Secure Stored Pre-shared Keys in a Router

Available Languages

Download Options

  • PDF     (30.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (80.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (66.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 24, 2026
Document ID:46420

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to set up encryption of both current and new pre-shared keys in a router.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on this software version:

  • Cisco IOS XE® Software Release 16.9

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Conventions

Refer to the  Cisco Technical Tips Conventions  for more information on document conventions.

Background Information

Cisco IOS Software Release 12.3(2)T code introduces the functionality that allows the router to encrypt the Internet Security Association and Key Management Protocol (ISAKMP) pre-shared key in secure type 6 format in Non-Volatile RAM (NVRAM). The pre-shared key to be encrypted can be configured either as standard, under an ISAKMP key ring, in aggressive mode, or as the group password under an Easy Virtual Private Network (EzVPN) server or client setup. 

Configure

This section presents you with the information you can use to configure the features this document describes.

These two commands were introduced in order to enable pre-shared key encryption:

  • key config-key password-encryption [primary key]

  • password encryption aes

The [primary key] is the password/key used to encrypt all other keys in the router configuration with the use of an Advance Encryption Standard (AES) symmetric cipher. The primary key is not stored in the router configuration and cannot be seen or obtained in any way while connected to the router.

Once configured, the primary key is used to encrypt any current or new keys in the router configuration. If the [primary key] is not specified on the command line, the router prompts the user to enter the key and to re-enter it for verification. If a key already exists, the user is prompted to enter the old key first. Keys are not encrypted until you issue the password encryption aes command.

The primary key can be changed (although this is not necessary unless the key has become compromised in some way) with the key config-key password-encryption command again with the new [primary-key].  Any current encrypted keys in the router configuration are re-encrypted with the new key.

You can delete the primary key when you issue theno key config-key password-encryptionHowever, this renders all currently configured keys in the router configuration useless (a warning message displays that details this and confirms the primary key deletion). Since the primary key no longer exists, the type 6 passwords cannot be decrypted and used by the router.

note-icon

Note: For security reasons, neither the removal of the primary key, nor the removal of the password encryption aes command decrypts the passwords in the router configuration. Once passwords are encrypted, they are not decrypted. Current encrypted keys in the configuration can still be decrypted provided the primary key is not removed.

Additionally, in order to see debug-type messages of password encryption functions, use thepassword logging command in the configuration mode.

Configurations

This document uses these configurations on the router:

Encrypt the Current Pre-shared Key 
Router#show running-config 
Building configuration...
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 10.1.1.1
!
<output omitted>
!
end

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#key config-key password-encrypt testkey123
Router(config)#password encryption aes
Router(config)#^Z
Router#
Router#show running-config 
Building configuration...
!
!
password encryption aes
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 6 FLgBaJHXdYY_AcHZZMgQ_RhTDJXHUBAAB address 10.1.1.1
!
<output omitted>
!
end
Add a New Primary Key Interactively 
Router(config)#key config-key password-encrypt 
New key: <enter key>
Confirm key: <confirm key>
Router(config)#
Modify the Current Primary Key Interactively 
Router(config)#key config-key password-encrypt
 Old key: <enter current key>
New key: <enter new key>
Confirm key: <confirm new key>
Router(config)#
*Jan  7 01:42:12.299: TYPE6_PASS: Master key change heralded, re-encrypting the keys with the new primary key
Delete the Primary Key 
Router(config)#no key config-key password-encrypt 
WARNING: All type 6 encrypted keys will become unusable
Continue with primary key deletion ? [yes/no]: yes
Router(config)#

Verify

There is currently no verification procedure available for this configuration.

Related Information

Revision History

Revision Publish Date Comments
5.0
24-Apr-2026
Recertification
1.0
19-Jan-2006
Initial Release
TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products