update to only reload services that are enabled and running

Reviewed-on: #2

Updated to new api

.gitignore

@@ -124,4 +124,5 @@ dmypy.json
 *.key
 *.crt
 *secrets.ini
+*secrets.config
 *client.conf

README.md

@@ -1,5 +1,5 @@
 # truenas-kmip-unlocker
-Encrytped secrets are stored within the [secrets.ini](secrets.ini.sample) file.
+Encrytped secrets are stored within the secrets.config file.
 
 **This will work with native zfs encryption but it will only unlock the top encrypted dataset and the children must be encrypted with the same passphrase. This continues to support GELI encrpyted pools.**
 
@@ -26,11 +26,12 @@ suppress_ragged_eofs=True
 #### Encrypt your secrets
 * Encrypt your api key for truenas
 * Encrypt the passphrase for your pool/dataset
+* Select jail storage pool
 * Encrypt your remaining pool/dataset passphrases as needed
 
-Run the following command to encrypt your secrets, it will ask for your pool/dataset passphrase that you want to encrypt and to confirm it before outputting the encrypted passphrase.  Take the encrypted secret and create a new section in the config ini file for the pool/dataset; your encrypted api key goes into the DEFAULT section.  The section name will be the pool/dataset name and the only key in that section is the encrypted_key which will be this value.
+Run the following command to configure your API, jail storage pool, and pool names and passphrases.
 ```shell
-python truenas-kmip-unlock.py --encrypt
+python truenas-kmip-unlock.py --config
 ```
 
 #### Create Task   
@@ -40,7 +41,7 @@ python /root/truenas-kmip-unlocker/truenas-kmip-unlock.py
 ```
 
 #### Debugging
-Nothing is logged to a file for this. Everything is output to the console. To enabled debug mode, pass the **[-v|--verbose]** argument when running the command. If the verbose argument is passed in, all passphrases will be outputted in plain text to the console.  This is to ensure the decryption is working correctly.
+Nothing is logged to a file for this. Everything is output to the console. To enabled debug mode, pass the **[-v|--verbose]** argument when running the command. 
 ```python
 python /root/truenas-kmip-unlocker/truenas-kmip-unlock.py --verbose
 ```

secrets.ini.sample

@@ -1,14 +0,0 @@
-# THIS IS A SAMPLE FILE, PLEASE COPY IT AND EDIT THE COPY
-
-# INI secrets file holds the encrypted secrest for the script
-# the default section holds the encrypted api key and then the other sections are the pool/datasets names and encrypted keys to unlock the pools/datasets
-# the section name is the name of the pool/dataset
-# only one variable should be in each section called encrypted_key
-# example
-#[DEFAULT]
-#encrypted_api_key = encrypted_api_key goes here
-#[media]
-#encrypted_key = some encrypted key goes here
-#
-[DEFAULT]
-encrypted_api_key = 

truenas_kmip_unlock.py

@@ -6,48 +6,95 @@ import logging
 import sys
 import secrets
 import base64
-import optparse
+import argparse
 import configparser
-import requests
+import getpass
+from truenas_api_client import Client
 import platform
 import subprocess
-import simplejson as json
-import urllib3
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+import time
+try:
+    import simplejson as json
+except ImportError:
+    import json
+import hmac as pyhmac
+import datetime
 
-from getpass import getpass
 from kmip.core import enums
 from kmip.demos import utils
 from kmip.pie import client
 
 
-def request(resource, api_key, method='GET', data=None):
-    if data is None:
-       data = ''
-    else:
-        data = json.dumps(data)
-    url = 'https://127.0.0.1/api/v2.0/{}'.format(resource)
-    logger.debug('Request URL: {}'.format(url))
-    logger.debug('Request Data: {}'.format(data))
-    r = requests.request(
-        method,
-        url,
-        data=data,
-        headers={'Content-Type': 'application/json', 'Authorization': 'Bearer {}'.format(api_key)},
-        verify=False
+def build_logger(level):
+    logger = logging.getLogger()
+    logger.setLevel(level)
+    formatter = logging.Formatter(
+        '%(asctime)s - %(levelname)s - %(message)s'
     )
-    logger.debug('Request Status Code: {}'.format(r.status_code))
-    if r.ok:
-        try:
