Catalyst 8200 and Catalyst 8300 Edge Software Configuration Guide

Secure Storage

Updated: May 4, 2026

Want to summarize with AI?

On this page

Overview

Enable secure storage
Disable secure storage
Verify the status of encryption
Verify the platform identity

Overview

Details the secure storage feature, which encrypts sensitive configuration data (like keys and credentials) using hardware trust anchors, and explains how to enable/disable this protection.

A secure storage feature is a security mechanism that

encrypts critical configuration information, such as VPN and IPSec key pairs, pre-shared secrets, and credentials,
stores an instance-unique encryption key in the hardware trust anchor to prevent compromise, and
enables protection for type 6 password encryption keys and certain credentials.

By default, this feature is enabled on platforms with a hardware trust anchor. Platforms without a hardware trust anchor do not support secure storage.

Enable secure storage

By default, this feature is enabled on a platform. Use this procedure on a platform where it is disabled.

Procedure

	Command or Action	Purpose
1.	Config terminal Example: `router#config terminal`	Enters the configuration mode.
2.	service private-config-encryption Example: `router(config)# service private-config-encryption`	Enables the Secure Storage feature on your platform.
3.	do write memory Example: `router(config)# do write memory`	Encrypts the private-config file and saves the file in an encrypted format.

Example

The following example shows how to enable Secure Storage:

router#config terminal
                router(config)# service private-config-encryption
                router(config)# do write memory

Disable secure storage

Procedure

	Command or Action	Purpose
1.	Config terminal Example: `router#config terminal`	Enters the configuration mode.
2.	no service private-config-encryption Example: `router(config)# no service private-config-encryption`	Disables the Secure Storage feature on your platform.
3.	do write memory Example: `router(config)# do write memory`	Decrypts the private-config file and saves the file in plane format.

Example

The following example shows how to disable Secure Storage:

router#config terminal
                router(config)# no service private-config-encryption
                router(config)# do write memory

Verify the status of encryption

Use the show parser encrypt file status command to verify the status of encryption. The following command output indicates that the feature is available but the file is not encrypted. The file is in ‘plain text’ format.

router#show parser encrypt file status 
Feature: Enabled
File Format: Plain Text
Encryption Version: Ver1

The following command output indicates that the feature is enabled and the file is encrypted. The file is in ‘cipher text’ format.

router#show parser encrypt file status 
Feature: Enabled
File Format: Cipher Text
Encryption Version: Ver1

Verify the platform identity

Use the show platform sudi certificate command to display the SUDI certificate in standard PEM format. The command output helps you verify the platform identity.

In the command output, the first certificate is the Cisco Root CA 2048 and the second is the Cisco subordinate CA (ACT2 SUDI CA). The third is the SUDI certificate.

router#show platform sudi certificate sign nonce 123
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Secure Storage

Overview

Enable secure storage

Procedure

Example:

Example:

Example:

Example

Disable secure storage

Procedure

Example:

Example:

Example:

Example

Verify the status of encryption

Verify the platform identity

Need help?