Password encryption has the following configuration guidelines and limitations:

• Only users with administrator privilege (network-admin) can configure the AES password encryption feature, associated encryption and decryption commands, and primary keys.

• Beginning with Cisco NX-OS Release 10.3(3)F, RPM keychain infra supports AES password encryption for RPM legacy keychains on Cisco Nexus 9000 Series platform switches.

• Configurations containing Type-6 encrypted passwords are not rollback-compliant.

• You can enable the AES password encryption feature without a primary key, however the encryption starts only when a primary key is present in the system.

• For TACACS+ and RPM legacy keychain, after you enable the AES password encryption feature and configure a primary key, you must run the encryption re-encrypt obfuscated command to convert the passwords to Type-6 encrypted passwords.

• Deleting the primary key stops Type-6 encryption and causes all existing Type-6 encrypted passwords to become unusable, unless the same primary key is reconfigured.

• To move the device configuration to another device, either decrypt the configuration before porting it to the other device or configure the same primary key on the device to which the configuration will be applied.

• Type-6 encryption is supported only for MACsec and RPM legacy keychain. It is not supported for cloudsec keys.

• Starting from Cisco NX-OS Release 9.3(6), converting Type-6 encrypted passwords back to original state is not supported on MACsec keychain.

• Starting from Cisco NX-OS Release 10.3(3)F, converting Type-6 encrypted passwords back to original state is not supported for RPM legacy keychain.

• Type-6 encryption can be configured only when the AES password encryption feature is enabled and the primary key is configured.

• When the primary key is configured and the AES password encryption feature is enabled on a switch, each MACsec key string configurations under the keychain infra are automatically encrypted with the Type-6 encryption.

• Primary key configuration is local to the switch. If you take the Type-6 configured running data from one switch and apply it on another switch where a different primary key is configured, then decryption on the new switch fails.

• If you erase the startup configuration and use the configuration replace feature after a Type-6 encryption, the configuration replace fails because the primary key is not stored in PSS. Therefore, there is configuration loss for MACsec Type-6 encrypted key string.

• When you configure the Type-6 keys, you cannot modify the existing Type-6 encrypted key strings to Type-7 encrypted key string without applying the decrypt command provided by SKSD.

• If you downgrade the system by cold reboot with an old image where the Type-6 encryption is not supported, you must take out the configuration before you proceed with the cold reboot. Failing to do so leads to loss in configuration.

• After you downgrade the system, the Type-6 configuration is lost.

• If you downgrade the system by ISSD, capability conf check is invoked and it notifies you to remove the configuration before proceeding with the downgrade. You can use the encryption decrypt command to convert the Type-6 encrypted keys to Type-7 encryption keys, and then proceed with the downgrade.

• During an ISSU upgrade, if you migrate from an older image which includes the Type-7 encrypted keys to a new image that supports Type-6 encryption, the rpm does not convert the existing keys to Type-6 encrypted keys until re-encryption is enforced. To enforce a re-encryption, use the encryption re-encrypt obfuscated command.

• After ISSU upgrade from an older image which includes the Type-7 encrypted keys to a new image that supports Type-6 encryption, if configuration replace is done using the configuration file saved in older image or configuration file saved after upgrade without re-encrypting the password to Type-6 (using encryption re-encrypt obfuscated command), the configuration replace will fail.

• If you change the primary key after a Type-6 encryption, the decrypt command fails on the existing Type-6 encrypted key-string. You must delete the existing Type-6 key string and configure a new key string.

• For RPM legacy keychains, Type-6 key-strings can be configured without AES password encryption feature enabled and primary key configured, however these Type-6 key-strings are unusable until AES password encryption feature is enabled and the primary key with which the Type-6 key-strings were generated is configured.

• Starting from Cisco NX-OS Release 10.3(2)F, you can configure primary key using DME payload and non-interactive mode.

• During upgrade, while performing device reload, if ASCII replay is triggered without binary restore, primary key gets lost. The primary key must be reconfigured after device reload. Use the key config-key ascii command to reconfigure the primary key and avoid encryption issues. However, upgrade with binary restore retains the primary key after the reboot.

• During downgrade, where both source and target images support Type-6 encryption, while performing device reload, if ASCII replay is triggered without binary restore, primary key gets lost. The primary key must be reconfigured after device reload. Use the key config-key ascii command to reconfigure the primary key and avoid encryption issues. However, downgrade with binary restore retains the primary key after the reboot, provided both source and target images support Type-6 encryption.

  If you downgrade the system from an image that supports Type-6 encryption to an image that does not support Type-6 encryption, compatibility check fails.

This section describes the tasks for configuring password encryption on Cisco NX-OS devices.