SOLVED: Unable to unlock pool after Zpool Rename

@winnielinnie
You are a star, thank you so much for the updated .py script you have posted here: Pool encryption dataset - #6 by winnielinnie.
This was able to extract both encryption keys from the .db file.

I will post the script here for completion purposes and for anyone else (hopefully not myself again) that may run into the same problem in the future.

Note to anyone in the future,
Do not panic (actually you should take this opportunity to save the .json keys now, don't delay). Extract the TrueNAS backup file .db and the pwenc_secret into the same location on your TrueNAS, create an extractkeys.py file, edit it using your preferred text editor (such as nano) and paste the following command.

 #!/usr/bin/python3
 
 # based on /usr/lib/migrate113/freenasUI/system/migrations/0022_cloud_sync.py
 
 import sys
 import base64
 from Cryptodome.Cipher import AES
 import sqlite3
 
 
 PWENC_BLOCK_SIZE = 32
 PWENC_FILE_SECRET = 'pwenc_secret'
 PWENC_PADDING = b'{'
 
 
 def pwenc_get_secret():
     with open(PWENC_FILE_SECRET, 'rb') as f:
         secret = f.read()
     return secret
 
 
 def pwenc_decrypt(encrypted=None):
     if not encrypted:
         return ""
     from Cryptodome.Util import Counter
     # Stored value is base64(8-byte nonce + AES-CTR ciphertext).
     encrypted = base64.b64decode(encrypted)
     nonce = encrypted[:8]
     encrypted = encrypted[8:]
     cipher = AES.new(
         pwenc_get_secret(),
         AES.MODE_CTR,
         counter=Counter.new(64, prefix=nonce),
     )
     # Strip the '{' padding bytes before decoding the plaintext.
     return cipher.decrypt(encrypted).rstrip(PWENC_PADDING).decode('utf8')
 
 
 if len(sys.argv) == 2:
     print(pwenc_decrypt(sys.argv[1]))
     exit(0)
 
 dbcon = sqlite3.connect('freenas-v1.db')
 dbcur = dbcon.cursor()
 for row in dbcur.execute('select * from storage_encrypteddataset'):
     ds_id, ds_name, ds_enc_key, kmip_enc_key = row
     #print(ds_id, ds_name, ds_enc_key, pwenc_decrypt(ds_enc_key))
     print(f'dataset: {ds_name}\n  key: {pwenc_decrypt(ds_enc_key)}\n')

Wipe the sweat from your eyebrows and save the .json files in multiple locations from now on. :slight_smile:

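An added example, not part of the original post or of TrueNAS itself: rather than printing the decrypted keys to the terminal, it writes them to a JSON file that only the owner can read, and it stops if a decrypted value does not look like a key (which is what a mismatched pwenc_secret produces). `export_keys` and the output file name are hypothetical; the 64-hex-digit key check and the `{dataset name: key}` JSON layout are assumptions, and the column order is the one the script above unpacks.

```python
import json
import os
import re
import sqlite3
from pathlib import Path

# Assumption: a stored dataset key is 256 bits written as 64 hex digits.
HEX_KEY = re.compile(r'[0-9a-fA-F]{64}')


def export_keys(db_path, decrypt, out_path):
    """Write {dataset name: key} for every stored key to out_path (mode 0600).

    decrypt is a callable such as pwenc_decrypt from the script above, e.g.
    export_keys('freenas-v1.db', pwenc_decrypt, 'dataset_keys.json').
    Returns the sorted list of dataset names that were written.
    """
    # Open the config database read-only so this run cannot modify it.
    uri = Path(db_path).resolve().as_uri() + '?mode=ro'
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute('select * from storage_encrypteddataset').fetchall()
    finally:
        con.close()

    keys = {}
    for row in rows:
        ds_name, stored = row[1], row[2]  # same column order as the script above
        if not stored:
            continue  # no key stored for this dataset
        key = decrypt(stored)
        if not HEX_KEY.fullmatch(key):
            # Never echo the value itself; it may be a partially valid key.
            raise ValueError(
                f'{ds_name}: decrypted value is not a 64-hex-digit key; '
                'check that pwenc_secret belongs to this database'
            )
        keys[ds_name] = key

    # O_EXCL refuses to overwrite an existing file; 0o600 keeps other users out.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'w') as f:
        json.dump(keys, f, indent=2)
    return sorted(keys)
```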