Enabling encrypt-credentials

To enable encrypt-credentials, enter this command.


[no] encrypt-credentials [pre-shared-key <plaintext|hex>]

When encrypt-credentials is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration.

The [no] form of the command disables the encrypt-credentials feature. If specified with the pre-shared-key option, it clears the pre-shared key used to encrypt credentials.

pre-shared-key: When specified, sets the pre-shared key that is used for all AES encryption. If no key is set, a switch default AES key is used.

Default: switch default AES key

plaintext: Set the key using plaintext.

hex: Set the key as a 64 hexadecimal character string (32 bytes). You must enter 64 hexadecimal digits to set this key.

When encrypt-credentials is enabled without any parameters, a caution message is displayed advising you about the effect of the feature on prior software versions and the recommended actions. All forms of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.

Enabling encrypt-credentials with caution message

switch(config)# encrypt-credentials

                      **** CAUTION ****

This will encrypt all passwords and authentication keys.

The encrypted credentials will not be understood by older software versions.
The resulting config file cannot be used by older software versions.
It may also break some of your existing user scripts.

Before proceeding, please save a copy of your current config file, and associate
the current config file with the older software version saved in flash memory.
See “Best Practices for Software Updates” in the Release Notes.

A config file with ‘encrypt-credentials’ may prevent previous software versions
from booting. It may be necessary to reset the switch to factory defaults. To
prevent this, remove the encrypt-credentials command or use an older config file.

Save config and continue [y/n]? y

Creating a pre-shared-key in plaintext

switch(config)# encrypt-credentials pre-shared-key plaintext SecretKey1

Save config and continue [y/n]? y

Creating a pre-shared key in hex

switch(config)# encrypt-credentials pre-shared-key hex

Save config and continue [y/n]? y
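
The hex option accepts only a string of exactly 64 hexadecimal digits (32 bytes). The following is an added example, not part of the original documentation or the switch software: a Python helper run on an administrator workstation that draws a 32-byte key from the operating system's random source, checks a candidate key against the 64-digit rule, and builds the command line shown above. The function names and the two weak-key checks are assumptions of this example, not switch behaviour.

```python
import secrets
import string

KEY_HEX_DIGITS = 64  # 32 bytes, the length the hex option requires


def generate_hex_key():
    """Return 32 bytes from the OS CSPRNG as 64 lowercase hex digits."""
    return secrets.token_hex(KEY_HEX_DIGITS // 2)


def validate_hex_key(candidate):
    """Return a list of problems; an empty list means the key is acceptable."""
    problems = []
    if len(candidate) != KEY_HEX_DIGITS:
        problems.append(f"length is {len(candidate)}, need {KEY_HEX_DIGITS}")
    bad = sorted(set(candidate) - set(string.hexdigits))
    if bad:
        problems.append(f"non-hex characters: {''.join(bad)!r}")
    # Local policy (assumption of this example, not a switch rule):
    # reject keys that are well-formed but obviously hand-typed.
    if not problems:
        if len(set(candidate.lower())) < 8:
            problems.append("too few distinct digits")
        half = KEY_HEX_DIGITS // 2
        if candidate[:half] == candidate[half:]:
            problems.append("second half repeats the first")
    return problems


def build_command(hex_key):
    """Return the CLI line for a validated key, or raise ValueError."""
    problems = validate_hex_key(hex_key)
    if problems:
        raise ValueError("; ".join(problems))
    return f"encrypt-credentials pre-shared-key hex {hex_key}"


if __name__ == "__main__":
    # Prints a ready-to-paste command with a freshly generated key.
    print(build_command(generate_hex_key()))
```

The generated key is the secret that protects every encrypted credential in the configuration, so store it in a password vault rather than in shell history or a ticket.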