MACsec Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

MACsec pre-shared keys with Type 6 password encryption

Overview

Defines the Type 6 password encryption scheme, which uses AES-256 symmetric encryption to store MACsec pre-shared keys securely, preventing plaintext exposure in configuration files.

A MACsec pre-shared key with Type 6 password encryption is a router security configuration that

  • securely stores MACsec Connectivity Association Keys (CAKs) in encrypted form,

  • depends on a locally configured primary key to operate, and

  • uses AES‑256 symmetric encryption to protect MACsec key material in the router configuration.

Terms used in this section:

  • Primary key: The local password or key that the router uses to encrypt and decrypt every MACsec CAK stored in the configuration. The router does not store this key in the configuration, and it cannot be displayed.

  • Type 6 password encryption: A Cisco encryption scheme that applies AES-256 symmetric encryption to sensitive secrets in the configuration. The router decrypts a stored value on demand, for example when it needs the CAK to establish an MKA session with a peer.

  • MACsec CAK / PSK: The static pre-shared key MACsec uses to form a Connectivity Association between peers.

When enabled, the PSK does not appear in clear text in running, startup, or archived configurations; the router stores only an encrypted value that it can decrypt locally when needed. Type 6 password encryption functions only when a primary key is configured.
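To confirm that a router has actually reached the state described above, here is an added Python audit (not from the Cisco guide) that scans a saved running-config for MACsec keychains whose key-string is still cleartext or only Type 7 obfuscated, and reports whether the global password6 encryption aes line is present. The password6, password and clear key-string keywords it recognises are assumed running-config forms; confirm them against show running-config key chain on your platform. The sample configuration embedded in it is constructed.

```python
# Added example (not from the Cisco guide): audit a saved IOS XR running-config
# for MACsec keychain key-strings that are not stored as Type 6.
# Assumed key-string forms in the running-config (verify on your platform):
#   key-string password6 <blob> ...  -> Type 6 (AES-256), the state this page wants
#   key-string password <blob> ...   -> reversible Type 7 style obfuscation
#   key-string clear <hex> ... / key-string <hex> ...  -> cleartext CAK
import re
from dataclasses import dataclass


@dataclass
class Finding:
    keychain: str
    key_id: str      # the CKN ("key" id) the key-string belongs to
    storage: str     # "type7" or "cleartext"; Type 6 entries are not reported
    algorithm: str   # cryptographic-algorithm value, "" if absent


KEYCHAIN_RE = re.compile(r"^key chain (\S+) macsec\s*$")
KEY_RE = re.compile(r"^\s+key (\S+)\s*$")
KEYSTRING_RE = re.compile(
    r"^\s+key-string\s+(?:(password6|password|clear)\s+)?(\S+)"
    r"(?:\s+cryptographic-algorithm\s+(\S+))?"
)


def classify(keyword):
    """Map the key-string keyword (or None for a bare value) to how the CAK is stored."""
    return {"password6": "type6", "password": "type7"}.get(keyword, "cleartext")


def audit_macsec_keychains(config_text):
    """Return (type6_enabled, findings).

    type6_enabled is True when the global 'password6 encryption aes' line is
    present; findings lists every MACsec key-string that is not Type 6.
    Indentation tracks keychain blocks, as in IOS XR running-configs.
    """
    type6_enabled = False
    findings = []
    keychain = key_id = None
    for line in config_text.splitlines():
        if line.strip() == "password6 encryption aes":
            type6_enabled = True
            continue
        m = KEYCHAIN_RE.match(line)
        if m:
            keychain, key_id = m.group(1), None
            continue
        if keychain is None:
            continue
        if not line.startswith(" "):      # column-0 line: the keychain block ended
            keychain = key_id = None
            continue
        m = KEY_RE.match(line)
        if m:
            key_id = m.group(1)
            continue
        m = KEYSTRING_RE.match(line)
        if m and key_id is not None:
            storage = classify(m.group(1))
            if storage != "type6":
                findings.append(Finding(keychain, key_id, storage, m.group(3) or ""))
    return type6_enabled, findings


# Constructed sample running-config: kc1 is Type 6, kc2 still holds the CAK in
# cleartext (the form typed in this guide's step 2), kc3 is not a MACsec keychain.
SAMPLE_CONFIG = """\
hostname r1
password6 encryption aes
key chain kc1 macsec
 key 1111
  key-string password6 5F3A9C1D7E2B4A6C8D0E1F2A3B4C5D6E cryptographic-algorithm aes-256-cmac
  lifetime 00:00:00 1 October 2019 infinite
 !
!
key chain kc2 macsec
 key 2222
  key-string 1234567890123456789012345678902212345678901234567890123456789022 cryptographic-algorithm aes-256-cmac
  lifetime 00:00:00 1 October 2019 infinite
 !
!
key chain kc3
 key 1
  key-string password 082D4D4C071B1E5F4E
 !
!
"""

if __name__ == "__main__":
    enabled, found = audit_macsec_keychains(SAMPLE_CONFIG)
    print("password6 encryption aes:", "on" if enabled else "OFF")
    for f in found:
        print(f"{f.keychain} key {f.key_id}: CAK stored as {f.storage} ({f.algorithm or 'no algorithm'})")
```

Run it against a config exported from the router (or pulled by your configuration backup system): an empty findings list together with the global line present is the state this section describes. Any finding means the CAK for that CKN is recoverable by anyone who can read the configuration file.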

Benefits of securing MACsec pre-shared keys with Type 6 password encryption

  • Protects MACsec PSKs from exposure in plain text.

  • Utilizes AES‑256 encryption for robust and modern cryptographic protection.

  • Supports compliance with regulatory and organizational security policies.

  • Reduces insider threat risks from configuration file inspection.


Configure MACsec pre-shared keys with Type 6 password encryption

Configure MACsec pre-shared keys with Type 6 encrypted passwords for secure key management.

Perform this task to set up or modify a MACsec PSK with Type 6 password encryption.

Procedure

1.

Use the key config-key password-encryption command to create the primary key.

Example:

Router# config
Router(config)# key config-key password-encryption
Enter new key:
Enter confirm key:
Router(config)# commit
  • When prompted, enter and confirm the new primary key. The router does not store it in the configuration, and you must supply the current key again to modify it later, so keep a record of it in a secure location. The key must meet the following requirements:

    • Minimum length: 6 characters

    • Maximum length: 64 characters

    • Allowed characters: uppercase letters [A-Z], lowercase letters [a-z], and digits [0-9]

2.

Use the key chain command to configure the macsec keychain.

Example:

Router# config
Router(config)# key chain kc1 macsec
Router(config-kc1-MacSec)# key 1111
Router(config-kc1-MacSec-1111)# key-string 1234567890123456789012345678902212345678901234567890123456789022 cryptographic-algorithm aes-256-cmac
Router(config-kc1-MacSec-1111)# lifetime 00:00:00 1 October 2019 infinite
Router(config-kc1-MacSec-1111)# commit

Modify the primary key if needed:

  • If a primary key exists, enter the current key when prompted before setting a new key.

  • Modifying the primary key re-encrypts all existing Type 6 key strings with the new key.

  • Ensure the password6 encryption aes command is configured to enable re-encryption; otherwise, the update will fail.

Deleting the primary key brings down MACsec traffic on any MKA session that is currently using Type 6 keys. To avoid disruption, first configure a new PSK pair [key (CKN) and key string (CAK)] on both peers, with a start time later than that of the existing keys and a lifetime of infinite, and confirm that the MKA session has successfully rekeyed to the new CKN and CAK before you delete the primary key.

Delete the primary key when necessary:

Router# config
Router(config)# no password6 encryption aes
Router(config)# commit
Router(config)# exit
Router# key config-key password-encryption delete
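The whole procedure as one worked example, added here and not part of the Cisco guide: a Python helper that checks a candidate primary key against the rules in step 1, checks that a CAK is hex of the length its cryptographic-algorithm needs (32 hex characters for aes-128-cmac, 64 for aes-256-cmac, as in step 2), generates a fresh CKN/CAK pair from the OS CSPRNG, and renders the IOS XR commands for enabling Type 6 (including password6 encryption aes), for the keychain, and for the pre-deletion rekey on both peers. Assumptions: CKN and CAK are written as uppercase hex as the key-string in step 2 is, lines beginning with ! are treated as comments when the configuration is pasted, and the operator answers the interactive Enter new key prompts.

```python
# Added example, not Cisco's code: generate fresh MACsec key material and render
# the IOS XR CLI for this page's procedure (enable Type 6, configure the
# keychain, and the pre-deletion rekey on both peers).  Assumptions: CKN and
# CAK are written as uppercase hex (the page's key-string is hex); '!' lines are
# comments in pasted configuration; the interactive primary-key prompts of
# 'key config-key password-encryption' are answered by the operator.
import re
import secrets
from datetime import datetime, timezone

# CAK length per cryptographic-algorithm: IEEE 802.1X uses a 128-bit CAK with
# AES-128-CMAC and a 256-bit CAK with AES-256-CMAC (64 hex chars, as on this page).
CAK_BYTES = {"aes-128-cmac": 16, "aes-256-cmac": 32}
PRIMARY_KEY_RE = re.compile(r"[A-Za-z0-9]{6,64}")   # step 1 rules: 6-64 chars, [A-Za-z0-9]
EXAMPLE_START = datetime(2019, 10, 1, tzinfo=timezone.utc)   # the lifetime start used in step 2


def primary_key_ok(candidate):
    """True when the candidate meets the primary-key rules stated in step 1."""
    return PRIMARY_KEY_RE.fullmatch(candidate) is not None


def key_string_ok(cak, algorithm):
    """True when the CAK is hex of the length the algorithm requires."""
    size = CAK_BYTES.get(algorithm)
    return size is not None and re.fullmatch(r"[0-9A-Fa-f]{%d}" % (2 * size), cak) is not None


def generate_pair(algorithm="aes-256-cmac", ckn_bytes=4):
    """Fresh CKN (the 'key' id) and CAK (the key-string) from the OS CSPRNG."""
    if algorithm not in CAK_BYTES:
        raise ValueError(f"unsupported cryptographic-algorithm {algorithm}")
    return secrets.token_hex(ckn_bytes).upper(), secrets.token_hex(CAK_BYTES[algorithm]).upper()


def lifetime_clause(start):
    """'lifetime hh:mm:ss D Month YYYY infinite', the form used in step 2."""
    return f"lifetime {start:%H:%M:%S} {start.day} {start:%B} {start.year} infinite"


def render_type6_enable():
    """Step 1 plus the global 'password6 encryption aes' this page says must be on."""
    return [
        "key config-key password-encryption",
        "! answer the 'Enter new key' / 'Enter confirm key' prompts; the key is not stored in config",
        "password6 encryption aes",
        "commit",
    ]


def render_keychain(chain, ckn, cak, algorithm, start):
    """Step 2 for one CKN/CAK pair; with Type 6 enabled the router stores the
    key-string only in encrypted form after commit."""
    return [
        f"key chain {chain} macsec",
        f" key {ckn}",
        f"  key-string {cak} cryptographic-algorithm {algorithm}",
        f"  {lifetime_clause(start)}",
        " !",
        "!",
        "commit",
    ]


def render_rekey_for_peers(chain, algorithm="aes-256-cmac", start=None):
    """Pre-deletion rekey: one new CKN/CAK pair with a start time later than any
    existing key and an infinite lifetime, rendered identically for both peers.
    Returns (cli_per_peer, ckn, cak); the cleartext CAK must reach the second
    peer out of band and then be discarded."""
    start = start or datetime.now(timezone.utc)
    ckn, cak = generate_pair(algorithm)
    lines = render_keychain(chain, ckn, cak, algorithm, start)
    return {"peer-a": lines, "peer-b": list(lines)}, ckn, cak


if __name__ == "__main__":
    assert primary_key_ok("Xr8key2024")          # a candidate that satisfies step 1
    print("\n".join(render_type6_enable()))
    peers, ckn, cak = render_rekey_for_peers("kc1")
    print("\n".join(peers["peer-a"]))
```

Paste the rendered block into each peer in turn and confirm the MKA session has moved to the new CKN before running the deletion commands above. The cleartext CAK exists only in the helper's output; once committed with Type 6 enabled, the router holds only the encrypted form, so the output itself is the secret to protect and dispose of.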

The primary key and Type 6 password encryption are successfully configured, modified, or deleted, and the MACsec key chain is configured with Type 6 encrypted pre-shared keys, ensuring secure key management.