-            logger.debug('Request Returned JSON: {}'.format(r.json()))
-            return {'ok': r.ok, 'status_code': r.status_code, 'response': r.json()}
-        except:
-            logger.debug('Request Returned Text: {}'.format(r.text))
-            return {'ok': r.ok, 'status_code': r.status_code, 'response': r.text}
-    raise ValueError(r)
+    # log to file
+    #fileHandler = logging.FileHandler(log_file)
+    #fileHandler.setFormatter(formatter)
+    #logger.addHandler(fileHandler)
+    # log to console
+    consoleHandler = logging.StreamHandler()
+    consoleHandler.setFormatter(formatter)
+    logger.addHandler(consoleHandler)
 
+    return logger
 
-def create_key(client):
+def write_config_file(array, config_file):
+    logger.debug("Starting to write config file and encrypt contents")
+    logger.debug("Using config file: {}".format(config_file))
+    logger.debug("Converting config from array to json")
+    array_json = json.dumps(array)
+    logger.debug("Encrypting config json")
+    encrypted_array_json = encrypt(array_json)
+    logger.debug("Attempting to write encrypted config to file")
+    try:
+        f = open(config_file, "w")
+        #f.write(array_json)
+        f.write(encrypted_array_json)
+        f.close()
+        logger.debug("Successfully wrote encrypted config to file")
+    except Exception as e:
+        logger.error("Unable to write encrypted config to file. Error: {}".format(e))
+        sys.exit(-1)
+    logger.debug("Finshed writing config file and encrypting contents")
+
+def read_config_file(config_file):
+    logger.debug("Starting to read config file and decrypt contents")
+    logger.debug("Using config file: {}".format(config_file))
+    logger.debug("Attempting to read encrypted config from file")
+    try:
+        with open(config_file) as f:
+            config = f.read()
+        logger.debug("Successfully read encrypted config from file")
+    except Exception as e:
+        logger.error("Unable to read encrypted config from file. Error: {}".format(e))
+        sys.exit(-1)
+    logger.debug("Decrypting config contents")
+    decrypted_array_json = decrypt(config)
+    logger.debug("Convert config from json to array")
+    #array = json.loads(config)
+    array = json.loads(decrypted_array_json)
+    logger.debug("Finished reading config file and decrypting contents")
+    return array
+
+def ask_for_confirmation(question):
+    logger.debug("Asking user for confirmation")
+    logger.debug("Question: {}".format(question))
+    print(question)
+    while True:
+        confirmation = input("y/n> ")
+        logger.debug("User answered: {}".format(confirmation))
+        if confirmation.casefold() == "y":
+            return True
+        elif confirmation.casefold() == "n":
+            return False
+        else:
+           print("This value must be one of the following characters: y, n.")
+
+def create_encryption_key():
     # Create an encryption key.
     try:
         key_id = client.create(
@@ -59,9 +106,9 @@ def create_key(client):
             ]
         )
         logger.debug("Successfully created a new encryption key.")
-        logger.debug("Secret ID: {}".format(key_id))
+        logger.debug("Encryption Key ID: {}".format(key_id))
     except Exception as e:
-        logger.error(e)
+        logger.error("Unable to create encryption key. Error: {}".format(e))
         sys.exit(-1)
 
     # Activate the encryption key so that it can be used.
@@ -70,13 +117,39 @@ def create_key(client):
         logger.debug("Successfully activated the encryption key.")
         return key_id
     except Exception as e:
-        logger.error(e)
+        logger.error("Unable to activate encryption key. Error: {}".format(e))
+        sys.exit(-1)
+        
+def create_hmac_key():
+    # Create an encryption key.
+    try:
+        key_id = client.create(
+            enums.CryptographicAlgorithm.AES,
+            256,
+            cryptographic_usage_mask=[
+                enums.CryptographicUsageMask.MAC_GENERATE,
+                enums.CryptographicUsageMask.MAC_VERIFY
+            ]
+        )
+        logger.debug("Successfully created a new HMAC key.")
