Decrypt and unpack Sophos Firewall backup


This post was translated with the help of a translation tool. Therefore, occasional errors are possible. An error-free version is available in German


In this post we show you how to decrypt and unpack a Sophos Firewall backup so that its contents become readable.

Introduction

Normally it should not be necessary to decrypt the encrypted backup of the Sophos Firewall. There are cases, however, where you need to get at the contents of the backup. In this article I explain why we had to do this and how it works.

Why would you do that?

I recently had a case where I had to access the full backup. The firewall was defective and of course there was no "configuration backup" of the firewall; these backups are only made when someone remembers to.
Under time pressure we had to put a smaller firewall into operation temporarily. It is well known that a backup taken from a firewall with more interfaces than the target hardware has cannot be imported. So we rebuilt a large part of the configuration by hand. What fun 🙄
And as if that were not enough:

  • Some IP addresses and the NAT configuration were not known
  • The certificates with private key could not be found

The only way out here was the backup.

Getting at the backup

Prerequisites

What is needed? For the shell I like to use the Windows Subsystem for Linux (WSL), which gives you almost the full Linux toolset directly under Windows. If you don't know it yet, you should definitely give it a try.

  • A backup (what a surprise 😁)
  • The password with which the backup is encrypted
  • a shell in Windows or Linux with "openssl"
    • Windows binary: here
    • Windows Subsystem for Linux (WSL): any distribution
    • Linux: any distribution
  • A tool for unpacking "tar.gz" files
    • Windows tools, for example: 7-Zip, NanaZip
    • Linux: Command line with “tar”

Decrypt and unpack

openssl command (Linux / Windows)
openssl enc -aes-256-cbc -md md5 -d -in encrypted_backup_file -out decrypted_backup.tar.gz

After entering the command you are asked for the password with which the backup is encrypted. The "-md md5" option matters: with a password and without "-pbkdf2", openssl derives key and IV with EVP_BytesToKey, and since OpenSSL 1.1.0 that step defaults to SHA-256, so the MD5 digest the backup was created with has to be named explicitly or you get "bad decrypt". The decrypted backup is then written to the file given with "-out" (xxx.tar.gz). This is a "tar.gz" archive, which you unpack with the tool of your choice.
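The same procedure as a script, added here as an example and not taken from the original post. It runs the openssl command above non-interactively (password from the environment variable SOPHOS_BACKUP_PASS, an assumption of this example), checks that the output really is a gzip stream before trusting it, and unpacks the archive. The "encrypted backup" used in the demo is constructed on the fly with the same openssl parameters, since no real backup can be shipped here; it is assumed that a real backup is in the same openssl "enc" container format, which is what the command in the post implies.

```bash
#!/bin/sh
# Added example (not from the original post): decrypt and unpack a Sophos
# Firewall backup with the openssl parameters the post uses.
# Assumptions: the backup is an openssl "enc" container (AES-256-CBC, key and
# IV from EVP_BytesToKey with MD5), the password is in $SOPHOS_BACKUP_PASS,
# and the decrypted payload is a tar.gz archive.
set -eu

# decrypt_backup <encrypted file> <output tar.gz>
# Returns 0 only if openssl succeeds AND the result starts with the gzip magic.
decrypt_backup() {
    in="$1"; out="$2"
    # OpenSSL 1.1.0+ defaults to SHA-256 for EVP_BytesToKey, so -md md5 is
    # required to reproduce the derivation the backup was created with.
    openssl enc -aes-256-cbc -md md5 -d -pass env:SOPHOS_BACKUP_PASS \
        -in "$in" -out "$out" 2>/dev/null || return 1
    # A wrong password normally fails with "bad decrypt", but roughly 1 in 256
    # wrong passwords produces valid-looking padding and exit status 0 with
    # garbage output. Checking the gzip header (1f 8b) catches that case.
    magic=$(od -A n -t x1 -N 2 "$out" | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        echo "output is not a gzip stream: wrong password?" >&2
        return 1
    fi
}

# unpack_backup <tar.gz> <directory>
# Extracts the archive and lists the key/certificate material and SQL dumps.
unpack_backup() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
    find "$2" -type f \( -name '*.pem' -o -name '*.key' \
        -o -name '*.crt' -o -name '*.sql' \)
}

# make_sample_backup: builds a constructed stand-in for a real backup (a
# tar.gz with a fake key file and a fake SQL dump, encrypted exactly as the
# post's command expects). Prints the path of the encrypted file.
make_sample_backup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/certs"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed sample, not a real key\n-----END PRIVATE KEY-----\n' \
        > "$tmp/src/certs/webadmin.key"
    printf 'CREATE TABLE tblhost (hostid integer, name text);\n' > "$tmp/src/config.sql"
    tar -czf "$tmp/plain.tar.gz" -C "$tmp/src" .
    openssl enc -aes-256-cbc -md md5 -salt -pass env:SOPHOS_BACKUP_PASS \
        -in "$tmp/plain.tar.gz" -out "$tmp/backup.enc" 2>/dev/null
    echo "$tmp/backup.enc"
}

# Usage on a real backup:
#   SOPHOS_BACKUP_PASS='...' sh decrypt_sophos_backup.sh backup_file outdir
if [ $# -eq 2 ]; then
    decrypt_backup "$1" "$2.tar.gz"
    unpack_backup "$2.tar.gz" "$2"
fi
```

Passing the password via the environment keeps it out of the process list (which "-pass pass:..." would not), and the gzip magic check is the step people usually skip: openssl's exit status alone is not a reliable signal that the password was right.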

In the unpacked folder you will find the certificates including their private keys, and the configuration. The configuration is not easy to read, though, because it is only contained as an SQL file, the database export. With a little SQL knowledge you can still find your way around it and extract the most important information. One caveat follows directly from the command above: the password is the only thing protecting the private keys in the backup, and the key derivation openssl uses here (a single MD5 round, no PBKDF2) is cheap to brute-force offline. Choose a strong backup password, store the encrypted backup as the secret material it is, and delete the decrypted copy once you have what you need.

Have fun trying it out. If you have any questions, please write in the comments.
