Use this command to set an encrypted password.
Syntax
[no]encrypted-password
<manager|
operator|
port-access>
[user-name
user-name
]encrypted-password-string
A security risk is present when credentials used for authentication to remote devices such as RADIUS or TACACS+ servers are displayed in the configuration file in plain text. The encrypt-credentials
command allows the storing, displaying, and transferring of credentials in encrypted form.
When the encrypt-credentials feature is enabled, the affected credentials are encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HP networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration.
Additionally, you can set a separate, 256-bit pre-shared key, however, you must now set the pre-shared key on the destination device before transferring the configuration. The pre-shared key on the destination device must be identical to the pre-shared key on the source device or the affected security credentials are not be usable. This key is only accessible using the CLI, and is not visible in any file transfers.
|
|
NOTE: It is expected that plaintext passwords will continue to be used for configuring the switch. The encrypted credentials option is available primarily for the backup and restore of configurations. |
|
|
Only the aes-256-cbc encryption type is available.
To enable encrypt-credentials
, enter this command.
Syntax
When
encrypt-credentials
is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration.The
[no]
form of the command disables theencrypt-credentials
feature. If specified withpre-shared-key
option, clears thepreshared- key
used to encrypt credentials.
NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <keystring>is prompted for interactively. For more information, see Secure Mode (3800, 5400zl, and 8200zl Switches).
When encrypt-credentials
is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.
To display whether encrypt-credentials
is enabled or disabled, enter the show encrypt-credentials
command. This command is available only from the manager context.
Several commands have encryption available for configuration.
Affected commands
Existing Command | New Equivalent Option |
---|---|
HP Switch(config)# radius-server key secret1 |
HP Switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# radius-server host 10.0.0.1 key secret1 |
HP Switch(config)# radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA q+s5cV1NiYvx+TuA= |
HP Switch(config)# tacacs-server key secret1 |
HP Switch(config)# tacacs-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# tacacs-server host 10.0.0.1 key secret1 |
HP Switch(config)# tacacs-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/ q+s5cV1NiYvx+TuA= |
HP Switch(config)# key-chain example key 1 key-string secret1 |
HP Switch(config)# key-chain example key 1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/ q+s5cV1NiYvx+TuA= |
HP Switch(config)# aaa port-access supplicant 24 secret secret1 |
HP Switch(config)# aaa port-access supplicant 24 identity id1 encrypted-secret secret1 U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# sntp authentication key-id 33 authentication-mode md5 key-value secret1 |
HP Switch(config)# sntp authentication key-id 33 authentication-mode md5 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |
HP Switch(config)# password manager plaintext secret1 |
HP Switch(config)# encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= |