I have searched the existing issues, open and closed, and I'm convinced that mine is new.
The title contains the plugin to which this issue belongs
Describe the bug
Currently Git backups contain many secrets including (at least in my install) the Git private key for the same plugin, and the Cloudflare secret.
I understand this is a large body of work considering how the current backup and config storage works, so maybe a good stopgap is to add a note to the docs so users are at least aware of the risks.
To Reproduce
Steps to reproduce the behavior:
1. Configure Git Backup
2. Secrets will be included
Expected behavior
Secrets to be removed from config.
What are we trying to avoid? People pushing their configs to a public GitHub repository? Partial backups, especially with arbitrarily removed secrets, are not useful to anyone, or at least not for backup purposes.
Maybe this change would also be relevant for the other backup methods / plugins?
Looking at a plain configuration export, it looks like your choice is either to download a plaintext config including all passwords, or download a fully encrypted config file that can't really be used in version control.
I guess the use-case could be a semi-public repository. Like if you want multiple people (other members in your household or company or whatever) to be able to view the revision / change history on your OPNsense machine (by giving them read access to the repo) but you don't necessarily trust them with full access to all credentials and secrets.
Routers by AVM, for example, have solved this issue by offering a partially-encrypted configuration backup. When exporting your config file, you get the option to enter a password, and then only things like passwords will be encrypted in the config file, everything else in the config will be plain text.
Everyone with access to the Git repo could then read the commits to check which changes have been done, and they'll be able to see when a password was changed, but they won't be able to access the password without having the backup encryption password. That way the backup would still be useable (as you can restore it when you know the password) and could still be used by plaintext tools like git diff (unlike the current encrypted backup format), but still ensure that you can't just grab all the secrets from it.
The only downside is that there would need to be a list of "secret" attributes somewhere that needs to be maintained so that the backup code knows which fields need to be encrypted with a password prior to pushing the config to a Git repo.
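A redaction pass driven by such a maintained list, as an added example that is not part of the original thread or of the OPNsense code base. It swaps the password-based encryption described above for a keyed HMAC fingerprint, so the output is a review copy that shows when a secret changed but cannot be restored; the tag names, sample config, passphrase and salt are all assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed list of secret-bearing element names; a real list has to be
# maintained per plugin, which is the downside noted in the comment above.
SECRET_TAGS = {"password", "privkey", "api_token"}

# Constructed sample, not a real OPNsense config.xml.
SAMPLE = """<opnsense>
  <system><hostname>fw01</hostname>
    <user><name>root</name><password>$2y$10$constructedhash</password></user>
  </system>
  <backup><git><url>git@example.org:fw/config.git</url>
    <privkey>Q09OU1RSVUNURUQta2V5</privkey></git></backup>
  <dyndns><api_token>constructed-token-1</api_token></dyndns>
</opnsense>"""


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase so fingerprints of weak secrets resist guessing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)


def redact(xml_text: str, key: bytes) -> tuple[str, list[str]]:
    """Return (redacted XML, paths of the fields that were redacted)."""
    root = ET.fromstring(xml_text)
    redacted: list[str] = []

    def walk(node: ET.Element, path: str) -> None:
        here = f"{path}/{node.tag}"
        if node.tag in SECRET_TAGS and (node.text or "").strip():
            # Bind the field path into the MAC so the same secret used in
            # two different fields does not produce the same fingerprint.
            msg = here.encode() + b"\0" + node.text.encode()
            mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
            node.text = "REDACTED:" + mac[:16]
            redacted.append(here)
        for child in node:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), redacted
```

The fingerprint is deterministic for a given passphrase and salt, so an unchanged secret produces no diff between commits, while a rotated one changes exactly one line.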
Screenshots
N/A
Relevant log files
N/A
Additional context
N/A
Environment
OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15