Quick shell script to decrypt client-side encrypted file using QNAP HBS *Sync* jobs. Only work with version 2 files - Doesn't work with QNAP HBS Backup jobs!

qnap-clientenc-decrypt.sh

#!/bin/sh

set -ue

[ "$#" -lt 2 ] && { echo "Syntax: $0 <filename> <key>"; exit 1; } 

filename="$1"
key="$2"

# Compose the key by repeating the user input until we have 32 characters (64 hex digits) 
openssl_key=""
while [ "$(printf '%s' "${openssl_key}" | wc -m)" -lt 64 ]; do
  openssl_key=${openssl_key}$(printf '%s' "${key}" | od -An -tx1 | tr -d '\ \n')
done
openssl_key=$(printf '%s' "${openssl_key}" | cut -c1-64)

# Determine if the cleartext has been compressed
compressed="$(dd if="${filename}" bs=1 skip=9 count=1 2>/dev/null | od -An -tx1 | tr -d '\ \n')"
[ "${compressed}" -ne 0 ] && echo "Compressed, use bzip2 to decompress" >&2

# Decipher the header
header="$(dd if="${filename}" bs=1 skip=16 count=64 2>/dev/null | \
  openssl aes-256-ecb -d -K "${openssl_key}" -nopad | od -An -tx1 | tr -d '\ \n')"

# Extract key and iv from the header
ckey="$(printf '%s' "${header}" | cut -c17-80)"
salt="$(printf '%s' "${header}" | cut -c81-112)"

# Decipher the file
dd if="${filename}" bs=1 skip=80  2>/dev/null | openssl aes-256-cbc -d -K "${ckey}" -iv "${salt}"

I did some testing.
I think that the encryption key used by QNAP HSB Backup is derived from the user password with a different algorithm.
From Sync jobs, the password used to decrypt the header is a 64 bytes long concatenation of the user password.

Maybe the backup job concatenates something to the user password... but honestly is hard to tell!

@dguerry thank you, I was 2 weeks AFK. Will try soon and let you know. Thank you a lot for the investigations.