Encrypted Preshared Key
|
|||||||
Contents
Encrypted Preshared KeyLast Updated: July 16, 2012
The Encrypted Preshared Key feature allows you to securely store plain text passwords in type 6 (encrypted) format in NVRAM. Finding Support Information for Platforms and Cisco IOS Software ImagesUse Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp . You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Finding Feature InformationYour software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Restrictions for Encrypted Preshared Key
Information About Encrypted Preshared Key
Using the Encrypted Preshared Key Feature to Securely Store PasswordsUsing the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryptioncommand with the password encryption aescommand to configure and enable the password (symmetric cipher AES is used to encrypt the keys). The password (key) configured using the config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router. If you configure the password encryption aescommand without configuring the key config-key password-encryptioncommand, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured: "Can not encrypt password. Please configure a configuration-key with 'key config-key'"
Changing a PasswordIf the password (master key) is changed, or reencrypted, using the key config-key password-encryptioncommand), the list registry passes the old key and the new key to the application modules that are using type 6 encryption. Deleting a PasswordIf the master key that was configured using the key config-key password-encryptioncommand is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Unconfiguring Password EncryptionIf you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryptioncommand exists, the type 6 passwords will be decrypted as and when required by the application. Storing PasswordsBecause no one can "read" the password (configured using the key config-key password-encryptioncommand), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryptioncommand). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration. Configuring New or Unknown PasswordsIf you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows: "ciphertext>[for username bar>] is incompatible with the configured master key." If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is. If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryptioncommand. Deleting the master key using the no key config-key password-encryptioncommand causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted. How to Configure an Encrypted Preshared Key
Configuring an Encrypted Preshared Key
SUMMARY STEPS
DETAILED STEPS Troubleshooting TipsIf you see the warning message "ciphertext >[for username bar>] is incompatible with the configured master key," you have entered or cut and pasted cipher text that does not match the master key or there is no master key. (The cipher text will be accepted or saved.) The warning message will allow you to locate the broken configuration line or lines. Monitoring Encrypted Preshared KeysTo get logging output for encrypted preshared keys, perform the following steps.
DETAILED STEPS ExamplesThe following password logging debug output shows that a new master key has been configured and that the keys have been encrypted with the new master key: Router (config)# key config-key password-encrypt New key: Confirm key: Router (config)# 01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys with the new master keypas Router (config)# key config-key password-encrypt Old key: New key: Confirm key: Router (config)# 01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keys with the new master key 01:42:11: TYPE6_PASS: Mac verification successful 01:42:11: TYPE6_PASS: Mac verification successful 01:42:11: TYPE6_PASS: Mac verification successful Configuring an ISAKMP Preshared Key
SUMMARY STEPS
DETAILED STEPS Configuring an ISAKMP Preshared Key in ISAKMP KeyringsTo configure an ISAKMP preshared key in ISAKMP keyrings, which are used in IPSec Virtual Route Forwarding (VRF) configurations, perform the following procedure. DETAILED STEPS ExampleThe following show-running-config sample output shows that an encrypted preshared key in ISAKMP keyrings has been configured. crypto keyring mykeyring pre-shared-key address 10.2.3.5 key 6 `WHCJYR_Z]GRPF^RXTQfDcfZ]GPAAB pre-shared-key hostname mydomain.com key 6 aE_REHDcOfYCPF^RXTQfDJYVVNSAAB Configuring ISAKMP Aggressive Mode
SUMMARY STEPS
DETAILED STEPS Configuring a Unity Server Group Policy
SUMMARY STEPS
DETAILED STEPS Configuring an Easy VPN Client
SUMMARY STEPS
DETAILED STEPS Configuration Examples for Encrypted Preshared Key
Encrypted Preshared Key ExampleThe following is an example of a configuration for which a type 6 preshared key has been encrypted. It includes the prompts and messages that a user might see. Router (config)# crypto isakmp key cisco address 10.0.0.2 Router (config)# exit Router# show running-config | include crypto isakmp key crypto isakmp key cisco address 10.0.0.2 Router# Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router (config)# password encryption aes Router (config)# key config-key password-encrypt New key: Confirm key: Router (config)# 01:46:40: TYPE6_PASS: New Master key configured, encrypting the keys with the new master key Router (config)# exit Router # show running-config | include crypto isakmp key crypto isakmp key 6 CXWdhVTZYB_Vcd^`cIHDOahiFTa address 10.0.0.2 Key Already Exists But the User Wants to Key In Interactively ExampleIn the following configuration example, the user wants to key in interactively, but a key already exists. The Old key, New key, and Confirm key prompts will show on your screen if you enter the key config-key password-encryptioncommand and press the enter key to get into interactive mode.
Router (config)# key config-key password-encryption
Old key:
New key:
Confirm key:
Removal of the Password Encryption ExampleIn the following configuration example, the user wants to remove the encrypted password. The "WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion? [yes/no]:" prompt will show on your screen if you are in interactive mode. Router (config)# no key config-key password-encryption WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion ? [yes/no]: y Additional ReferencesMIBsTechnical Assistance
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. © 2012 Cisco Systems, Inc. All rights reserved.
|
|||||||