Encrypting credentials in the configuration file

A security risk is present when credentials used for authentication to remote devices such as RADIUS or TACACS+ servers are displayed in the configuration file in plain text. The encrypt-credentials command allows the storing, displaying, and transferring of credentials in encrypted form.

When the encrypt-credentials feature is enabled, the affected credentials will be encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HP networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration.

Additionally, you can set a separate 256-bit pre-shared key; however, you must then set the same pre-shared key on the destination device before transferring the configuration. The pre-shared key on the destination device must be identical to the pre-shared key on the source device or the affected security credentials will not be usable. This key is only accessible using the CLI, and is not visible in any file transfers.

NOTE: It is expected that plaintext passwords will continue to be used for configuring the switch. The encrypted credentials option is available primarily for the backup and restore of configurations.


Only the aes-256-cbc encryption type is available.

Enabling encrypt-credentials

To enable encrypt-credentials, enter this command.

Syntax:

[no] encrypt-credentials [pre-shared-key <plaintext|hex>]

When encrypt-credentials is enabled without any parameters, it enables the encryption of relevant security parameters in the configuration.

The [no] form of the command disables the encrypt-credentials feature. If specified with the pre-shared-key option, it clears the pre-shared key used to encrypt credentials.

pre-shared-key: When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, an HP switch default AES key is used.

Default: HP switch default AES key

plaintext: Set the key using plaintext.

hex: Set the key as a 64 hexadecimal character string (32 bytes). You must enter 64 hexadecimal digits to set this key.

When encrypt-credentials is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.

Enabling encrypt-credentials with caution message

HP Switch(config)# encrypt-credentials

                      **** CAUTION ****

This will encrypt all passwords and authentication keys.

The encrypted credentials will not be understood by older software versions.
The resulting config file cannot be used by older software versions.
It may also break some of your existing user scripts.

Before proceeding, please save a copy of your current config file, and associate
the current config file with the older software version saved in flash memory.
See “Best Practices for Software Updates” in the Release Notes.

A config file with ‘encrypt-credentials’ may prevent previous software versions
from booting. It may be necessary to reset the switch to factory defaults. To
prevent this, remove the encrypt-credentials command or use an older config file.

Save config and continue [y/n]? y

Creating a pre-shared-key in plaintext

HP Switch(config)# encrypt-credentials pre-shared-key plaintext SecretKey1

Save config and continue [y/n]? y

Creating a pre-shared key in hex

HP Switch(config)# encrypt-credentials pre-shared-key hex
1234567891234567891234567891234567891234567891234567891234567891

Save config and continue [y/n]? y

Displaying the state of encrypt-credentials

To display whether encrypt-credentials is enabled or disabled, enter the show encrypt-credentials command. This command is available only from the manager context.

Status of encrypt-credentials when the pre-shared key has not been set

HP Switch(config)# show encrypt-credentials

 Encryption    : Disabled
 Pre-shared Key: None

Status of encrypt-credentials when the pre-shared key has been set

HP Switch(config)# show encrypt-credentials

 Encryption    : Disabled
 Pre-shared Key:
 055d7b3b6bc22d18d29533ba2b549b3991bc23b7cbfc8e5769bdcc9ec748af27

Affected commands

Several commands gain an encrypted option for configuring their credentials. The following table lists each existing plaintext form with its new encrypted equivalent.

Affected commands

Existing command:      HP Switch(config)# radius-server key secret1
New equivalent option: HP Switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# radius-server host 10.0.0.1 key secret1
New equivalent option: HP Switch(config)# radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# tacacs-server key secret1
New equivalent option: HP Switch(config)# tacacs-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# tacacs-server host 10.0.0.1 key secret1
New equivalent option: HP Switch(config)# tacacs-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# key-chain example key 1 key-string secret1
New equivalent option: HP Switch(config)# key-chain example key 1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# aaa port-access supplicant 24 secret secret1
New equivalent option: HP Switch(config)# aaa port-access supplicant 24 identity id1 encrypted-secret secret1 U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# sntp authentication key-id 33 authentication-mode md5 key-value secret1
New equivalent option: HP Switch(config)# sntp authentication key-id 33 authentication-mode md5 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Existing command:      HP Switch(config)# password manager plaintext secret1
New equivalent option: HP Switch(config)# encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=

Important operating notes

  • If you load a prior software version that does not contain the encrypt-credentials feature, it is important to back up the configuration and then execute the erase startup command on the switch. Features that have encrypted parameters configured will not work until those parameters are cleared and reconfigured.

  • HP recommends that when executing an encrypted-<option> command, you copy and paste the encrypted parameter from a known encrypted password that has been generated on the same switch or another switch with the same pre-shared key (whether user-specified or a default key). If an incorrectly encrypted parameter is used, it is highly likely that the decrypted version will contain incorrect characters, and neither key will function correctly or be displayed in any show command.
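An added check, not from the HP documentation, that applies the operating notes above to a configuration backup before it is transferred: it flags lines that still use the plaintext forms from the affected-commands table and sanity-checks the structure of every encrypted value. The structural check is an inference from the sample values on this page, which base64-decode to the 8-byte header "Salted__", an 8-byte salt and one 16-byte AES-CBC block; the switch's own key derivation is not described here. All function names and the sample configuration are constructed for this example.

```python
import base64, binascii, re

# Plaintext forms from the "Affected commands" table, each paired with its encrypted option.
PLAINTEXT_FORMS = [
    (r"^radius-server (host \S+ )?key ", "encrypted-key"),
    (r"^tacacs-server (host \S+ )?key ", "encrypted-key"),
    (r"^key-chain \S+ key \d+ key-string ", "encrypted-key"),
    (r"^aaa port-access supplicant \d+ secret ", "encrypted-secret"),
    (r"^sntp authentication key-id \d+ authentication-mode \S+ key-value ", "encrypted-key"),
    (r"^password \S+ plaintext ", "encrypted-password"),
]
# Captures the last token of a line that carries one of the encrypted options.
ENCRYPTED_VALUE = re.compile(r"\bencrypted-(?:key|secret|password)\b.*\s(\S+)$")

def check_encrypted_value(blob):
    """Structural check of a value before it is pasted into an encrypted-<option> command.
    Inferred from this page's samples: base64 of 'Salted__' + 8-byte salt + whole AES blocks."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    if not raw.startswith(b"Salted__") or len(raw) < 32:
        return "missing Salted__ header or too short"
    if (len(raw) - 16) % 16:
        return "ciphertext is not a whole number of AES blocks"
    return "ok"

def audit_config(config_text):
    """Return (line number, problem) for plaintext credentials and malformed encrypted values."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()  # switch configs indent most commands
        for pattern, option in PLAINTEXT_FORMS:
            if re.match(pattern, line):
                findings.append((n, "plaintext credential; use " + option))
                break
        else:  # no plaintext form matched: inspect an encrypted value if present
            m = ENCRYPTED_VALUE.search(line)
            if m and check_encrypted_value(m.group(1)) != "ok":
                findings.append((n, "encrypted value " + check_encrypted_value(m.group(1))))
    return findings

# Constructed sample: one good encrypted value, two plaintext keys, one truncated value.
SAMPLE_CONFIG = """\
encrypt-credentials
radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
tacacs-server key secret1
sntp authentication key-id 33 authentication-mode md5 key-value secret1
encrypted-password manager U2FsdGVkX18XWadTeFN+bxHxKA
"""
```

Run `audit_config(SAMPLE_CONFIG)` against a saved config to get a list of line numbers to fix before the file leaves the switch.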

Interaction with include-credentials settings

The following table shows the interaction between include-credentials settings and encrypt-credentials settings when displaying or transferring the configuration.

Interactions between credential settings

Include-credentials   Include-credentials   Encrypt-credentials   Resulting behavior
active                enabled               enabled               for sensitive data
No                    No                    No                    Hidden (default) [a]
No                    No                    Yes                   Shown, encrypted
No                    Yes                   No                    n/a
No                    Yes                   Yes                   n/a
Yes                   No                    No                    Hidden
Yes                   No                    Yes                   Shown, encrypted
Yes                   Yes                   No                    Shown, plaintext
Yes                   Yes                   Yes                   Shown, encrypted

[a] Notes for RADIUS/TACACS keys when the Include-Credentials settings are in the Factory Default state:

In the Factory Default state, the RADIUS/TACACS keys will be displayed with show config commands but will not be transferred to the file server. In the Factory Default state, the RADIUS/TACACS keys will be copied to a switch stored configuration file (one per stored configuration).