+        logger.debug("HMAC Key ID: {}".format(key_id))
+    except Exception as e:
+        logger.error("Unable to create hmac key. Error: {}".format(e))
         sys.exit(-1)
 
-def encrypt(client, data):
+    # Activate the HMAC key so that it can be used.
+    try:
+        client.activate(key_id)
+        logger.debug("Successfully activated the HMAC key.")
+        return key_id
+    except Exception as e:
+        logger.error("Unable to activate hmac key. Error: {}".format(e))
+        sys.exit(-1)
+
+def encrypt(data):
     try:
         data = data.encode('UTF-8')
-        key_id = create_key(client)
+        key_id = create_encryption_key()
         iv = secrets.token_bytes(16)
         cipher_text, autogenerated_iv = client.encrypt(
             data,
@@ -91,34 +164,54 @@ def encrypt(client, data):
                 iv
             )
         )
-        logger.debug("Successfully encrypted the data: {}".format(data))
-        cipher_text_base64_bytes = base64.b64encode(cipher_text)
-        cipher_text_base64 = cipher_text_base64_bytes.decode('ascii')
-        logger.debug("Cipher text (raw): {}".format(cipher_text))
-        logger.debug("Cipher txt (encoded): {}".format(cipher_text_base64))
-        logger.debug("IV (raw): {}".format(iv))
-        iv_base64_bytes = base64.b64encode(iv)
-        iv_base64 = iv_base64_bytes.decode('ascii')
-        logger.debug("IV (encoded): {}".format(iv_base64))
-        padded_key_id = str(key_id).zfill(9) 
-        logger.debug("Padding Key ID {} with zeros: {}".format(key_id,padded_key_id))
-        cipher_data = base64.b64encode(padded_key_id.encode('UTF-8') + iv + cipher_text).decode()
-        logger.debug("padded_key_id + iv + cipher_text (encoded): {}".format(cipher_data))
-        return cipher_data
+        hmac_key_id, hmac = client.mac(
+            key_id.encode() + iv + cipher_text,
+            uid = create_hmac_key(),
+            algorithm = enums.CryptographicAlgorithm.HMAC_SHA512
+        )
+        logger.debug("Successfully encrypted the data.")
+        array = dict()
+        array['version'] = 1
+        array['cipher_key_id'] = key_id
+        array['cipher_text'] = base64.b64encode(cipher_text).decode()
+        array['iv'] = base64.b64encode(iv).decode()
+        array['hmac_key_id'] = hmac_key_id
+        array['hmac'] = base64.b64encode(hmac).decode()
+        logger.debug("Dict of info: {}".format(array))
+        array_json = json.dumps(array)
+        array_json_b64 = base64.b64encode(array_json.encode('utf-8')).decode()
+        return array_json_b64
     except Exception as e:
-        logger.error(e)
+        logger.error("Unable to encrypt data. Error: {}".format(e))
+        sys.exit(-1)
 
-def decrypt(client, data):
+def decrypt(data):
+    array_json = base64.b64decode(data)
+    array = json.loads(array_json)
+    if array['version'] == 1:
+        return decrypt_v1(array)
+    else:
+        logger.error("Unable to detemine encryption version.")
+        return False
+            
+def decrypt_v1(array):
     try:
-        cipher_data = base64.b64decode(data)
-        padded_key_id = cipher_data[:9].decode('UTF-8')
-        iv = cipher_data[9:25]
-        cipher_text = cipher_data[25:]
-        logger.debug("Removing padding from Key ID: {}".format(padded_key_id))
-        key_id = padded_key_id.lstrip('0')
-        logger.debug("Decrypting with Key ID: {}".format(key_id))
-        logger.debug("Decrypting with IV (raw): {}".format(iv))
-        logger.debug("Decrypting cipher text (raw): {}".format(cipher_text))
+        logger.debug("Dict of info: {}".format(array))
+        key_id = array['cipher_key_id']
+        iv = base64.b64decode(array['iv'])
+        cipher_text = base64.b64decode(array['cipher_text'])
+        hmac_key_id = array['hmac_key_id']
+        hmac = base64.b64decode(array['hmac'])
+        hmac_key_id_test, hmac_test = client.mac(
+            key_id.encode() + iv + cipher_text,
+            uid = hmac_key_id,
+            algorithm = enums.CryptographicAlgorithm.HMAC_SHA512
+        )
+        if pyhmac.compare_digest(hmac, hmac_test):
+            logger.debug("HMAC matches.")
