Decrypt (or Encrypt) NAS4Free Config

I’ve written about NAS4Free before – it’s a super NAS solution that packs a tonne of great features and offer good performance even on older hardware, ideal for a home file/media server. During a recent ugprade (9.3 to 10.2) I found myself wanting to decrypt the encrypted backup that you (should) normally take prior to any upgrade attempt. There doesn’t seem to be much documentation on this elsewhere, so I’ve recorded a procedure here in case anyone else wants to do this.

I’m doing this under Windows 7 Enterprise 64-bit, but there are straight forward equivalents for most (all?) of this on other platforms.

The key element to all of this is that NAS4Free uses a plain and sane way to create the encrypted configuration file: the configuration is first encrypted with the admin password (and “salt”) using the AES-256-CBC cipher, the result is then base64 encoded, and finally compressed with GZIP.

Decrypt NAS4Free Config

You can download an unencrypted config from NAS4Free, but it’s generally not a good idea to store these as they contain the passwords for your admin and user accounts in plain text. Also, if you are recovering from a broken NAS4Free installation then you may not be able to download a config at all, in which case being able to see the settings from a previous installation may help you figure out what broke it.

  1. You should start out with an encrypted backup file from NAS4Free (System | Backup/Restore), the default filename will be something like C:\Temp\config-nas4free.local-20160213090000.gz.
  2. Begin by decompressing this file. I use 7-zip, so I can just right-click the file and choose Extract here.N4F-Decrypt-Config-GzOff
  3. Now you can decrypt this file using OpenSSL. A Windows binary is available from Shining Light Productions. I installed the 64-bit Windows OpenSSL binaries to the default location (C:\OpenSSL-Win64) so hold shift and right-click that folder and choose Open command window here.N4F-Decrypt-Config-RunOpenSSL
  4. OpenSSL can remove the base64 encoding and decrypt using the command
    openssl enc -aes-256-cbc -d -a -in C:\Temp\config-nas4free.local-20160213090000 -out C:\Temp\config-nas4free.local-20160213090000.xml. Unless you’ve done some previous work with OpenSSL then you’ll get a warning that can safely be ignored, and a prompt for the decryption password. With NAS4Free 9.3 and earlier this will be your admin account password, for later versions it is the encryption password you entered when you downloaded the configuration.
  5. This will drop your NAS4Free config into an XML file ready for you to browse. Note that NAS4Free does not allow you upload an unencrypted configuration.

Encrypt NAS4Free Config

Used in conjunction with the decryption routine above, this would enable you to download an encrypted configuration file (or take a previous one), make modifications to it, and upload / restore the result. This is not for the faint-hearted or inexperienced user as it could seriously break your NAS4Free setup and potentially damage the data you have store in it – you should be confident that you know what you’re doing before heading down this route.

  1. Start with your unencrypted XML configuration, I’ll assume that’s in C:\Temp\config-nas4free.local-20160213090000-new.xml
  2. Use OpenSSL to encrypt and base64 encode this, same as step 4 above, but with a slightly different command: openssl enc -aes-256-cbc -a -in C:\Temp\config-nas4free.local-20160213090000-new.xml -out C:\Temp\config-nas4free.local-20160213090000-new
  3. Right-click the output file and use 7-Zip to create a new archive.N4F-Encrypt-Config-Gzip
  4. Set the archive type to GZIP and click OK.N4F-Encrypt-Config-Gzip2
  5. Your compressed, encrypted config will now be ready to upload.

Upgrading NAS4Free Embedded

I chose NAS4Free as my home storage solution. As the name suggests, it’s free, but it’s also packed with file storage goodness such as UPNP/DLNA and DAAP support. This put it a touch ahead of similar packages that stop once they’ve got CIFS support and a dabble of all-but-useless things like FTP.

For my own configuration, a 6-year old desktop PC seems to run everything fast enough, even with ZFS on the storage. It’s only got a Core2 Duo 2.13GHz CPU and 4GB DDR2 standard issue RAM, and the drive is a Seagate 2TB SATA drive. Only one drive inside the system – experience to date indicates that user error and malware are more likely to deal a data-blow than disk failure. As a result I prefer to take backups to an external disk (I can also keep a copy off-site to protect against fire and theft).

I opted to deploy using the embedded NAS4Free version on a bootable USB. After a bit of hassle turning off the Intel MBEx BIOS features which prevented a USB boot, it all worked a treat. For the initial setup I followed the official installation guide – download and burn the LiveCD image, boot off it and install to a USB key (I did this on the NAS itself, but you could just as easily do this from your normal machine as it doesn’t touch any of your other drives). Insert the USB key into my NAS box (with a keyboard and monitor temporarily attached), boot up and go through the first time configuration, job done.

When it came to my first upgrade I hit the issue that the firmware upgrade (System|Firmware) wouldn’t work. I had two options, both wrapped by saving and restoring my NAS4Free configuration: (1) write an updated LiveCD and use this to install a NAS4Free bootable USB with the updated embedded NAS4Free image on it; (2) write the updated embedded image file directly to USB (following some good instructions) and save loads of waiting around.

Obviously I went for option (2) as it was quicker – and it worked really smoothly. There was an error message in System|Firmware about the boot partition being too small, but it was clear that this wouldn’t affect operations. Alas, it does affect upgrades and when the next one came along neither the web GUI firmware nor the LiveCD would upgrade my USB key. So I had to sort it out properly:

  1. Download the latest Live CD image (remember to pick the right architecture) and burn to CD;
  2. Boot the LiveCD, insert a new USB key, select option 3 to install the embedded version (the options changed between versions – check carefully) – you can do this step on any PC as it doesn’t touch the internal drives;
  3. Take an encrypted backup of your NAS4Free configuration (System|Backup/Restore);
  4. Shutdown NAS4Free, remove your old USB boot key, insert the new one, and boot;
  5. When you hear the start-up beeps, you are ready to login to the NAS4Free web GUI. However, it’ll be on the default IP address of so unless you happen to be using this subnet too (and that’s a fairly common situation so you may be lucky) you’ll either need to plugin a keyboard and monitor to configure this, or use something like WinIPConfig to temporarily add another address in that subnet (e.g.;
  6. Once you’ve got access to the Web GUI, login with the default credentials (admin:nas4free) and set the admin password to the one you used before in System|General|Password;
  7. Restore your saved configuration (System|Backup/Restore) – this will automatically reboot and you’ll be up and running (NB: the restore will fail if you haven’t set the admin password correctly).

Easy! This method took about 15 minutes in all, but meant that my USB embedded image was now correctly sized for future in-place upgrades.