Protected Private Key Storage
The Protected Private Key Storage feature allows a user to encrypt and lock the RSA private keys that are used on a Cisco IOS router, thereby, preventing unauthorized use of the private keys.
Feature History for Protected Private Key Storage
Release        Modification
12.3(7)T       This feature was introduced.
12.2(18)SXE    This feature was integrated into Cisco IOS Release 12.2(18)SXE.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for Protected Private Key Storage
• Restrictions for Protected Private Key Storage
• Information About Protected Private Key Storage
• How to Configure Protected Private Keys on a Router
• Configuration Examples for Protected and Locked Private Keys
Prerequisites for Protected Private Key Storage
Your router must be running a Cisco IOS image that contains support for RSA keys.
Restrictions for Protected Private Key Storage
Backward Compatibility Restriction
Any image prior to Cisco IOS Release 12.3(7)T does not support the encrypted key. To prevent your router from losing all encrypted keys, ensure that only unencrypted keys are written to NVRAM before booting up an image prior to Cisco IOS Release 12.3(7)T.
If you must download an image prior to Cisco IOS Release 12.3(7)T, decrypt the key and immediately save the configuration so the downloaded image does not overwrite the configuration.
Interaction With Applications
An encrypted key is not effective after the router boots up until you manually unlock the key (via the crypto key unlock rsa command). Depending on which key pairs are encrypted, this functionality may adversely affect applications such as IP Security (IPSec), Secure Shell (SSH) and Secure Socket Layer (SSL); that is, management of the router over a secure channel may not be possible until the necessary key pair is unlocked.
Information About Protected Private Key Storage
To use protected private keys, you should understand the following concept:
• Functionality Overview: Encrypting and Locking Private Keys on a Router
Functionality Overview: Encrypting and Locking Private Keys on a Router
Digital signatures are a common method used to authenticate one device to another device. Certificates provide a key distribution mechanism that is required by digital signatures and public key cryptography. To use digital signatures, private information (the private key) must be stored on the device that is providing the signature. The stored private information may aid an attacker who steals the hardware device that contains the private key; for example, an attacker may be able to cause the router to initiate a secure connection to another site by using the RSA private keys stored in the router.
The Protected Private Key Storage feature allows a user to encrypt the private key that is stored in NVRAM via a passphrase. Users can also "lock" the private key, which blocks new connection attempts from a running router and protects the key in the router if the router is stolen by an attacker.
How to Configure Protected Private Keys on a Router
This section contains the following procedures:
• Encrypting and Locking Private Keys on a Router
Encrypting and Locking Private Keys on a Router
Use this task to encrypt and lock the private key that is saved to NVRAM.
Prerequisites
Before you can encrypt or lock a private key, you should perform the following tasks:
• Generate the RSA keys. (It is recommended that you do not generate the RSA keys as exportable; however, this behavior does not have an effect on this feature.)
• Optionally, you can authenticate and enroll each router with the certification authority (CA) server.
Note
The RSA keys must be unlocked while enrolling with the CA. The keys can be locked while authenticating the router with the CA because the private key of the router is not used during authentication.
Restrictions
Passphrase Limitations
If a passphrase is lost, you must regenerate the key, enroll with the CA server again, and obtain a new certificate. A lost passphrase cannot be recovered.
If you want to change a passphrase, you must decrypt the key with the current passphrase via the crypto key decrypt rsa command and encrypt the key once more to specify the new passphrase.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto key encrypt [write] rsa [name key-name] passphrase passphrase
4. exit
5. show crypto key mypubkey rsa
6. crypto key lock rsa [name key-name] passphrase passphrase
7. show crypto key mypubkey rsa
8. crypto key unlock rsa [name key-name] passphrase passphrase
9. configure terminal
10. crypto key decrypt [write] rsa [name key-name] passphrase passphrase
DETAILED STEPS
Configuration Examples for Protected and Locked Private Keys
This section contains the following configuration examples:
• Configuring and Verifying an Encrypted Key: Example
• Configuring and Verifying a Locked Key: Example
Configuring and Verifying an Encrypted Key: Example
The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Router# show crypto key mypubkey rsa
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC 23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Router#
Configuring and Verifying a Locked Key: Example
The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
!
Router# show crypto key mypubkey rsa
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
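The two show outputs above are what an auditor has to read to confirm a key is actually protected and locked. The following added example (not part of the Cisco document) parses that output format and reports, per key pair, whether the private key is still stored unprotected, is encrypted but unlocked, or is encrypted and locked; the key named example-locked-key and the condensed sample output are constructed for this example.

```python
import re

# Constructed sample condensed from this page's "show crypto key mypubkey rsa" outputs
# (key data omitted); the third key pair is made up to show the LOCKED state.
SAMPLE_OUTPUT = """\
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:example-locked-key
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is not exportable.
"""

STATE_RE = re.compile(r"\*\*\* The key is protected and (UNLOCKED|LOCKED)\. \*\*\*")

def parse_mypubkey(text):
    """One dict per key pair; 'Usage:', 'Key Data:' and the hex dump lines are skipped."""
    keys, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("% Key pair was generated at:"):
            cur = {"name": "", "protected": False, "locked": False, "exportable": False}
            keys.append(cur)
        elif cur is None:
            continue                       # ignore text before the first banner
        elif line.startswith("Key name:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif (m := STATE_RE.match(line)):  # banner is absent for an unprotected key
            cur["protected"], cur["locked"] = True, m.group(1) == "LOCKED"
        elif line == "Key is exportable.":
            cur["exportable"] = True       # "Key is not exportable." leaves it False
    return keys

def audit(keys):
    """Map key name -> status. UNPROTECTED means the private key sits in NVRAM in the clear."""
    status = {}
    for k in keys:
        if not k["protected"]:
            s = "UNPROTECTED"
        else:
            s = "PROTECTED_LOCKED" if k["locked"] else "PROTECTED_UNLOCKED"
        status[k["name"]] = s + ("+EXPORTABLE" if k["exportable"] else "")
    return status
```

Run audit(parse_mypubkey(output)) over the captured text of show crypto key mypubkey rsa; any UNPROTECTED entry is a key pair the crypto key encrypt rsa command has not yet been applied to.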
Additional References
The following sections provide references related to Protected Private Key Storage.
Related Documents
Standards
MIBs
MIBs          MIBs Link
None          To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents only new and modified commands.
crypto key decrypt rsa
To delete the encrypted RSA key and leave only the unencrypted key on the running router, use the crypto key decrypt rsa command in global configuration mode.
crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
The private key running on the router is encrypted.
Command Modes
Global configuration
Command History
Release        Modification
12.3(7)T       This command was introduced.
12.2(18)SXE    This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
Use the crypto key decrypt rsa command to store the decrypted private key in NVRAM the next time NVRAM is written (which is immediately if the write keyword is issued).
Examples
The following example shows how to decrypt the RSA key "pki1-72a.cisco.com":
Router(config)# crypto key decrypt write rsa name pki1-72a.cisco.com passphrase cisco1234
Related Commands
Command                          Description
crypto key encrypt rsa           Encrypts the RSA private key.
show crypto key mypubkey rsa     Displays the RSA public keys of your router.
crypto key encrypt rsa
To encrypt the RSA private key, use the crypto key encrypt rsa command in global configuration mode.
crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
RSA keys are not encrypted.
Command Modes
Global configuration
Command History
Release        Modification
12.3(7)T       This command was introduced.
12.2(18)SXE    This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
The private key is encrypted (protected) via the specified passphrase. After the key is protected, it may continue to be used by the router; that is, Internet Key Exchange (IKE) tunnels and encrypted key export attempts should continue to work because the key remains "unlocked."
To lock the key, which can be used to disable the router, issue the crypto key lock rsa privileged EXEC command. (When you lock the encrypted key, all functions which use the locked key are disabled.)
Examples
The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted and unlocked.
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Router# show crypto key mypubkey rsa
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC 23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Router#
Related Commands
crypto key lock rsa
To lock the RSA private key in a router, use the crypto key lock rsa command in privileged EXEC mode.
crypto key lock rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
RSA keys are encrypted, but not locked.
Command Modes
Privileged EXEC
Command History
Release        Modification
12.3(7)T       This command was introduced.
12.2(18)SXE    This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
When the crypto key lock rsa command is issued, the unencrypted copy of the key is deleted. Because the private key is not available, all RSA operations will fail.
This command affects only the "run-time" access to the key; that is, it does not affect the key that is stored in NVRAM.
Examples
The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
!
Router# show crypto key mypubkey rsa
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
Related Commands
crypto key unlock rsa
To unlock the RSA private key in a router, use the crypto key unlock rsa command in privileged EXEC mode.
crypto key unlock rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
The encrypted private key is locked.
Command Modes
Privileged EXEC
Command History
Release        Modification
12.3(7)T       This command was introduced.
12.2(18)SXE    This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
When a router with an encrypted RSA key (via the crypto key encrypt rsa command) initially boots up, the key does not exist in plain text and is therefore considered to be locked. Because the private key is not available, all RSA operations will fail. After you unlock the private key, RSA operations will function again.
This command affects only the "run-time" access to the key; that is, it does not affect the key that is stored in NVRAM.
Examples
The following example shows how to unlock the key "pki1-72a.cisco.com":
Router# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234
Related Commands
show crypto key mypubkey rsa
To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode.
show crypto key mypubkey rsa
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays your router's RSA public keys.
Examples
The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.
% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
Usage: Signature Key
Key Data:
005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
Usage: Encryption Key
Key Data:
00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Router# show crypto key mypubkey rsa
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC 23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Router#
The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
!
Router# show crypto key mypubkey rsa
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
Related Commands
Command                          Description
crypto key encrypt rsa           Encrypts the RSA private key.
crypto key generate rsa (IKE)    Generates RSA key pairs.
crypto key lock rsa              Locks the RSA private key in a router.
Copyright © 2005 Cisco Systems, Inc. All rights reserved.