Setting an encrypted password

Use this command to set an encrypted password.

Syntax

[no] encrypted-password < manager| operator| port-access > [ user-name user-name ] encrypted-password-string

Set a local password using an encrypted password string.

encrypted-password-string

Creates a password as a base64-encoded aes256-encrypted string.

Creating an encrypted password

Encrypting credentials in the configuration file

A security risk is present when credentials used for authentication to remote devices such as RADIUS or TACACS+ servers are displayed in the configuration file in plain text. The encrypt-credentials command allows the storing, displaying, and transferring of credentials in encrypted form.

When the encrypt-credentials feature is enabled, the affected credentials are encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HPE networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration.

Additionally, you can set a separate 256-bit pre-shared key; however, you must then set the same pre-shared key on the destination device before transferring the configuration. The pre-shared key on the destination device must be identical to the pre-shared key on the source device, or the affected security credentials will not be usable. This key is only accessible using the CLI and is not visible in any file transfers.


NOTE: It is expected that plaintext passwords will continue to be used for configuring the switch. The encrypted credentials option is available primarily for the backup and restore of configurations.


Only the aes-256-cbc encryption type is available.

Enabling Encrypt-Credentials

To enable encrypt-credentials, enter this command.

Syntax
[no] encrypt-credentials [ pre-shared-key < plaintext | hex > ]

When encrypt-credentials is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration.

The [no] form of the command disables the encrypt-credentials feature. If specified with the pre-shared-key option, it clears the pre-shared key used to encrypt credentials.


NOTE: For the 3800 and 5400zl switches, when the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <keystring> is prompted for interactively. For more information, see Secure Mode (3800, 3810, 5400zl, and 8200zl Switches).


pre-shared-key

When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, a switch default AES key is used.

Default

switch default AES key

plaintext

Set the key using plaintext.

hex

Set the key as a 64 hexadecimal character string (32 bytes). You must enter 64 hexadecimal digits to set this key.

When encrypt-credentials is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.

Enabling encrypt credentials with caution message

Example of creating a pre-shared key in plaintext

Example of creating a pre-shared key in hex

Displaying the state of encrypt-credentials

To display whether encrypt-credentials is enabled or disabled, enter the show encrypt-credentials command. This command is available only from the manager context.

Example of status of encrypt-credentials when the pre-shared key has not been set

Example of status of encrypt-credentials when the pre-shared key has been set

Affected commands

Several commands have encryption available for configuration.

Affected commands

Existing command:
  switch(config)# radius-server key secret1
New equivalent option:
  switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# radius-server host 10.0.0.1 key secret1
New equivalent option:
  switch(config)# radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# tacacs-server key secret1
New equivalent option:
  switch(config)# tacacs-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# tacacs-server host 10.0.0.1 key secret1
New equivalent option:
  switch(config)# tacacs-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# key-chain example key 1 key-string secret1
New equivalent option:
  switch(config)# key-chain example key 1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# aaa port-access supplicant 24 secret secret1
New equivalent option:
  switch(config)# aaa port-access supplicant 24 identity id1 encrypted-secret secret1 U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# sntp authentication key-id 33 authentication-mode md5 key-value secret1
New equivalent option:
  switch(config)# sntp authentication key-id 33 authentication-mode md5 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:
  switch(config)# password manager plaintext secret1
New equivalent option:
  switch(config)# encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
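As an added audit example (not part of the HPE documentation or the switch software), the Python below walks a constructed config fragment, flags lines that still carry one of the plaintext credential forms from the table above, and sanity-checks each encrypted-key / encrypted-secret / encrypted-password value as base64 whose decoded payload fits whole aes-256-cbc blocks. The 'Salted__' header check is an observation about the page's sample strings (they decode to the OpenSSL enc container: 8-byte magic, 8-byte salt, ciphertext), not a format the page documents; the regexes and SAMPLE_CONFIG are assumptions of this example.

```python
import base64
import re

# Constructed config fragment (not a real device dump) mixing plaintext and encrypted table forms.
SAMPLE_CONFIG = """\
radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
key-chain example key 1 key-string secret1
sntp authentication key-id 33 authentication-mode md5 key-value secret1
encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
password manager plaintext secret1
"""
# The credential is the last token; the keyword before it is a plaintext form
# from the table (key, key-string, ...) or one of the encrypted- replacements.
PLAINTEXT_RE = re.compile(r"(?:^|\s)(?:key|key-string|key-value|secret|plaintext)\s+(\S+)$")
ENCRYPTED_RE = re.compile(r"(?:encrypted-key|encrypted-secret|encrypted-password\s+\S+)\s+(\S+)$")
SALTED_MAGIC = b"Salted__"  # OpenSSL enc header; the page's sample strings decode to it

def classify_line(line):
    """Return ('plaintext', secret), ('encrypted', blob) or None."""
    line = line.strip()
    m = ENCRYPTED_RE.search(line)
    if m:
        return "encrypted", m.group(1)
    m = PLAINTEXT_RE.search(line)
    return ("plaintext", m.group(1)) if m else None

def inspect_blob(blob):
    """Decode a blob; aes-256-cbc output must be whole 16-byte blocks. The
    'Salted__' + 8-byte salt header is observed in the sample, not documented."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"valid_base64": False, "block_aligned": False}
    salted = raw.startswith(SALTED_MAGIC)
    body = raw[16:] if salted else raw
    return {"valid_base64": True, "salted": salted, "length": len(raw),
            "salt_hex": raw[8:16].hex() if salted else None,
            "block_aligned": len(body) > 0 and len(body) % 16 == 0}

def audit_config(text):
    """Line numbers still holding plaintext credentials, plus malformed blobs."""
    report = {"plaintext": [], "encrypted": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify_line(line)
        if kind and kind[0] == "plaintext":
            report["plaintext"].append(lineno)
        elif kind:
            ok = inspect_blob(kind[1])["block_aligned"]
            report["encrypted" if ok else "malformed"].append(lineno)
    return report
```

Run audit_config over a saved running-config before it leaves the device: any line number in "plaintext" is a credential that encrypt-credentials has not yet covered, and "malformed" catches blobs damaged in transfer (such as the line-wrapped strings in some copies of this table).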