bdees
just joined
Topic Author
Posts: 14
Joined: Wed Aug 29, 2012 6:53 pm

Reading/Writing Encrypted Scripts

Thu Jan 24, 2013 12:03 am

I am wanting to know if it is possible to encrypt .rsc files and have MikroTik decrypt and run the script? Trying to preserve data integrity on some of the work I have been doing as there are multiple eyes managing the RBs I work with.
 
TheWiFiGuy
Member
Posts: 351
Joined: Thu Nov 24, 2011 7:26 pm
Location: UK

Re: Reading/Writing Encrypted Scripts

Tue Jan 29, 2013 10:37 pm

+1 for this

We have many scripts that we've spent many hundreds of hours developing and need to protect.
 
JorgeAmaral
Trainer
Posts: 199
Joined: Wed Mar 04, 2009 11:53 pm
Location: /ip route add type=blackhole

Re: Reading/Writing Encrypted Scripts

Wed Jan 30, 2013 2:12 am

+1 for this

We have many scripts that we've spent many hundreds of hours developing and need to protect.
+1
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Reading/Writing Encrypted Scripts

Wed Jan 30, 2013 2:58 am

+1

This would also be extremely useful for us. I would also like a way to store the email password the same way the user passwords are stored so others cannot see them.
 
skot
Long time Member
Posts: 584
Joined: Wed Nov 30, 2011 3:05 am

Re: Reading/Writing Encrypted Scripts

Wed Jan 30, 2013 7:51 pm

+1

This is a much needed feature
 
wichets
just joined
Posts: 10
Joined: Sat Jun 16, 2012 6:28 am

Re: Reading/Writing Encrypted Scripts

Sat Apr 20, 2013 3:10 pm

Encrypted scripts? Yes, I need it.
I need this feature and expected to have it on RouterOS.
 
gotsprings
Forum Guru
Posts: 2281
Joined: Mon May 14, 2012 9:30 pm

Re: Reading/Writing Encrypted Scripts

Mon Jun 30, 2014 9:16 pm

A user group without access to telnet prevented someone from exporting the whole config.

Blocking the ability to see / edit / export scripts would be welcome.
 
normis
MikroTik Support
Posts: 26815
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Reading/Writing Encrypted Scripts

Tue Jul 01, 2014 9:19 am

Simply use the API to make a program which configures your router. You can encrypt them in your own software, and use API commands to configure the router as you please.

We have no plan to make encrypted scripts.
 
gotsprings
Forum Guru
Posts: 2281
Joined: Mon May 14, 2012 9:30 pm

Re: Reading/Writing Encrypted Scripts

Tue Jul 01, 2014 6:01 pm

Simply use the API to make a program which configures your router. You can encrypt them in your own software, and use API commands to configure the router as you please.

We have no plan to make encrypted scripts.
Could you explain that a little more?

Like I pointed out... I think the big one...
Some of us spend a lot of time, energy and effort becoming MikroTik proficient. Even getting certified...
To know that
/export compact file=allsomeoneeleseshardwork
can be a little disheartening.
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Reading/Writing Encrypted Scripts

Tue Jul 01, 2014 10:31 pm

Simply use the API to make a program which configures your router. You can encrypt them in your own software, and use API commands to configure the router as you please.

We have no plan to make encrypted scripts.
Could you explain that a little more?
Copy&paste example using my PHP client (simply adjust desired export filename, encryption password, and router credentials at the top):
<?php
use PEAR2\Net\RouterOS;

require_once 'PEAR2_Net_RouterOS-1.0.0b4.phar';

$filename = 'allsomeoneeleseshardwork';
$encryptionPassword = 'encryption password';
$util = new RouterOS\Util($client = new RouterOS\Client('192.168.0.1', 'admin', 'password'));

//Export the configuration
$exportRequest = new RouterOS\Request('/export');
$exportRequest->setArgument('file', $filename);
$client($exportRequest);

//Wait for the file to become readable
sleep(2);

//Get the file's contents
$fileContents = $util->getFileContents($filename . '.rsc');

//Remove the original unencrypted file
$util->changeMenu('/file');
$util->remove($filename . '.rsc');

//Encrypt the previously fetched content using OpenSSL
$encryptedFileContents = openssl_encrypt($fileContents, 'AES256', $encryptionPassword);

//Save the file on the web server, in the PHP file's folder
file_put_contents($filename . '.rsc.encrypted', $encryptedFileContents); 
And to get a decrypted file out of the encrypted one:
<?php

$filename = 'allsomeoneeleseshardwork';
$encryptionPassword = 'encryption password';

file_put_contents($filename . '.rsc', openssl_decrypt(file_get_contents($filename . '.rsc.encrypted'), 'AES256', $encryptionPassword));
If PHP is not your cup of tea, there are always other API clients, but the main takeaway is to have a separate device that will fetch the file, do the encryption, and perhaps keep the encrypted copy, while removing the unencrypted one (OR store the encrypted file on the router... though that's kinda pointless when you have no way to import it back in).

Personally, I believe that if you're in any need of encryption, you should use something like TrueCrypt to create and use an entire encrypted storage (be it in "image file" or an actual encrypted HDD partition/drive), and just place your encrypted files in there. It's more convenient, less error prone than encrypting/decrypting individual files (which is what the above code does), and in a sense, it's more secure too.



BTW, in the above approach, there's a small window (just a little over 2 seconds) in which someone with "read,ftp" access to the router may theoretically create a copy of the file, and THAT copy will be unencrypted. It's unlikely in practice, but if you absolutely don't trust anyone with such permissions on the router, you may want to also adjust the API script to forbid logins from all such usernames (by disabling the users in the "/user" menu) until you've removed the file, and re-enable them afterwards.
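
An added example, not part of boen_robot's post or of the PEAR2_Net_RouterOS project: the snippets above hand the password to `openssl_encrypt` as the raw key, pass no IV, and cannot tell whether the stored file was modified. This version keeps the same off-router encrypt/decrypt step but derives the key with PBKDF2, uses a fresh nonce per file, and uses AES-256-GCM so that a wrong password or an altered file is rejected; the function names, the `RSC1` header and the iteration count are assumptions made for illustration.

```php
<?php
// Added example, not the original poster's code. Function names, the 'RSC1'
// header and the iteration count are illustrative assumptions.
const KDF_ITERATIONS = 200000;
const MAGIC = 'RSC1';

function encryptExport(string $plaintext, string $password): string
{
    $salt  = random_bytes(16);   // per-file salt for key derivation
    $nonce = random_bytes(12);   // 96-bit GCM nonce, never reused with a key
    $key   = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    $tag   = '';
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, MAGIC
    );
    if ($ciphertext === false) {
        throw new RuntimeException('Encryption failed');
    }
    // Layout: magic(4) | salt(16) | nonce(12) | tag(16) | ciphertext
    return MAGIC . $salt . $nonce . $tag . $ciphertext;
}

function decryptExport(string $blob, string $password): string
{
    if (strlen($blob) < 48 || substr($blob, 0, 4) !== MAGIC) {
        throw new RuntimeException('Not an encrypted export');
    }
    $key = hash_pbkdf2('sha256', $password, substr($blob, 4, 16), KDF_ITERATIONS, 32, true);
    $plaintext = openssl_decrypt(
        substr($blob, 48), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($blob, 20, 12), substr($blob, 32, 16), MAGIC
    );
    if ($plaintext === false) {
        // The GCM tag did not verify: wrong password or modified file.
        throw new RuntimeException('Wrong password or file was modified');
    }
    return $plaintext;
}

// Constructed sample standing in for the fetched .rsc contents.
$sample = "/ip address add address=192.0.2.1/24 interface=ether1\n";
$blob = encryptExport($sample, 'encryption password');
var_dump(decryptExport($blob, 'encryption password') === $sample);

$blob[60] = chr(ord($blob[60]) ^ 1);   // simulate one flipped ciphertext bit
try {
    decryptExport($blob, 'encryption password');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The integrity check matters for the original question: a decrypted export that is later imported should be refused if anyone altered the stored file.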
 
rextended
Forum Guru
Posts: 12438
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Reading/Writing Encrypted Scripts

Wed Jul 02, 2014 12:38 am

...Some of us spend a lot of time energy and effort becoming Mikrotik proficient. Even getting certified...
I catch your point.

-1000 for encrypting the scripts,

for two reasons:

1) MikroTik spends a lot of time on new features like .sensitive, encrypted backup or IP cloud, and does not spend 30 minutes to fix ALREADY EXISTING FUNCTIONS, like user-manager profile limitation (see all my bug reports), kernel panic if MPPE is used after the rewriting of "ppp" in 6.8 (which is why on my 4 pppoe-server RB1100AHx2 I'm forced to still use 6.7, because every try with a new RouterOS ends in kernel panic), webfig cannot create scripts that exec some commands because the rights are missing... WinBox from 6.8 is in some cases not usable on the remote side (and replicating this made me discover another way to get a kernel panic)...

And I write only about the bugs I have found and reported to MikroTik with a detailed way to reproduce...

2) Encrypting is the death of sharing information... I see this in various applications...
 
sc0tt
just joined
Posts: 15
Joined: Thu Sep 25, 2014 5:34 am

Re: Reading/Writing Encrypted Scripts

Sat Oct 04, 2014 3:17 pm

+1 with script block, many people steal our work
 
wcsnet
Frequent Visitor
Posts: 65
Joined: Mon Apr 29, 2013 12:43 pm
Location: South Africa

Re: Reading/Writing Encrypted Scripts

Thu Feb 05, 2015 2:26 pm

+1
Really needed
 
normis
MikroTik Support
Posts: 26815
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Reading/Writing Encrypted Scripts

Thu Feb 05, 2015 2:28 pm

To decrypt the script means RouterOS needs the decryption key. And if this key is inside the router, anyone can get it.
 
pospanko
Member Candidate
Posts: 283
Joined: Sun Dec 18, 2005 4:23 pm

Re: Reading/Writing Encrypted Scripts

Sat Oct 03, 2015 6:00 pm

To decrypt the script means RouterOS needs the decryption key. And if this key is inside the router, anyone can get it.
Yes, this may be accurate, but... if I need to enter a password when deploying an encrypted script and RouterOS encrypts it with some special key (serial number, licence key or something), the script won't be usable on another router. Maybe think about this?
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Reading/Writing Encrypted Scripts

Sun Oct 04, 2015 5:42 pm

Why not just prevent the user accessing RouterOS at all?
 
pospanko
Member Candidate
Posts: 283
Joined: Sun Dec 18, 2005 4:23 pm

Re: Reading/Writing Encrypted Scripts

Mon Oct 05, 2015 8:52 am

Because I have clients who are using my system and I don't want to give them all of my "magic". They need access but I don't want to allow them to see everything. The main problem with MT is that user management is very poor. You can't grant a specific thing to a specific user - that's the main problem.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Tue Oct 06, 2015 8:01 pm

Force the users to Web access only and apply a skin for them. It's not so secure, but at least it could help you a bit.
 
otgooneo
Trainer
Posts: 587
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Reading/Writing Encrypted Scripts

Mon Sep 05, 2016 7:14 am

I really need to encrypt the rsc file. I think ROS already has a decryption method, which it uses today when loading an encrypted router backup. Or at least make webfig a security feature, so that the customer can't see hidden configuration pages even if they try to access the link manually.
 
ploquets
Member Candidate
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Re: Reading/Writing Encrypted Scripts

Wed Apr 26, 2017 10:41 pm

If we set a password for a user, it is not exportable from the router.
Is there any way to put a hashed password in a script, rather than plaintext?

We are used to configuring a user account with a password, like a backdoor, but... with this as plaintext, it is not really good.
Thanks
 
int21
just joined
Posts: 23
Joined: Thu Apr 16, 2009 1:31 am
Location: Brazil

Re: Reading/Writing Encrypted Scripts

Thu Oct 07, 2021 11:05 pm

To decrypt the script means RouterOS needs the decryption key. And if this key is inside the router, anyone can get it.
The key can be provided by API, so we can't send a script to execute, only the key.
The script will stay at the same place but encrypted.
