously only the logging preview mode was enabled)

Enjoy and best regards