Configure secure storage

A secure storage feature is a security mechanism that

  • encrypts critical configuration information, such as VPN and IPsec key pairs, pre-shared secrets, and credentials,

  • stores an instance-unique encryption key in the hardware trust anchor to prevent compromise, and

  • enables protection for type 6 password encryption keys and certain credentials.

By default, this feature is enabled on platforms with a hardware trust anchor. Platforms without a hardware trust anchor do not support secure storage. Because the encryption key lives in the hardware trust anchor and is unique to that unit, an encrypted private-config file can only be decrypted on the device that wrote it.

Enable secure storage

On supported platforms this feature is enabled by default. Use this procedure on a platform where it has been disabled.

Procedure

Step 1: configure terminal

  Example:
  router# configure terminal

  Enters global configuration mode.

Step 2: service private-config-encryption

  Example:
  router(config)# service private-config-encryption

  Enables the Secure Storage feature on the platform.

Step 3: do write memory

  Example:
  router(config)# do write memory

  Saves the running configuration to the startup configuration. The private-config file, which holds the secrets, is written in encrypted form at this point; until the configuration is saved, the file on the device stays in whatever form it was last written. The do prefix runs this privileged EXEC command without leaving configuration mode.

Example

The following example shows how to enable Secure Storage:

router# configure terminal
router(config)# service private-config-encryption
router(config)# do write memory

Disable secure storage

Procedure

Step 1: configure terminal

  Example:
  router# configure terminal

  Enters global configuration mode.

Step 2: no service private-config-encryption

  Example:
  router(config)# no service private-config-encryption

  Disables the Secure Storage feature on the platform.

Step 3: do write memory

  Example:
  router(config)# do write memory

  Saves the running configuration to the startup configuration and rewrites the private-config file in plain-text format. From this point the secrets it holds are stored unencrypted until the feature is re-enabled and the configuration is saved again.

Example

The following example shows how to disable Secure Storage:

router# configure terminal
router(config)# no service private-config-encryption
router(config)# do write memory

Verify the status of encryption

Use the show parser encrypt file status command to verify the status of encryption. The following output indicates that the feature is enabled but the private-config file has not yet been written in encrypted form: it is still in plain-text format. This is the state after service private-config-encryption has been configured but before write memory has been run, so Feature: Enabled on its own does not mean the secrets are protected at rest.

router# show parser encrypt file status
Feature: Enabled
File Format: Plain Text
Encryption Version: Ver1

The following output indicates that the feature is enabled and the private-config file is encrypted: it is in cipher-text format. This is the expected state after write memory.

router# show parser encrypt file status
Feature: Enabled
File Format: Cipher Text
Encryption Version: Ver1

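When the command output is collected from many devices, the two forms shown above can be classified mechanically so that a device reporting Feature: Enabled with a plain-text file is flagged rather than counted as compliant. The script below is an added example, not Cisco code or part of the original page: it parses the Key: Value lines of the output and returns a verdict per device. The two enabled samples are the outputs shown on this page; the Feature: Disabled sample is constructed as an assumption about what a platform without the feature prints, since the page shows only the enabled forms.

```python
"""Classify 'show parser encrypt file status' output collected from routers.
Added example, not Cisco code. The 'plain' and 'cipher' samples are the two
outputs shown on the page; 'disabled' is constructed (assumed output form)."""


def parse_status(output):
    """Turn the 'Key: Value' lines of the command output into a lower-cased dict.
    The prompt line has no colon and is skipped automatically."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(output):
    """Return (encrypted, verdict). Only Enabled + Cipher Text means the
    private-config is encrypted on the device; Enabled + Plain Text means the
    feature was turned on but 'write memory' has not rewritten the file yet."""
    f = parse_status(output)
    feature = f.get("feature", "").lower()
    fmt = f.get("file format", "").lower()
    if feature != "enabled":
        return False, "secure storage is disabled or unsupported on this platform"
    if fmt == "cipher text":
        return True, "private-config is encrypted (version %s)" % f.get("encryption version", "?")
    if fmt == "plain text":
        return False, "feature enabled but private-config still plain text: run 'write memory'"
    return False, "unrecognised file format: %r" % fmt


# Sample outputs: the first two are copied from the page, the third is constructed.
SAMPLES = {
    "plain": (
        "router#show parser encrypt file status\n"
        "Feature: Enabled\n"
        "File Format: Plain Text\n"
        "Encryption Version: Ver1\n"
    ),
    "cipher": (
        "router#show parser encrypt file status\n"
        "Feature: Enabled\n"
        "File Format: Cipher Text\n"
        "Encryption Version: Ver1\n"
    ),
    "disabled": (  # assumed form for a platform with the feature off
        "router#show parser encrypt file status\n"
        "Feature: Disabled\n"
    ),
}


def audit(samples=SAMPLES):
    """Map each device or sample name to its (encrypted, verdict) classification."""
    return {name: classify(out) for name, out in samples.items()}


if __name__ == "__main__":
    for name, (ok, verdict) in audit().items():
        print("%-9s %s %s" % (name, "OK " if ok else "FIX", verdict))
```

In a fleet audit, feed audit() a dict keyed by hostname with the captured output of each device; any entry whose first element is False needs attention, and the verdict string says whether the fix is enabling the feature or simply saving the configuration.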
Verify the platform identity

Use the show platform sudi certificate command to display the SUDI certificate chain in standard PEM format. The command output helps you verify the platform identity. The optional sign nonce keywords, used in the example below, make the device also sign the displayed certificates together with the nonce you supply, using the SUDI private key; use a fresh random nonce for every query so that a recorded response from another time or another device cannot be replayed, and check the signature against the SUDI certificate only after validating the chain up to the root.

In the command output, the first certificate is the Cisco Root CA 2048, the second is the Cisco subordinate CA (ACT2 SUDI CA), and the third is the SUDI certificate of the device. Only the first certificate of the chain is reproduced below.

router#show platform sudi certificate sign nonce 123
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----
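The root certificate printed above can be inspected offline before it is trusted as the anchor of a SUDI chain. The script below is an added example, not Cisco code or part of the original page: it decodes the PEM with a minimal DER walker written against the Python standard library, extracts the fields a chain verifier relies on (serial, issuer and subject, validity window, RSA modulus size and public exponent), checks that the outer SEQUENCE length matches the decoded data so a truncated or corrupted copy is caught, and verifies the self-signature under PKCS#1 v1.5 with SHA-1, which is the algorithm this root declares and the only one the example handles. It covers only the root because the subordinate CA and SUDI certificates are not reproduced on this page; the SHA-256 fingerprint it computes is meant to be compared with the value Cisco publishes, which is not assumed here.

```python
"""Parse and check the Cisco Root CA 2048 certificate printed on this page (stdlib only).
Added example, not Cisco code; assumes the PEM below is verbatim from the page and sha1WithRSA."""
import base64
import datetime
import hashlib

ROOT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----"""
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix for SHA-1
UTC = datetime.timezone.utc

def pem_to_der(pem):
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))

def tlv(buf, off=0):
    """Decode one DER TLV at buf[off:] -> (tag, value, offset just after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits say how many length octets follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def children(value):
    """Yield the (tag, value) pairs packed inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, off = tlv(value, off)
        yield tag, val

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_name(value):
    """X.501 Name -> {dotted OID: string}; CN is 2.5.4.3, O is 2.5.4.10."""
    return {decode_oid(oid): text.decode("ascii", "replace")
            for _, rdn in children(value) for _, atv in children(rdn)
            for (_, oid), (_, text) in [tuple(children(atv))]}

def utctime(raw):
    return datetime.datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_certificate(der):
    """Pull the fields a chain verifier needs out of a DER certificate."""
    tag, cert, end = tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE does not span the data: PEM truncated or corrupted")
    _, tbs, tbs_end = tlv(cert)  # TBSCertificate; its raw bytes are what the signature covers
    _, _, alg_end = tlv(cert, tbs_end)
    _, sig_bits, _ = tlv(cert, alg_end)
    f = list(children(tbs))
    if f[0][0] == 0xA0:  # drop the [0] EXPLICIT version so f[0] is the serial, as in a v1 cert
        f.pop(0)
    (_, nb), (_, na) = children(f[3][1])  # Validity {notBefore, notAfter} as UTCTime
    _, key_bits = list(children(f[5][1]))[1]  # SubjectPublicKeyInfo.subjectPublicKey
    (_, n), (_, e) = children(next(children(key_bits[1:]))[1])  # RSAPublicKey {n, e}
    return {"serial": f[0][1].hex(), "sig_alg": decode_oid(next(children(f[1][1]))[1]),
            "issuer": decode_name(f[2][1]), "subject": decode_name(f[4][1]),
            "not_before": utctime(nb), "not_after": utctime(na),
            "modulus": int.from_bytes(n, "big"), "exponent": int.from_bytes(e, "big"),
            "tbs_der": cert[:tbs_end], "signature": int.from_bytes(sig_bits[1:], "big"),
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}

def verify_self_signature(info):
    """PKCS#1 v1.5 check of the signature with the certificate's own RSA key (self-signed root)."""
    if info["sig_alg"] != SHA1_WITH_RSA:
        raise ValueError("unsupported signature algorithm " + info["sig_alg"])
    n, k = info["modulus"], (info["modulus"].bit_length() + 7) // 8
    em = pow(info["signature"], info["exponent"], n).to_bytes(k, "big")
    digest = hashlib.sha1(info["tbs_der"]).digest()
    padding = b"\xff" * (k - 3 - len(SHA1_DIGESTINFO) - len(digest))
    return em == b"\x00\x01" + padding + b"\x00" + SHA1_DIGESTINFO + digest

if __name__ == "__main__":
    info = parse_certificate(pem_to_der(ROOT_CA_PEM))
    print(info["subject"], info["serial"], info["not_before"], info["not_after"], info["sha256_fingerprint"])
    print("self-issued:", info["subject"] == info["issuer"], "self-signature:", verify_self_signature(info))
```

Run it as a script to print the summary. The same checks belong in whatever tool consumes the command output on the management side: pin the root by its fingerprint, walk the chain from the SUDI certificate up to that root, and only then verify the signature over the nonce you supplied.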