Security Management

The Cisco UCS Manager 4.3(5a) release introduces the Security Management tab in the Admin section. This section aims to offer multiple security management options to protect sensitive data and ensure network integrity. The tab currently includes Encryption Management and assists administrators in effectively managing security settings.

Encryption Management

Complementing the Security Management enhancements, Cisco introduces Encryption Management. This feature ensures that the management sessions are encrypted to prevent unauthorized access.

AES Encryption Management

The Cisco UCS Manager 4.3(5a) release introduces the AES Encryption Master Key option for Cisco UCS 6536, 6454, and 64108 Fabric Interconnects. With the Cisco UCS Manager 6.0(1b) release, this support is extended to Cisco UCS 6664 and X-Series Direct Fabric Interconnects. This feature provides encryption capabilities to protect sensitive data, enabling administrators to manage encryption settings effectively and ensure data security and compliance with encryption standards.

Creating AES Encryption

Advanced Encryption Standard (AES) is a widely used encryption standard designed to secure data. AES is considered a more secure encryption algorithm and supports 128-bit or 256-bit keys.

Note

You can use AES Encryption (Type 6) to secure key strings for authenticating MACsec sessions. For more information, see the Creating a MACsec Key section under Configuring a MACsec in the Network Management Guide.
To create AES Encryption, do the following:

Procedure


Step 1

In the Navigation pane, click Admin.

Step 2

Navigate to Security Management > Encryption Management > AES Encryption.

Step 3

In the Actions area, click Create AES Encryption.

Step 4

In the Create AES Encryption dialog box, complete the following fields:

Name

Description

Master Key

Enter the primary key for AES encryption.

Note

  • The master key length must be between 16 and 64 characters.

  • The master key cannot contain a combination of double quote ("), single quote ('), and space ( ).

  • The first and second characters of the master key cannot be a combination of single quote (') and double quote (").

Confirm Master Key

Re-enter the primary key to confirm it matches the Master Key.

Step 5

Click OK.


Updating the Master Key

Modifying the master key for AES encryption means replacing the primary key that is currently configured.

Procedure


Step 1

In the Navigation pane, click Admin.

Step 2

Navigate to Security Management > Encryption Management > AES Encryption.

Step 3

In the Properties area, update the existing entries in the following fields:

Name

Description

Master Key

Modify the primary key used for AES encryption.

Note

  • The master key length must be between 16 and 64 characters.

  • The master key cannot contain a combination of double quote ("), single quote ('), and space ( ).

  • The first and second characters of the master key cannot be a combination of single quote (') and double quote (").

Master Key Set

Displays Yes once the Master Key field is set, indicating that the primary key is configured.

Confirm Master Key

Re-enter the primary key to confirm it matches the Master Key.

Step 4

Click Save Changes to confirm the master key update.


Delete AES Encryption

Deleting the AES encryption involves the removal of encryption keys and disabling the encryption mechanism that uses the Advanced Encryption Standard (AES) to secure data.

To delete AES Encryption, do the following:

Procedure


Step 1

In the Navigation pane, click Admin.

Step 2

Navigate to Security Management > Encryption Management > AES Encryption.

Step 3

In the Actions area, click the Delete AES Encryption link.

Step 4

Click Save Changes to confirm deletion.


Managing AES Master Key for Type-6 Encryption

To ensure the security of Type-6 keys, it is crucial that these keys are not included in backups. This prevents the possibility of restoring the keys to another system, which could compromise security. Cisco NX-OS is designed with this in mind, as it does not export the AES encryption key in the running configuration export. Therefore, even if the NX-OS running configuration is exported to another device, the Type-6 keys will not pose a security risk if the AES encryption key is not pre-configured on that device.

  • Secure Configuration Exports: Type-6 AES encryption keys remain secure and are not inadvertently exposed during configuration exports and imports.

  • AES Master Key Export: The AES master key is not included when exporting configurations in Cisco UCS Manager.

  • Importing Configurations: The deployment FSM in UCSM will fail and raise a critical fault if AES encryption is not configured. A message will prompt the user to configure AES encryption.

  • Post-Configuration: Once AES encryption is configured, the deployment FSM will successfully configure the Type-6 keys.

Updating AES Encryption Key:

When updating the AES Master Key, the corresponding Type-6 MACsec keys also need to be updated, because each Type-6 key is derived from the master key that was in effect when it was created. The new Type-6 MACsec key must be derived from the new AES Master Key.

  1. Configure a fallback key. The fallback key can be a Type-0, Type-7, or Type-6 key, depending on user preference.

     Note

     If a Type-6 key is used for fallback, ensure the Type-6 key is derived from the new master key.

  2. Update the master key.

  3. Delete the Type-6 MACsec key that was encrypted using the old master key.

  4. Create a new Type-6 MACsec key, encrypted using the new master key, with the same Key ID.
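The following added example (not Cisco code, and not Cisco's actual Type-6 algorithm) models the dependency described above: a MACsec key wrapped under one master key is unusable under another, so after updating the master key each Type-6 entry must be recreated under the same Key ID. The master key rules are taken from the Create AES Encryption dialog; the HMAC-based derivation and keystream, the `wrap`/`unwrap`/`rotate` helpers and the sample CAK are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MASTER_KEY_LEN = (16, 64)   # length limits stated in the Create AES Encryption dialog
FORBIDDEN = set("\"' ")     # double quote, single quote and space, per the dialog notes

def validate_master_key(master_key: str) -> None:
    """Apply the dialog's master key rules (strict reading: no quotes or spaces at all)."""
    if not MASTER_KEY_LEN[0] <= len(master_key) <= MASTER_KEY_LEN[1]:
        raise ValueError("master key must be 16 to 64 characters")
    if FORBIDDEN & set(master_key):
        raise ValueError("master key must not contain quotes or spaces")

def wrapping_key(master_key: str) -> bytes:
    # Model only (hypothetical KDF): the real Type-6 derivation is not documented on this page.
    return hmac.new(b"type6-model-kdf", master_key.encode(), hashlib.sha256).digest()

def wrap(master_key: str, key_id: str, cak: bytes) -> Dict[str, bytes]:
    """Produce a Type-6 style blob: the CAK is recoverable only with this master key."""
    assert len(cak) <= 32, "toy keystream covers at most 32 bytes"
    k = wrapping_key(master_key)
    nonce = secrets.token_bytes(16)
    stream = hmac.new(k, b"enc" + nonce, hashlib.sha256).digest()   # toy keystream
    ct = bytes(a ^ b for a, b in zip(cak, stream))
    tag = hmac.new(k, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(master_key: str, key_id: str, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Return the CAK, or None when the blob was wrapped under a different master key."""
    k = wrapping_key(master_key)
    expect = hmac.new(k, key_id.encode() + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None   # this is the situation the deployment FSM flags as a critical fault
    stream = hmac.new(k, b"enc" + blob["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))

def rotate(store: Dict[str, Dict[str, bytes]], old_master: str, new_master: str):
    """Steps 2-4 of the procedure: new master, drop old blobs, recreate them under the same Key IDs."""
    validate_master_key(new_master)
    rotated = {}
    for key_id, blob in store.items():
        cak = unwrap(old_master, key_id, blob)
        if cak is None:
            raise RuntimeError(f"Key ID {key_id}: blob was not derived from the old master key")
        rotated[key_id] = wrap(new_master, key_id, cak)   # same Key ID, new master key
    return rotated

# Constructed sample data: one 32-byte MACsec CAK stored under Key ID "01"
OLD_MASTER, NEW_MASTER = "OldMasterKey-2024-rotate", "NewMasterKey-2025-rotate"
SAMPLE_CAK = bytes(range(32))
STORE = {"01": wrap(OLD_MASTER, "01", SAMPLE_CAK)}
```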