Configuring Password Obfuscation in CLI Script and ini Files

You can enhance security by obfuscating passwords in the downloaded ini and CLI Script files, using a strong encryption algorithm. The encryption uses the AES-256 algorithm in CFB cipher mode with a random 16-bit initialization vector (IV) and an encryption key. This method offers robust protection of sensitive data.

Obscured passwords are displayed in the following syntax:

ini File: $2$<obfuscated password>

For example:

WSTunPassword = $2$8EGYm+FG+JJT/p8ZOytU64uplPMKcw==

CLI Script File: <obscured password>== encrypted

For example:

 password B55osyLT1t7+oorwkaNB3bxEX4Bl8g== encrypted

You can manually define the encryption key or you can trigger the device to automatically generate a key. If you want to configure the encryption key, it must be at least 32 characters long, and can contain a combination of the following characters:

Letters (A-Z and a-z)
Numbers (0-9)
Special characters (shown here separated by spaces; the comma itself is included): ! # $ % & ( ) * + , - . / < = > ? @ [ ] ^ _ ` { } ~
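As an added example (not part of the original documentation and not the device's own software), the following Python script checks a candidate encryption key against the rules above and audits downloaded ini and CLI Script files for password values that are not in the obfuscated form described earlier. The obfuscated values are the documentation's own examples; the sample file contents, the parameter names ExamplePassword and OtherPassword, and the value hunter2 are constructed for the demonstration.

```python
import base64
import re
import string

# Rules for a manually assigned encryption key, as stated in the documentation above.
KEY_MIN_LENGTH = 32
KEY_ALLOWED_SPECIALS = "!#$%&()*+,-./<=>?@[]^_`{}~"
KEY_ALLOWED = frozenset(string.ascii_letters + string.digits + KEY_ALLOWED_SPECIALS)

# Markers of an obfuscated password in each file type.
INI_OBFUSCATED = re.compile(r"^\$2\$(?P<blob>\S+)$")          # ini: $2$<blob>
CLI_OBFUSCATED = re.compile(r"^(?P<blob>\S+)\s+encrypted$")   # CLI Script: <blob> encrypted


def validate_encryption_key(key):
    """Return a list of rule violations; an empty list means the key is acceptable."""
    problems = []
    if len(key) < KEY_MIN_LENGTH:
        problems.append(f"key is {len(key)} characters, minimum is {KEY_MIN_LENGTH}")
    bad = sorted({c for c in key if c not in KEY_ALLOWED})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def _looks_base64(blob):
    """True if blob is well-formed base64, the form the obfuscated payload takes."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def _classify(value, pattern):
    """'obfuscated', 'malformed' (marker present, payload not base64) or 'cleartext'."""
    m = pattern.match(value)
    if not m:
        return "cleartext"
    return "obfuscated" if _looks_base64(m.group("blob")) else "malformed"


def audit_ini(text):
    """Classify every ini parameter whose name contains 'password'. Returns [(name, status)]."""
    findings = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith(";"):
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if "password" in name.lower():
            findings.append((name, _classify(value, INI_OBFUSCATED)))
    return findings


def audit_cli_script(text):
    """Classify every CLI Script line of the form '... password <value> [encrypted]'."""
    findings = []
    for raw in text.splitlines():
        tokens = raw.split()
        if "password" not in tokens:
            continue
        rest = " ".join(tokens[tokens.index("password") + 1:])
        findings.append((raw.strip(), _classify(rest, CLI_OBFUSCATED)))
    return findings


# Constructed sample files (not from a real device). The obfuscated values are the
# documentation's examples; ExamplePassword, OtherPassword and hunter2 are made up.
SAMPLE_INI = """\
; constructed ini sample
WSTunPassword = $2$8EGYm+FG+JJT/p8ZOytU64uplPMKcw==
ExamplePassword = Cleartext123
OtherPassword = $2$not*base64
SomeTimeout = 30
"""

SAMPLE_CLI = """\
# constructed CLI Script sample
configure network
 password B55osyLT1t7+oorwkaNB3bxEX4Bl8g== encrypted
 password hunter2
"""

if __name__ == "__main__":
    print(validate_encryption_key("short"))
    for name, status in audit_ini(SAMPLE_INI):
        print(f"ini  {name}: {status}")
    for line, status in audit_cli_script(SAMPLE_CLI):
        print(f"cli  {line}: {status}")
```

Running the audit over files downloaded from a device before they are archived or shared is a quick way to confirm that the encryption key is actually in effect: any finding other than "obfuscated" means a password left the device in a form the key did not protect.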

The following procedure describes how to configure the encryption key using the different methods.

To configure encryption key for password obfuscation:
Configured Manually through CLI:
(config-network)# security-settings
(network-security)# encryption-key assign <your key>
Generated by Device through CLI:
(config-network)# security-settings
(network-security)# encryption-key generate
Configured Manually using Configuration Package File:
a. Download an encrypted Configuration Package file (see Downloading and Uploading the Configuration Package File).
b. Unzip the downloaded file.
c. In the unzipped folder, create a file with the name "encryption.key" (using Notepad or any text editor), add the desired encryption key, and then save the file. The following shows an example of an unzipped Configuration Package file with a created encryption file:

d. Compress all the files in the unzipped folder into a 7-Zip archive file, and then upload it to the device encrypted.

You can always check if the device is configured with an encryption key, by running the following CLI command:

(config-network)# security-settings
(network-security)# encryption-key display

The output of this command displays only part of the encryption key for security. It displays only the first four characters followed by three asterisks (e.g., %3[-***).

If you want to remove password obfuscation, delete the encryption key using any of the following methods:

CLI:
(config-network)# security-settings
(network-security)# encryption-key clear
Configuration Package File:
a. Download the Configuration Package file and unzip it (described above for configuring the key).
b. Open the encryption.key file, delete the key, and then save the empty file.
c. Compress all the files in the unzipped folder into a 7-Zip archive file, and then upload it to the device encrypted.
Before you can downgrade the device to an earlier version that doesn't support this password obfuscation feature, you must clear the encryption key.
The encryption key remains unaffected even if the device is restored to factory defaults.