
@ambroff
Created May 16, 2021 05:43
Extract the dataset encryption keys from a TrueNAS settings export file.
#!/usr/bin/env python
import base64
import sys
import sqlite3
from Crypto.Cipher import AES
from Crypto.Util import Counter
def main(argv):
    """Decrypt every stored dataset key and print it to stdout.

    Reads the AES key with read_aes_key(), loads the encrypted per-dataset
    keys with load_encrypted_keys(), and prints each dataset name followed
    by its decrypted key and a blank line.

    The output is plaintext key material: anything that captures stdout
    (terminal scrollback, shell redirection, CI logs) ends up holding the
    dataset keys and needs the same protection as the keys themselves.

    Args:
        argv: Command-line arguments; accepted but not used.

    Returns:
        0, used by the caller as the process exit status.
    """
    secret = read_aes_key()
    encrypted_by_dataset = load_encrypted_keys()

    for name, blob in encrypted_by_dataset.items():
        plaintext = decrypt(blob, secret)
        # Same bytes as three separate print() calls: name, key, blank line.
        print(name, plaintext, '', sep='\n')

    return 0
def read_aes_key():
    """Return the raw bytes of the 'pwenc_secret' file in the working directory.

    The file is read in binary mode and returned unmodified; no length or
    format check is done here, so a truncated or wrong file is only noticed
    by whatever consumes the key.
    """
    with open('pwenc_secret', 'rb') as secret_file:
        key_bytes = secret_file.read()
    return key_bytes
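def load_encrypted_keys():
    """Load the encrypted dataset keys from 'freenas-v1.db'.

    Reads the name and encryption_key columns of the
    storage_encrypteddataset table from the SQLite file in the working
    directory.

    Returns:
        dict mapping dataset name to its stored (still encrypted) key.

    Raises:
        sqlite3.OperationalError: if the database file cannot be opened or
            the table is missing.
    """
    # mode=ro opens the export read-only: a missing or misnamed file raises
    # instead of being silently created as an empty database, and the
    # exported config cannot be modified by this script.
    conn = sqlite3.connect('file:freenas-v1.db?mode=ro', uri=True)
    try:
        rows = conn.execute(
            'SELECT name, encryption_key FROM storage_encrypteddataset'
        )
        return {name: encrypted_key for name, encrypted_key in rows}
    finally:
        # sqlite3's connection context manager only ends the transaction;
        # it does not close the connection, so close it explicitly.
        conn.close()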
def decrypt(encrypted, key):
    """Decrypt one base64-encoded, AES-CTR-encrypted value.

    The decoded blob is treated as an 8-byte nonce followed by the
    ciphertext. The ciphertext is decrypted with AES in CTR mode using a
    64-bit counter prefixed by that nonce, trailing b'{' bytes are stripped
    and the result is decoded as UTF-8.

    CTR mode carries no integrity tag, so a wrong key is not detected here:
    it yields either a UnicodeDecodeError or a plausible-looking garbage
    string. Any genuine trailing '{' characters in the plaintext are removed
    together with the padding.

    Args:
        encrypted: Base64 text (or bytes) of nonce + ciphertext; a falsy
            value short-circuits to ''.
        key: AES key bytes.

    Returns:
        The decrypted text, or '' when there is nothing to decrypt.
    """
    if not encrypted:
        return ''

    blob = base64.b64decode(encrypted)
    nonce, ciphertext = blob[:8], blob[8:]

    counter = Counter.new(64, prefix=nonce)
    cipher = AES.new(key, AES.MODE_CTR, counter=counter)

    # presumably b'{' is the padding byte used by the writer; confirm
    padded = cipher.decrypt(ciphertext)
    return padded.rstrip(b'{').decode('utf8')
# Script entry point: run main() and use its return value as the exit status.
if __name__ == '__main__':
    raise SystemExit(main(sys.argv))