Configuration Redaction

Overview

Operational exports often contain passwords, tokens, private keys, certificates, shared secrets, and account identifiers. Redact them before committing, sharing, or attaching them to support requests.

pfSense Configuration

Script: scripts/redact_pfsense_config.py

python3 scripts/redact_pfsense_config.py config.xml

The script preserves interfaces, VLANs, addressing, gateways, aliases, firewall/NAT rules, DHCP, DNS topology, and service structure while removing secret-bearing fields. The canonical shareable export is config.redacted.xml at the repository root.
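As an added illustration of the approach the pfSense script takes (this is example code written for this page, not scripts/redact_pfsense_config.py itself): walk the XML tree, blank the text of elements whose names mark them as secret-bearing, and leave every other element untouched so the topology survives. The element names in the pattern and the sample config are assumptions modelled on the usual config.xml layout; the sample is constructed and the values in it are fake.

```python
import re
import xml.etree.ElementTree as ET

# Element names treated as secret-bearing. The names follow the usual
# pfSense config.xml layout but are assumptions for this example, not the
# repository's own rule set; extend the pattern when a field is missed.
SECRET_TAG = re.compile(
    r"pass(word|wd)?|secret|shared.?key|pre.?shared|private.?key|bcrypt|hash|psk|token|prv",
    re.IGNORECASE,
)

# Constructed sample: a cut-down config.xml with a user hash, an IPsec
# pre-shared key and an OpenVPN static key alongside ordinary topology data.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw1</hostname>
    <user>
      <name>admin</name>
      <bcrypt-hash>$2y$10$constructedhashvalue</bcrypt-hash>
    </user>
  </system>
  <interfaces>
    <lan>
      <ipaddr>192.0.2.1</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
  <ipsec>
    <phase1>
      <remote-gateway>198.51.100.7</remote-gateway>
      <pre-shared-key>hunter2</pre-shared-key>
    </phase1>
  </ipsec>
  <openvpn>
    <openvpn-server>
      <local_port>1194</local_port>
      <shared_key>c2VjcmV0LXN0YXRpYy1rZXk=</shared_key>
    </openvpn-server>
  </openvpn>
</pfsense>
"""


def redact_pfsense_xml(xml_text, placeholder="REDACTED"):
    """Return (redacted_xml, number_of_fields_redacted).

    Only the text of secret-bearing elements is replaced; the element itself
    stays in place, so the shape of the configuration is unchanged.
    """
    root = ET.fromstring(xml_text)
    redacted = 0
    for element in root.iter():
        if SECRET_TAG.search(element.tag) and element.text and element.text.strip():
            element.text = placeholder
            redacted += 1
    return ET.tostring(root, encoding="unicode"), redacted


def element_tags(xml_text):
    """Ordered list of element names; identical before and after a correct redaction."""
    return [element.tag for element in ET.fromstring(xml_text).iter()]


if __name__ == "__main__":
    output, count = redact_pfsense_xml(SAMPLE_CONFIG)
    print(f"redacted {count} fields")
    print(output)
```

Matching on element names rather than on values is what keeps addresses, ports and gateway entries intact; the trade-off is that a secret stored under an unexpected name is missed, which is why the procedure below asks for a manual review and a pattern search after every run.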

Docker Configuration

Script: scripts/redact_docker_configs.py

python3 scripts/redact_docker_configs.py /root/gitea --output-root redacted/docker

The script preserves service names, networks, mounts, ports, Compose structure, and non-secret settings while redacting secret-looking environment and label values.
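An added example of the "secret-looking" heuristic for Compose files (example code for this page, not scripts/redact_docker_configs.py): it works line by line so that indentation, list markers, quoting and key names are preserved, and it redacts a value either because the key name suggests a secret or because the value itself looks like a long token. The key and value patterns, the placeholder and the sample Compose fragment are assumptions constructed for the example.

```python
import re

# Key names that suggest a secret. Deliberately over-inclusive; a false
# positive costs a manual review, a false negative leaks a credential.
SECRET_KEY = re.compile(
    r"pass(word|wd)?|secret|token|api.?key|private.?key|client.?secret|auth|credential",
    re.IGNORECASE,
)
# A long run of base64/hex-like characters is treated as secret-looking
# regardless of the key name (assumed threshold of 32 characters).
SECRET_VALUE = re.compile(r"^[A-Za-z0-9+/=_\-]{32,}$")
# Matches both "- KEY=value" list entries and "key: value" mappings.
KV_LINE = re.compile(
    r"^(?P<prefix>\s*-?\s*)(?P<key>[\w.\-]+)(?P<sep>\s*[=:]\s*)(?P<value>.+?)(?P<trail>\s*)$"
)

# Constructed sample compose fragment; every value in it is fake.
SAMPLE_COMPOSE = """\
services:
  gitea:
    image: gitea/gitea:1.21
    environment:
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=hunter2
      - GITEA__security__SECRET_KEY=5f2b9c1d7e3a4b8c9d0e1f2a3b4c5d6e7f8a9b0c
      - OPAQUE_BLOB=aGVsbG8gd29ybGQgdGhpcyBpcyBsb25nIGVub3VnaA==
    ports:
      - "3000:3000"
    volumes:
      - ./data:/data
    labels:
      traefik.http.routers.gitea.rule: "Host(`git.example.test`)"
      traefik.http.middlewares.auth.basicauth.users: "admin:$apr1$constructed$hash"
"""


def redact_compose_text(text, placeholder="REDACTED"):
    """Return (redacted_text, number_of_values_redacted).

    Structure is preserved because only the value part of a matched line is
    rewritten; surrounding quotes are kept so the YAML stays valid.
    """
    out = []
    redacted = 0
    for line in text.splitlines():
        match = KV_LINE.match(line)
        if match:
            raw = match.group("value")
            quoted = len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]
            quote = raw[0] if quoted else ""
            value = raw[1:-1] if quoted else raw
            if SECRET_KEY.search(match.group("key")) or SECRET_VALUE.match(value):
                line = (
                    f"{match.group('prefix')}{match.group('key')}{match.group('sep')}"
                    f"{quote}{placeholder}{quote}{match.group('trail')}"
                )
                redacted += 1
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), redacted


if __name__ == "__main__":
    output, count = redact_compose_text(SAMPLE_COMPOSE)
    print(f"redacted {count} values")
    print(output)
```

The value heuristic is what catches the OPAQUE_BLOB entry, whose key says nothing about its contents; the key heuristic is what catches the basic-auth label, whose hashed value is short enough to slip past a length check. Ports, mounts and the image tag are left exactly as written.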

Operational Procedures

  1. Keep the raw export outside the repository.
  2. Run the appropriate redaction script.
  3. Review the output manually for embedded credentials and personal information.
  4. Search for common secret terms before commit.
  5. Add a redaction rule when a secret-bearing field is missed; do not rely on repeated manual edits.

rg -n -i 'password|passwd|secret|token|private.?key|api.?key|client.?secret' \
  config.redacted.xml redacted/

Troubleshooting

  • Malformed output: check that the source file is well-formed and read the script's error message.
  • Secret survives: extend the redaction rules and regenerate.
  • Operational detail disappears: narrow the rule without restoring secret values.

References

  • scripts/redact_pfsense_config.py
  • scripts/redact_docker_configs.py