+        else:
+            logger.error("HMAC does not match, data is corrupted/tampered.")
+            sys.exit(-1) 
         plain_text = client.decrypt(
             cipher_text,
             uid=key_id,
@@ -134,118 +227,244 @@ def decrypt(client, data):
         )
         logger.debug("Successfully decrypted the data.")
         plain_text = plain_text.decode('utf-8')
-        logger.debug("Plain text: '{}'".format(plain_text))
         return plain_text
     except Exception as e:
-        logger.error(e)
+        logger.error("Unable to decrypt data. Error: {}".format(e))
+        sys.exit(-1)
 
+def new_pool_details():
+    print("Requesting pool details to add to config.")
+    pool_name = input("Please enter pool name: ")
+    while True:
+        pool_passphrase = getpass.getpass("Please enter pool encryption passphrase: ")
+        pool_passphrase_confirm = getpass.getpass("Please confirm pool encryption passphrase: ")
+        if pyhmac.compare_digest(pool_passphrase, pool_passphrase_confirm):
+            break
+        else:
+            print("The pool encryption passphrases do not match, please try again.")
+    
+    array = dict()
+    array[pool_name] = dict()
+    array[pool_name]["pool_passphrase"] = pool_passphrase
+    return array
 
+def edit_pool_details(pools, pool_to_edit):
+    if ask_for_confirmation("Would you like to edit the pool name?\nCurrent Value: {}".format(pool_to_edit)):
+        pool_name = input("Please enter pool name: ")
+    else:
+        pool_name = pool_to_edit
+
+    if ask_for_confirmation("Would you like to edit the pool encryption passphraset?"):
+        while True:
+            pool_passphrase = getpass.getpass("Please enter pool encryption passphrase: ")
+            pool_passphrase_confirm = getpass.getpass("Please confirm pool encryption passphrase: ")
+            if pyhmac.compare_digest(pool_passphrase, pool_passphrase_confirm):
+                break
+            else:
+                print("The pool encryption passphrases do not match, please try again.")
+    else:
+        pool_passphrase = pools[pool_to_edit]['pool_passphrase']
+
+    array = dict()
+    array[pool_name] = dict()
+    array[pool_name]["pool_passphrase"] = pool_passphrase
+    return array
+
+def select_pool(pools, wording = "edit"):
+    print("Which pool would you like to {}:".format(wording))
+    print(" ")
+    pool_names = list(pools)
+    for i in range(0, len(pools)):
+        pretty_number = i + 1
+        print("{}) {}".format(pretty_number, pool_names[i]))
+    print(" ")
+    while True:
+        pool_to_modify = int(input("Please enter number relating to the pool you wish to {}: ".format(wording))) - 1
+        try:
+            return pool_names[pool_to_modify]
+        except IndexError as error:
+            print("you entered a number out of range, please try again")
 
 if __name__ == '__main__':
-    # get directory of script
-    cwd = os.path.dirname(os.path.realpath(__file__))
-
     # Build and parse arguments
-    parser = utils.build_cli_parser(enums.Operation.DECRYPT)
-    parser.add_option(
-        "-e",
-        "--encrypt",
+    parser = argparse.ArgumentParser(
+        usage="{} [options]".format(os.path.basename(__file__)),
+        description="Run Truenas pool unlock operation.  This will unlock encrypted pools on truenas.")
+    parser.add_argument(
+        "-c",
+        "--config",
         action="store_true",
-        dest="encrypt",
-        help="Encrypt a passphrase/password."
+        dest="config",
+        help="Edit pools configuration."
