Configuration Redaction
Overview
Operational exports often contain passwords, tokens, private keys, certificates, shared secrets, and account identifiers. Redact them before committing, sharing, or attaching them to support requests.
pfSense Configuration
Script: scripts/redact_pfsense_config.py
python3 scripts/redact_pfsense_config.py config.xml
The script preserves interfaces, VLANs, addressing, gateways, aliases, firewall/NAT rules, DHCP, DNS topology, and service structure while removing secret-bearing fields. The canonical shareable export is config.redacted.xml at the repository root.
Docker Configuration
Script: scripts/redact_docker_configs.py
python3 scripts/redact_docker_configs.py /root/gitea --output-root redacted/docker
The script preserves service names, networks, mounts, ports, Compose structure, and non-secret settings while redacting secret-looking environment and label values.
Operational Procedures
- Keep the raw export outside the repository.
- Run the appropriate redaction script.
- Review the output manually for embedded credentials and personal information.
- Search for common secret terms before commit.
- Add a redaction rule when a secret-bearing field is missed; do not rely on repeated manual edits.
rg -n -i 'password|passwd|secret|token|private.?key|api.?key|client.?secret' \
config.redacted.xml redacted/
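The procedure above in miniature, as an added illustration that is not the repository's own redaction scripts: a rule-driven redactor for a pfSense-style XML export that replaces the text of secret-bearing elements while leaving topology intact, followed by the post-redaction secret-term check. The sample fragment is constructed, and the tag list is illustrative rather than the scripts' actual rule set.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pfSense-style fragment; all values are placeholders, not real credentials.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw1</hostname>
    <user><name>admin</name><bcrypt-hash>$2y$10$PLACEHOLDERHASH</bcrypt-hash></user>
  </system>
  <interfaces><wan><ipaddr>198.51.100.2</ipaddr></wan></interfaces>
  <openvpn><openvpn-server><tls>PLACEHOLDER_TLS_KEY</tls><shared_key>PLACEHOLDER</shared_key></openvpn-server></openvpn>
  <cert><crt>PLACEHOLDER_CERT</crt><prv>PLACEHOLDER_PRIVATE_KEY</prv></cert>
</pfsense>"""

# Redaction rules: element names whose text is replaced (illustrative list, an assumption).
# When a secret survives, extend this rule set and regenerate instead of editing output by hand.
SECRET_TAGS = re.compile(
    r"^(.*password.*|.*passwd.*|bcrypt-hash|md5-hash|.*secret.*|shared_key|tls|crt|prv|"
    r".*authkey.*|.*pre-?shared-?key.*|.*token.*|.*api.?key.*)$", re.IGNORECASE)
REDACTED = "REDACTED"

def redact_xml(xml_text):
    """Return (redacted XML string, list of element paths that were redacted)."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            # Only non-empty text is replaced, so structure-only elements keep their shape.
            if SECRET_TAGS.match(child.tag) and (child.text or "").strip():
                child.text = REDACTED
                hits.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return ET.tostring(root, encoding="unicode"), hits

# Same terms as the rg pre-commit search; lines already carrying the marker are fine.
SECRET_TERMS = re.compile(
    r"password|passwd|secret|token|private.?key|api.?key|client.?secret", re.IGNORECASE)

def surviving_secret_lines(text):
    """Lines that still mention a secret term without the REDACTED marker (should be empty)."""
    return [ln for ln in text.splitlines()
            if SECRET_TERMS.search(ln) and REDACTED not in ln]

if __name__ == "__main__":
    redacted, paths = redact_xml(SAMPLE_CONFIG)
    print(redacted)
    print("redacted:", paths, "surviving:", surviving_secret_lines(redacted))
```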
Troubleshooting
- Malformed output: validate the source file and check the script's error output.
- Secret survives: extend the redaction rules and regenerate.
- Operational detail disappears: narrow the rule without restoring secret values.
Related Systems
References
scripts/redact_pfsense_config.py
scripts/redact_docker_configs.py