Decrypt (or Encrypt) NAS4Free Config

I’ve written about NAS4Free before – it’s a super NAS solution that packs a tonne of great features and offer good performance even on older hardware, ideal for a home file/media server. During a recent ugprade (9.3 to 10.2) I found myself wanting to decrypt the encrypted backup that you (should) normally take prior to any upgrade attempt. There doesn’t seem to be much documentation on this elsewhere, so I’ve recorded a procedure here in case anyone else wants to do this.

I’m doing this under Windows 7 Enterprise 64-bit, but there are straight forward equivalents for most (all?) of this on other platforms.

The key element to all of this is that NAS4Free uses a plain and sane way to create the encrypted configuration file: the configuration is first encrypted with the admin password (and “salt”) using the AES-256-CBC cipher, the result is then base64 encoded, and finally compressed with GZIP.

Decrypt NAS4Free Config

You can download an unencrypted config from NAS4Free, but it’s generally not a good idea to store these as they contain the passwords for your admin and user accounts in plain text. Also, if you are recovering from a broken NAS4Free installation then you may not be able to download a config at all, in which case being able to see the settings from a previous installation may help you figure out what broke it.

  1. You should start out with an encrypted backup file from NAS4Free (System | Backup/Restore), the default filename will be something like C:\Temp\config-nas4free.local-20160213090000.gz.
  2. Begin by decompressing this file. I use 7-zip, so I can just right-click the file and choose Extract here.N4F-Decrypt-Config-GzOff
  3. Now you can decrypt this file using OpenSSL. A Windows binary is available from Shining Light Productions. I installed the 64-bit Windows OpenSSL binaries to the default location (C:\OpenSSL-Win64) so hold shift and right-click that folder and choose Open command window here.N4F-Decrypt-Config-RunOpenSSL
  4. OpenSSL can remove the base64 encoding and decrypt using the command
    openssl enc -aes-256-cbc -d -a -in C:\Temp\config-nas4free.local-20160213090000 -out C:\Temp\config-nas4free.local-20160213090000.xml. Unless you’ve done some previous work with OpenSSL then you’ll get a warning that can safely be ignored, and a prompt for the decryption password. With NAS4Free 9.3 and earlier this will be your admin account password, for later versions it is the encryption password you entered when you downloaded the configuration.
  5. This will drop your NAS4Free config into an XML file ready for you to browse. Note that NAS4Free does not allow you upload an unencrypted configuration.

Encrypt NAS4Free Config

Used in conjunction with the decryption routine above, this would enable you to download an encrypted configuration file (or take a previous one), make modifications to it, and upload / restore the result. This is not for the faint-hearted or inexperienced user as it could seriously break your NAS4Free setup and potentially damage the data you have store in it – you should be confident that you know what you’re doing before heading down this route.

  1. Start with your unencrypted XML configuration, I’ll assume that’s in C:\Temp\config-nas4free.local-20160213090000-new.xml
  2. Use OpenSSL to encrypt and base64 encode this, same as step 4 above, but with a slightly different command: openssl enc -aes-256-cbc -a -in C:\Temp\config-nas4free.local-20160213090000-new.xml -out C:\Temp\config-nas4free.local-20160213090000-new
  3. Right-click the output file and use 7-Zip to create a new archive.N4F-Encrypt-Config-Gzip
  4. Set the archive type to GZIP and click OK.N4F-Encrypt-Config-Gzip2
  5. Your compressed, encrypted config will now be ready to upload.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s