Cisco SMB Support Assistant
Encrypt the Pre-shared Keys on Cisco Routers

Introduction

This document explains how to encrypt the pre-shared key on your Cisco router to securely store plain text keys in type 6 encrypted format in NVRAM.





Requirements

To perform the steps described in this document, you need to have these items:

  • Cisco router running IOS version 12.3(2)T or later

  • You must have set up a VPN connection for your router with a pre-shared key as the authentication parameter, as described in the Router Support Page.

  • A console cable. For more information about cables, refer to Cable Descriptions.

  • Terminal emulation software such as HyperTerminal

    Note: For more information about how to create a terminal connection, refer to Create a HyperTerminal Connection.

  • Completed Worksheets from the Site Survey:

  1. LAN Addressing Worksheet

  2. Router Worksheet





Connect to the Router

Follow these steps to connect to the router command line interface:

  1. Connect a PC to the router with a console cable.

  2. Create a HyperTerminal connection to your router. For more information, refer to Create a HyperTerminal Connection.

  3. Log into the router with the login and password that you entered in fields B10 and B11 of the Router Worksheet.

    Username:admin
    Password:

    Note: If you do not know the password for your router, refer to Reset the Password on the Router.

  4. Type enable and press Enter to access the privileged mode. Type the enable password that you entered in field B12 of the Router Worksheet and press Enter.

    Router>enable
    Password:
    Router#
    




Encrypt the Pre-shared key

The Master key is the password/key used to encrypt all other keys in the router configuration with the Advanced Encryption Standard (AES) symmetric cipher. The Master key itself is not stored in the router configuration and cannot be viewed or retrieved in any way from the router.

Follow these steps to encrypt the ISAKMP pre-shared keys into type 6 encrypted format:

  1. Type show running-config at the router privileged EXEC prompt and press Enter. In the VPN configuration that follows crypto isakmp policy, the crypto isakmp key line shows the pre-shared key in clear text.

    Router#show running-config
    Building configuration...
    
    Current configuration : 2937 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    crypto pki trustpoint TP-self-signed-3242879345
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3242879345
    revocation-check none
    rsakeypair TP-self-signed-3242879345
    
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key cisco123 address 10.1.1.1
    !
    !--- Output is suppressed for brevity.
    
  2. Type configure terminal and press Enter to enter the router configuration mode.

    Router#configure terminal
    Router(config)#
    
  3. Type key config-key password-encrypt <Master key> and press Enter, where <Master key> is the key used to encrypt any existing or new keys in the router configuration.

    Router(config)#key config-key password-encrypt Cisco321
    Router(config)#
  4. Type password encryption aes and press Enter.

    Router(config)#password encryption aes
    Router(config)#
    
  5. Type exit and press Enter.

    Router(config)#exit
    Router#
  6. Type write memory and press Enter.

    Router#write memory
    




Encrypt the Pre-shared key Interactively

If the Master key is not specified on the command line, the router prompts the user to enter the key and to re-enter it for verification.

  1. Type key config-key password-encrypt and press Enter. Enter the new Master key, then re-enter the same key to confirm it.

    Router(config)#key config-key password-encrypt 
    
    New key:<enter key>
    Confirm key:<confirm key>
    
  2. Type password encryption aes and press Enter.

    Router(config)#password encryption aes
    Router(config)#
    




Modify the Existing Master Key Interactively

The Master key can be changed (although this is not necessary unless the key has been compromised in some way) by issuing the key config-key password-encrypt command again with the new Master key.

If a key already exists, the user is prompted to enter the old key first. Keys are not encrypted until you issue the password encryption aes command.

  1. Type key config-key password-encrypt and press Enter. When asked for the Old key, enter the existing Master key. Enter the New key and enter it again to confirm.

    Router(config)#key config-key password-encrypt
    Old key:<enter existing key>
    New key:<enter new key>
    Confirm key:<confirm new key>
    Router(config)#
    
  2. All the existing encrypted keys in the router configuration are re-encrypted with the new key, and a log message like the following is displayed when you change the Master key.

    TYPE6_PASS:Master key change heralded, re-encrypting the keys with the new master key
    




Delete the Master Key

You can delete the Master key when you issue the no key config-key password-encrypt command. However, this renders all currently configured keys in the router configuration useless.

  1. Type no key config-key password-encrypt and press Enter. When the warning message is displayed, type yes to confirm the Master key deletion.

    Router(config)#no key config-key password-encrypt 
    WARNING: All type 6 encrypted keys will become unusable
    Continue with master key deletion ? [yes/no]:yes
    Router(config)#
    
  2. As a security measure, once type 6 passwords/keys have been encrypted, Cisco IOS software never decrypts them; because the Master key no longer exists, the existing type 6 keys cannot be recovered or used. However, the passwords can be re-entered and encrypted again as shown in Encrypt the Pre-shared key Interactively.





Next Step

You have completed the pre-shared key encryption procedure for your Cisco router. To make further changes to your router, refer to the Routers Support Page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You are unable to see the pre-shared keys in type 6 encrypted format.

Cause(s) and Suggested Solution(s): Ensure that you enter the password encryption aes command after you configure the Master key with the key config-key password-encrypt command. Keys are not converted to type 6 format until both commands have been entered.

For further assistance, contact the SMB Technical Assistance Center (SMB TAC).
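The troubleshooting check above, and the before/after state of the Encrypt the Pre-shared key procedure, can be verified offline against a saved copy of show running-config. The following Python script is an added example and is not part of this Cisco document or Cisco IOS: it classifies every crypto isakmp key line as clear text or type 6 (IOS writes encrypted keys as crypto isakmp key 6 <ciphertext> ...), records whether password encryption aes is present, and returns the document's suggested action. The two configuration excerpts are constructed samples, and the type 6 ciphertext strings in them are placeholders rather than real router output.

```python
import re

# Constructed sample: a "show running-config" excerpt BEFORE the procedure
# (the pre-shared keys are still stored in clear text).
CONFIG_BEFORE = """\
version 12.4
service password-encryption
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.1
crypto isakmp key cisco456 address 10.1.1.2
"""

# Constructed sample: the same excerpt AFTER "key config-key password-encrypt"
# and "password encryption aes". The type 6 ciphertext strings are placeholders,
# not real router output.
CONFIG_AFTER = """\
version 12.4
service password-encryption
password encryption aes
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 TYPE6_CIPHERTEXT_PLACEHOLDER_1 address 10.1.1.1
crypto isakmp key 6 TYPE6_CIPHERTEXT_PLACEHOLDER_2 address 10.1.1.2
"""

# A "crypto isakmp key" line, with an optional leading encryption type
# (0 = clear text, 6 = AES-encrypted) before the key itself.
ISAKMP_KEY = re.compile(
    r"^crypto isakmp key\s+(?:(?P<type>\d)\s+)?(?P<key>\S+)\s+"
    r"(?:address|hostname)\s+(?P<peer>\S+)"
)


def audit_isakmp_keys(config):
    """Classify every ISAKMP pre-shared key in a running-config text.

    Returns a dict with the peers whose key is stored in clear text, the peers
    whose key is stored as type 6, and whether "password encryption aes" is set.
    """
    findings = {"aes_enabled": False, "cleartext_peers": [], "type6_peers": []}
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "password encryption aes":
            findings["aes_enabled"] = True
            continue
        match = ISAKMP_KEY.match(stripped)
        if match is None:
            continue
        if match.group("type") == "6":
            findings["type6_peers"].append(match.group("peer"))
        else:
            findings["cleartext_peers"].append(match.group("peer"))
    return findings


def diagnose(config):
    """Apply the document's troubleshooting rule and return (status, advice)."""
    findings = audit_isakmp_keys(config)
    if not findings["cleartext_peers"]:
        return "ok", "All ISAKMP pre-shared keys are stored in type 6 format."
    peers = ", ".join(findings["cleartext_peers"])
    if not findings["aes_enabled"]:
        return ("cleartext",
                "Clear-text keys for " + peers + ": configure the Master key with "
                "'key config-key password-encrypt', then enter "
                "'password encryption aes' and save with 'write memory'.")
    return ("cleartext",
            "Clear-text keys for " + peers + " although 'password encryption aes' "
            "is present: confirm the Master key was configured with "
            "'key config-key password-encrypt' before that command.")


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        status, advice = diagnose(cfg)
        print(label + ": " + status + " - " + advice)
```

To audit a real device, paste the output of show running-config into a file and pass its contents to diagnose(); the script never needs the Master key, because it only inspects how the keys are stored, not their values.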





© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.