     )
-    parser.add_option(
-        "-d",
-        "--decrypt",
-        action="store_true",
-        dest="decrypt",
-        help="Decrypt a passphrase/password."
-    )
-    parser.add_option (
+    #parser.add_argument(
+    #    "-r",
+    #    "--restartAppsVMs",
+    #    action="store_true",
+    #    dest="restartAppsVMs",
+    #    help="Restarts apps and VMs if running"
+    #)
+    parser.add_argument (
         "-v",
         "--verbose",
         action="store_true",
         dest="debug",
         help="Output debug/verbose info to the console for troubleshooting."
     )
-    opts, args = parser.parse_args(sys.argv[1:])
-    if opts.debug:
-        logger = utils.build_console_logger(logging.DEBUG)
-    else:
-        logger = utils.build_console_logger(logging.INFO)
-    config = opts.config
-    passphrase = opts.message
 
-    client = client.ProxyKmipClient(config=config, config_file=cwd + '/pykmip/client.conf')
-    client.open()
-    if opts.encrypt:
-        if not passphrase:
-            while True:
-                passphrase = getpass("Please enter your pool/dataset unlock passphrase to encrypt: ")
-                passphrase2 = getpass("Please enter the passphrase again: ")
-                if passphrase == passphrase2:
-                    break
-                else:
-                    print("The passphrases do not match, please try again.")
-        encrypted_passphrase = encrypt(client, passphrase)
-        print("Your encrypted passphrase: {}".format(encrypted_passphrase))
-        sys.exit(0)
-    elif opts.decrypt:
-        if not passphrase:
-            passphrase = input("Please enter the encryted passphrase to decrypt: ")
-        decrypted_passphrase = decrypt(client, passphrase)
-        print("Your decrypted passphrase: {}".format(decrypted_passphrase))
-        sys.exit(0)
+    opts = parser.parse_args()
+
+    script_directory = os.path.dirname(os.path.realpath(__file__))
+    script_name = os.path.basename(__file__)
+    secrets_config_file = os.path.join(script_directory, "secrets.config")
+    pykmip_client_config_file = os.path.join(script_directory, "conf", "client.conf")
+    log_file = os.path.join(script_directory, "log.log")
+    datetime_string = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
+
+    if opts.debug:
+        logger = build_logger(logging.DEBUG)
     else:
-        # run the decryption of the keys and unlock the pool
-        parser = configparser.ConfigParser()
-        parser.read(cwd + '/secrets.ini')
-        encrypted_api_key = parser.get('DEFAULT', 'encrypted_api_key')
-        api_key = decrypt(client, encrypted_api_key)
-        logger.debug("API Key: {}".format(api_key))
-        POOLS = request('pool', api_key)['response']
-        DATASETS = request('pool/dataset', api_key)['response']
-        for pool_dataset_name in parser.sections():
-            if pool_dataset_name != 'DEFAULT':
-                name = pool_dataset_name
-                encrypted_key = parser.get(name, 'encrypted_key')
-                logger.debug("Attempting to decrypt {} pool with encrypted key: {}".format(name,encrypted_key))
-                decrypted_key = decrypt(client, encrypted_key)
-                for pool in POOLS:
-                    if pool['name'] == name:
-                        # GELI encrypted pool
-                        if pool['encrypt'] == 2:
-                            if pool['is_decrypted'] == False:
-                                logger.info('Pool {} is locked'.format(pool['name']))
-                                response = request('pool/id/{}/unlock'.format(pool['id']), api_key, 'POST', {'passphrase': '{}'.format(decrypted_key), 'services_restart': ['cifs', 'nfs']})
-                                if response['ok']:
-                                    logger.info('Pool {} was unlocked successfully'.format(pool['name']))
-                                else:
-                                    logger.error('Pool {} was NOT unlocked successfully'.format(pool['name']))
-                            else:
-                                logger.info('Pool {} is already unlocked'.format(pool['name']))
-                        # start detection of locked zfs dataset
-                        elif pool['encrypt'] == 0:
-                            # loop through the datasets to find the one we are looking for
-                            for dataset in DATASETS:
-                                if dataset['name'] == name:
-                                    if dataset['locked'] == True:
-                                        logger.info('Dataset {} is locked'.format(dataset['name']))
