AES Password Encryption and Master Encryption Keys
You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key, which is used to encrypt and decrypt passwords.
After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.
Virtualization Support for Password Encryption
The master key used with the AES password encryption feature is unique for each VDC.
For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.
Licensing Requirements for Password Encryption
The following table shows the licensing requirements for this feature:
Password encryption requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you.
For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for Password Encryption
Password encryption has the following configuration guidelines and limitations:
Only users with administrator privilege (network-admin or vdc-admin) can configure the AES password encryption feature, associated encryption and decryption commands, and master keys.
RADIUS and TACACS+ are the only applications that can use the AES password encryption feature.
Configurations containing type-6 encrypted passwords are not rollback compliant.
You can enable the AES password encryption feature without a master key, but encryption starts only when a master key is present in the system.
Deleting the master key stops type-6 encryption and causes all existing type-6 encrypted passwords to become unusable, unless the same master key is reconfigured.
Before you downgrade from Cisco NX-OS Release 5.2 to an earlier release, decrypt all type-6 passwords, disable the AES password encryption feature, and delete the master key.
To move the device configuration to another device, either decrypt the configuration before porting it to the other device or configure the same master key on the device to which the configuration will be applied.
Default Settings for Password Encryption
This table lists the default settings for password encryption parameters.
Configuring a Master Key and Enabling the AES Password Encryption Feature
You can configure a master key for type-6 encryption and enable the Advanced Encryption Standard (AES) password encryption feature.
Summary Steps
1. [no] key config-key ascii
2. configure terminal
3. [no] feature password encryption aes
4. (Optional) show encryption service stat
5. copy running-config startup-config
Detailed Steps
Step 1: [no] key config-key ascii
Example:
switch# key config-key ascii
New Master Key:
Retype Master Key:
Purpose: Configures a master key to be used with the AES password encryption feature. The master key can contain between 16 and 32 alphanumeric characters. You can use the no form of this command to delete the master key at any time.
If you enable the AES password encryption feature before configuring a master key, a message appears stating that password encryption will not take place unless a master key is configured. If a master key is already configured, you are prompted to enter the current master key before entering a new master key.
Step 2: configure terminal
Example:
switch# configure terminal
Purpose: Enters global configuration mode.
Step 3: [no] feature password encryption aes
Example:
switch(config)# feature password encryption aes
Purpose: Enables or disables the AES password encryption feature.
Step 4: (Optional) show encryption service stat
Example:
switch(config)# show encryption service stat
Purpose: Displays the configuration status of the AES password encryption feature and the master key.