I still don’t know why you want to. Exporting the dataset encryption keys will result with the same keystrings.
Here is a modified python script, sourced from Robert Milkowski. It basically borrows from the middleware:
decode_key.py
#!/usr/bin/python3
# based on /usr/lib/migrate113/freenasUI/system/migrations/0022_cloud_sync.py
import sys
import base64
from Cryptodome.Cipher import AES
import sqlite3
PWENC_BLOCK_SIZE = 32
PWENC_FILE_SECRET = 'pwenc_secret'
PWENC_PADDING = b'{'
def pwenc_get_secret():
with open(PWENC_FILE_SECRET, 'rb') as f:
secret = f.read()
return secret
def pwenc_decrypt(encrypted=None):
if not encrypted:
return ""
from Cryptodome.Util import Counter
encrypted = base64.b64decode(encrypted)
nonce = encrypted[:8]
encrypted = encrypted[8:]
cipher = AES.new(
pwenc_get_secret(),
AES.MODE_CTR,
counter=Counter.new(64, prefix=nonce),
)
return cipher.decrypt(encrypted).rstrip(PWENC_PADDING).decode('utf8')
if len(sys.argv) == 2:
print(pwenc_decrypt(sys.argv[1]))
exit(0)
dbcon = sqlite3.connect('freenas-v1.db')
dbcur = dbcon.cursor()
for row in dbcur.execute('select * from storage_encrypteddataset'):
ds_id, ds_name, ds_enc_key, kmip_enc_key = row
#print(ds_id, ds_name, ds_enc_key, pwenc_decrypt(ds_enc_key))
print(f'dataset: {ds_name}\n key: {pwenc_decrypt(ds_enc_key)}\n')
All three files must exist in the same directory for this to work:
- decode_key.py
- freenas-v1.db
- pwenc_secret
I made a couple modifications so that it can be run locally with exported config files, without having to run it on a live TrueNAS system. Just put all three files in the same folder.