-                                        response = request('pool/dataset/unlock',api_key, 'POST', {'id': '{}'.format(dataset['id']), 'unlock_options': {'recursive': True, 'datasets': [{'name': '{}'.format(dataset['name']), 'passphrase': '{}'.format(decrypted_key)}]}})
-                                        if response['ok']:
-                                            logger.info('Dataset {} was unlocked successfully'.format(dataset['name']))
-                                            # restart services since the dataset was unlocked
-                                            logger.info('Restarting the NFS service')
-                                            response = request('service/restart', api_key, 'POST', {'service': 'nfs'})
-                                            logger.info('Restarting the CIFS/SMB service')
-                                            response = request('service/restart', api_key, 'POST', {'service': 'cifs'})
-                                        else:
-                                            logger.error('Dataset {} was NOT unlocked successfully'.format(dataset['name']))
-                                    else:
-                                        logger.info('Dataset {} is already unlocked'.format(dataset['name']))
-                                    
-                    #print('pool {0} is decrypted: {1}'.format(pool['name'],pool['is_decrypted']))
-                # this line should be after the actual unlock on the disk
-                #logger.debug("Decrypted {0} pool key.".format(name))
-        sys.exit(0)
-    client.close()
+        logger = build_logger(logging.INFO)
+
+    client = client.ProxyKmipClient(config_file=pykmip_client_config_file)
+    client.open()    
+
+    if opts.config:
+        while True:
+            if not os.path.exists(secrets_config_file):
+                print("No pools found, do you want to add a new one?")
+                print(" ")
+                print("n) New config")
+                print("q) Quit config")
+                while True:
+                    user_input = input("n/q> ")
+                    if user_input.casefold() == "n":
+                        config = dict()
+                        config['URI'] = input("Please enter your hostname or IP address (default: localhost): ") or "localhost"
+                        if ask_for_confirmation("Would you like to verify the TLS cert?"):
+                            config['Verify TLS'] = True
+                        else:
+                            config['Verify TLS'] = False
+                        config['API Key'] = input("Please enter your API key: ")
+                        config['Pools'] = new_pool_details()
+                        write_config_file(config, secrets_config_file)
+                        break
+                    elif user_input.casefold() == "q":
+                        sys.exit(0)
+                    else:
+                        print("This value must be one of the following characters: n, q.")
+            while True:
+                config = read_config_file(secrets_config_file)
+                print("Current pools:")
+                print(" ")
+                for pool in config['Pools']:
+                    print(pool)
+                print(" ")
+                print("URI: {}".format(config['URI']))
+                print("Verify TLS Cert: {}".format(config['Verify TLS']))
+                print(" ")
+                print("h) Edit Host, TLS, and API Key")
+                print("e) Edit pool")
+                print("n) New pool")
+                print("d) Delete pool")
+                print("q) Quit config")
+                user_input = input("h/e/n/d/q> ")
+                # Edit Host, TLS, and API Key
+                if user_input.casefold() == "h":
+                    if ask_for_confirmation("Would you like to edit the hostname or IP address?\nCurrent Value: {}".format(config['URI'])):
+                        config['URI'] = input("Please enter your hostname or IP address: ")
+                    if ask_for_confirmation("Would you like to edit verify TLS cert?\nCurrent Value: {}".format(config['Verify TLS'])):
+                        if ask_for_confirmation("Would you like to verify the TLS cert?"):
+                            config['Verify TLS'] = True
+                        else:
+                            config['Verify TLS'] = False
+                    if ask_for_confirmation("Would you like to edit the API key?"):
+                        config['API Key'] = input("Please enter your API key: ")
+                    write_config_file(config, secrets_config_file)
+                # Editing a pool
+                elif user_input.casefold() == "e":
+                    pool_to_edit = select_pool(config['Pools'])
+                    pool_details = edit_pool_details(config['Pools'], pool_to_edit)
