Enabling Encrypt-Credentials

To enable encrypt-credentials, enter this command.

Syntax

[no] encrypt-credentials [ pre-shared-key < plaintext | hex > ]

When encrypt-credentials is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration.

The [no] form of the command disables the encrypt-credentials feature. If specified with pre-shared-key option, clears the preshared- key used to encrypt credentials.

NOTE:

When the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <keystring> is prompted for interactively. For more information, see Secure mode(FIPS).

pre-shared-key

When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, a switch default AES key is used.

Default

switch default AES key

plaintext

Set the key using plaintext.

hex

Set the key as a 64 hexadecimal character string (32 bytes). You must enter 64 hexadecimal digits to set this key.

When encrypt-credentials is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.

Enabling encrypt credentials with caution message
Example of creating a pre-shared key in plaintext
Example of creating a pre-shared key in hex