A security risk is present when credentials used for authentication to remote devices such as RADIUS or TACACS+ servers are displayed in the configuration file in plain text. The encrypt-credentials
command allows the storing, displaying, and transferring of credentials in encrypted form.
When the encrypt-credentials feature is enabled, the affected credentials will be encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HP networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration.
Additionally, you can set a separate, 256-bit pre-shared key, however, you must now set the pre-shared key on the destination device before transferring the configuration. The pre-shared key on the destination device must be identical to the pre-shared key on the source device or the affected security credentials will not be usable. This key is only accessible using the CLI, and is not visible in any file transfers.
|
|
NOTE: It is expected that plaintext passwords will continue to be used for configuring the switch. The encrypted credentials option is available primarily for the backup and restore of configurations. |
|
|
Only the aes-256-cbc encryption type is available.
To enable encrypt-credentials
, enter this command.
Syntax:
When
encrypt-credentials
is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration.The
[no]
form of the command disables theencrypt-credentials
feature. If specified withpre-shared-key
option, clears thepreshared- key
used to encrypt credentials.
pre-shared-key
: When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, an HP switch default AES key is used.
When encrypt-credentials
is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save
after encrypting or re-encrypting sensitive data in the configuration.
Enabling encrypt-credentials with caution message
HP Switch(config)# encrypt-credentials **** CAUTION **** This will encrypt all passwords and authentication keys. The encrypted credentials will not be understood by older software versions. The resulting config file cannot be used by older software versions. It may also break some of your existing user scripts. Before proceeding, please save a copy of your current config file, and associate the current config file with the older software version saved in flash memory. See “Best Practices for Software Updates” in the Release Notes. A config file with ‘encrypt-credentials’ may prevent previous software versions from booting. It may be necessary to reset the switch to factory defaults. To prevent this, remove the encrypt-credentials command or use an older config file. Save config and continue [y/n]? y
To display whether encrypt-credentials
is enabled or disabled, enter the show encrypt-credentials
command. This command is available only from the manager context.
Several commands will have encryption available for configuration.
Affected commands
Existing command | New equivalent option |
---|---|
HP Switch(config)# radius-server key secret1 |
HP Switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# radius-server host 10.0.0.1 key secret1 |
HP Switch(config)# radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA q+s5cV1NiYvx+TuA= |
HP Switch(config)# tacacs-server key secret1 |
HP Switch(config)# tacacs-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# tacacs-server host 10.0.0.1 key secret1 |
HP Switch(config)# tacacs-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/ q+s5cV1NiYvx+TuA= |
HP Switch(config)# key-chain example key 1 key-string secret1 |
HP Switch(config)# key-chain example key 1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/ q+s5cV1NiYvx+TuA= |
HP Switch(config)# aaa port-access supplicant 24 secret secret1 |
HP Switch(config)# aaa port-access supplicant 24 identity id1 encrypted-secret secret1 U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# sntp authentication key-id 33 authentication-mode md5 key-value secret1 |
HP Switch(config)# sntp authentication key-id 33 authentication-mode md5 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# password manager plaintext secret1 |
HP Switch(config)# encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
-
If you load a prior software version that does not contain the encrypt-credentials feature, it is important to back up the configuration and then execute the
erase startup
command on the switch. Features that have encrypted parameters configured will not work until those parameters are cleared and reconfigured. -
HP recommends that when executing an
encrypted-<option>
command, you copy and paste the encrypted parameter from a known encrypted password that has been generated on the same switch or another switch with the same pre-shared key (whether user-specified or a default key). If an incorrectly encrypted parameter is used, it is highly likely that the decrypted version will contain incorrect characters, and neither key will function correctly or be displayed in anyshow
command.
The following table shows the interaction between include-credentials
settings and encrypt-credentials
settings when displaying or transferring the configuration.
Interactions between credential settings
Include-credentials active | Include-credentials enabled | Encrypt-credentials enabled | Resulting behavior for sensitive data |
---|---|---|---|
Hidden (default) [a] | |||
Yes | Shown, encrypted | ||
Yes | n/a | ||
Yes | Yes | n/a | |
Yes | Hidden | ||
Yes | Yes | Shown, encrypted | |
Yes | Yes | Shown, plaintext | |
Yes | Yes | Yes | Shown, encrypted |
[a] Notes for RADIUS/TACACS keys when the Include-Credentials settings are in the Factory Default state: In the Factory Default state, the RADIUS/TACACS keys will be displayed with show config commands but will not be transferred to the file server.In the Factory Default state, the RADIUS/TACACS keys will be copied to a switch stored configuration file (one per stored configuration). |