+                    del config['Pools'][pool_to_edit]
+                    config['Pools'].update(pool_details)
+                    write_config_file(config, secrets_config_file)
+                    break
+                # Createing a new pool
+                elif user_input.casefold() == "n":
+                    pool_details = new_pool_details()
+                    config['Pools'].update(pool_details)
+                    write_config_file(config, secrets_config_file)
+                    break
+                # Deleting a pool
+                elif user_input.casefold() == "d":
+                    pool_to_delete = select_pool(config['Pools'], "delete")
+                    if not ask_for_confirmation("Are you sure you wish to delete {} pool? ".format(pool_to_delete)):
+                        break
+                    del config['Pools'][pool_to_delete]
+                    if len(config['Pools']) == 0:
+                        if ask_for_confirmation("There are no pools left in the config, do you want to remove the secrets file?"):
+                            # no more accounts, remove secrets file if requests
+                            os.remove(secrets_config_file)
+                    else:
+                        write_config_file(config, secrets_config_file)
+                    break
+
+                # Quit the config
+                elif user_input.casefold() == "q":
+                    sys.exit(0)
+                
+                # Catch all for non-valid characters
+                else:
+                    print("This value must be one of the following characters: h, e, n, d, q")    
+    
+    if not os.path.exists(secrets_config_file):
+        print("No configuration file found. Please run {} -c/--config for configuration".format(script_name))
+        sys.exit(-1)
+    # run the decryption of the keys and unlock the pool
+    config = read_config_file(secrets_config_file)
+    URI = config['URI']
+    VERIFY_TLS  = config['Verify TLS']
+    API_KEY = config['API Key']
+    # Services excluded from being reloaded
+    EXCLUDED_SERVICES = ["ssh", "snmp", "ups"]
+    with Client(uri="wss://{}/api/current".format(URI), verify_ssl=VERIFY_TLS) as c:
+        if c.call("auth.login_with_api_key", API_KEY):
+            logger.debug('Successfully logged into {}'.format(URI))
+        else:
+            logger.error('Unable to login to {}'.format(URI))
+        SYSTEM_INFORMATION = c.call("system.info")
+        logger.debug('System Info: {}'.format(SYSTEM_INFORMATION))
+        POOL_DATASETS = c.call("pool.dataset.details")
+        logger.debug('Pool Datasets: {}'.format(POOL_DATASETS))
+        for config_pool in config['Pools']:
+            config_pool_name = config_pool
+            pool_passphrase = config['Pools'][config_pool_name]['pool_passphrase']
+            logger.info("Attempting to unlock {} pool".format(config_pool_name))
+            for pool_dataset in POOL_DATASETS:
+                pool_name = pool_dataset['name']
+                if pool_name == config_pool_name:
+                    pool_encrypted = pool_dataset['encrypted']
+                    pool_unlocked = pool_dataset['key_loaded']
+                    if pool_encrypted == True and pool_unlocked == False:
+                        logger.info('Dataset {} is locked'.format(pool_name))
+                        unlock_args = {"datasets": [{"name": pool_name, "passphrase": pool_passphrase}]}
+                        
+                        unlock_status = c.call("pool.dataset.unlock", pool_name, unlock_args, job=True)
+                        # return will look like this: {'unlocked': ['test'], 'failed': {}}
+                        if pool_name in unlock_status.get('unlocked', []):
+                            logger.info('Dataset {} was unlocked successfully'.format(pool_name))
+                        else:
+                            logger.error('Dataset {} was NOT unlocked'.format(pool_name))
+                    else:
+                        logger.info('Dataset {} is already unlocked'.format(pool_name))
+        services = c.call("service.query")
+        for service in services:
+            if service['enable'] and service['enable'] == "RUNNING" and service['service'] not in EXCLUDED_SERVICES:
+                logger.debug('Service {} is enabled'.format(service['service']))
+                reloaded = c.call("service.control", "RELOAD", service['service'], job=True)
+                if reloaded:
+                    logger.info('Service {} successfully reloaded'.format(service['service']))
+                else:
+                    logger.error('Service {} was NOT reloaded'.format(service['service']))
+    client.close()
+    sys.exit(0)