Configuring Password Obfuscation in CLI Script and ini Files

You can enhance security by obfuscating passwords in the downloaded ini and CLI Script files, using a strong encryption algorithm. Passwords are encrypted with AES-256 in CFB mode, using a random 16-byte (128-bit, the AES block size) initialization vector (IV) and an encryption key. This method offers robust protection of sensitive data in files that leave the device. Because the encryption is symmetric, anyone who holds the encryption key and the file can recover the original passwords, so protect the key as carefully as the passwords themselves.

Obfuscated passwords are displayed in the following syntax (the obfuscated value is Base64-encoded in both file types):

ini file: $2$<obfuscated password>

For example:

WSTunPassword = $2$8EGYm+FG+JJT/p8ZOytU64uplPMKcw==

CLI Script file: <obfuscated password> encrypted

For example:

 password B55osyLT1t7+oorwkaNB3bxEX4Bl8g== encrypted
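After enabling obfuscation, it is worth checking that a freshly downloaded ini file and CLI Script contain no password parameters left in plaintext. The following Python audit is an added example, not code from the page or from the device software. The WSTunPassword line and the "password ... encrypted" line are the page's own examples; the other parameter names, the CLI command context and the plaintext values are constructed for illustration, and treating every parameter whose name contains "password" as a password is the example's own heuristic.

```python
import re
from dataclasses import dataclass

# Markers taken from the page: an ini value is obfuscated when it starts with
# "$2$"; a CLI Script password is obfuscated when the value is followed by the
# keyword "encrypted". The payload is Base64 in both cases.
INI_PREFIX = "$2$"
CLI_KEYWORD = "encrypted"
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# "<name> = <value>" where the parameter name contains "password" (heuristic
# of this example; the device's real parameter list is not on the page).
INI_LINE = re.compile(
    r"^\s*(?P<name>[^=\s]*password[^=\s]*)\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)

# "password <value> ..." or "<prefix>-password <value> ...". A token such as
# "password-policy" is deliberately not matched.
CLI_LINE = re.compile(
    r"^\s*(?P<kw>(?:\S+-)?password)\s+(?P<value>\S+)(?P<rest>.*)$", re.IGNORECASE)


@dataclass
class Finding:
    source: str
    line_no: int
    name: str
    reason: str


def audit_ini(text: str, source: str = "ini") -> list[Finding]:
    """Flag password parameters that are not in the $2$<Base64> form."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = INI_LINE.match(line)
        if not m or not m["value"]:
            continue  # not a password parameter, or the password is unset
        value = m["value"]
        if not value.startswith(INI_PREFIX):
            findings.append(Finding(source, no, m["name"], "plaintext value (no $2$ prefix)"))
        elif not BASE64_RE.match(value[len(INI_PREFIX):]):
            findings.append(Finding(source, no, m["name"], "$2$ prefix but payload is not Base64"))
    return findings


def audit_cli_script(text: str, source: str = "cli") -> list[Finding]:
    """Flag 'password <value>' lines that lack the trailing 'encrypted' keyword."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CLI_LINE.match(line)
        if not m:
            continue
        if [t.lower() for t in m["rest"].split()] != [CLI_KEYWORD]:
            findings.append(Finding(source, no, m["kw"], "plaintext value (missing 'encrypted' keyword)"))
        elif not BASE64_RE.match(m["value"]):
            findings.append(Finding(source, no, m["kw"], "'encrypted' keyword but value is not Base64"))
    return findings


# Constructed sample files. The WSTunPassword line and the "password ... encrypted"
# line are the page's own examples; the other parameter names, the CLI command
# context and the plaintext values are made up for illustration.
SAMPLE_INI = """\
WSTunPassword = $2$8EGYm+FG+JJT/p8ZOytU64uplPMKcw==
SNMPTrapPassword = hunter2
AdminPassword = $2$Zm9vYmFyYmF6cXV4
TelnetPassword =
"""

SAMPLE_CLI_SCRIPT = """\
configure system
 snmp
  password B55osyLT1t7+oorwkaNB3bxEX4Bl8g== encrypted
  exit
 radius
  password RadiusSecret1
  exit
"""

if __name__ == "__main__":
    for f in audit_ini(SAMPLE_INI) + audit_cli_script(SAMPLE_CLI_SCRIPT):
        print(f"{f.source}:{f.line_no}: {f.name}: {f.reason}")
```

Run against the real downloaded files, the audit should return no findings once the encryption key is in place; any finding is either a parameter the device does not obfuscate or a sign that the key was not applied, and either way worth investigating before the file is stored or shared.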

You can define the encryption key manually or trigger the device to generate one automatically. A manually defined key must be exactly 32 characters long (32 bytes, matching the AES-256 key size) and may contain any combination of the following characters:

Letters (A-Z and a-z)
Numbers (0-9)
Special characters: ! # $ % & ( ) * + , - . / < = > ? @ [ ] ^ _ ` { } ~

Other characters, such as the space, quotation marks, colon, semicolon, backslash and vertical bar, are not in the permitted set.
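As an added example (not from the page or the device vendor), the following Python helpers generate a key from exactly this alphabet using the operating system's CSPRNG, validate a key before it is passed to encryption-key assign, and reproduce the redacted form that encryption-key display prints (first four characters, then ***). The function names and the CLI string builder are the example's own.

```python
import secrets
import string

# The character classes the device accepts in a manually assigned key, copied
# from the list above. Note what is absent: space, quotation marks, ':', ';',
# '\' and '|'.
KEY_SPECIALS = "!#$%&()*+,-./<=>?@[]^_`{}~"
KEY_ALPHABET = string.ascii_letters + string.digits + KEY_SPECIALS
KEY_LENGTH = 32  # 32 single-byte characters == the 256-bit AES-256 key size


def validate_key(key: str) -> list[str]:
    """Return the policy violations for a candidate key; an empty list means it is acceptable."""
    problems = []
    if len(key) != KEY_LENGTH:
        problems.append(f"length is {len(key)}, must be exactly {KEY_LENGTH}")
    bad = sorted({c for c in key if c not in KEY_ALPHABET})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def generate_key() -> str:
    """Draw a 32-character key uniformly from the allowed alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))


def display_key(key: str) -> str:
    """Redact a key the way 'encryption-key display' does: first four characters, then '***'."""
    return key[:4] + "***"


def cli_assign_command(key: str) -> str:
    """Build the 'encryption-key assign' line, refusing a key that violates the documented rules."""
    problems = validate_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    return f"encryption-key assign {key}"


if __name__ == "__main__":
    key = generate_key()
    print("store this key now; the device will only ever show:", display_key(key))
    print(cli_assign_command(key))
```

The alphabet has 88 symbols, so a uniformly random 32-character key carries about 206 bits of entropy; the printable-character restriction does not materially weaken the 256-bit key against brute force. Since the device later reveals only the first four characters, record a manually assigned key in a secrets manager at assignment time if you will need it again.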

The following procedure describes how to configure the encryption key using the different methods.

To configure the encryption key for password obfuscation:

Configured manually through CLI:
(config-network)# security-settings
(network-security)# encryption-key assign <your key>

Generated by the device through CLI:
(config-network)# security-settings
(network-security)# encryption-key generate
Configuration Package File (manually):
a. Download the Configuration Package file as password-protected (see Downloading and Uploading the Configuration Package File).
b. Unzip the downloaded file (you'll be prompted for the password).
c. Open the unzipped folder, and then create a file named "encryption.key" using any text editor (e.g., Notepad).
d. Add the encryption key to the encryption.key file, and then save the file. (The original page shows a screenshot of the unzipped Configuration Package folder containing the new encryption.key file.)
e. Compress all the files in the unzipped folder into a 7-Zip archive file:
i. Select all the files in the unzipped folder, right-click, and then from the drop-down menu, choose 7-Zip > Add to archive; the Add to Archive dialog box appears.
ii. In the 'Enter password' and 'Reenter password' fields, enter the password that you used to encrypt the downloaded Configuration Package file, and then select the 'Encrypt file names' check box. This option also encrypts the archive headers, so the list of files (including the presence of encryption.key) cannot be read without the password. (The original page shows a screenshot of the Add to Archive dialog box with these settings.)
iii. Click OK; the Configuration Package file is compressed into a 7-Zip archive file.
f. Upload the zipped Configuration Package file to the device (you'll be prompted for the password used to encrypt it). For more information, see Downloading and Uploading the Configuration Package File.

You can check if the device is configured with an encryption key, by running the following CLI command:

(config-network)# security-settings
(network-security)# encryption-key display

For security, the output of this command displays only part of the encryption key: the first four characters followed by three asterisks (e.g., %3[-***).

If you want to remove password obfuscation, delete the encryption key using either of the following methods:

CLI:
(config-network)# security-settings
(network-security)# encryption-key clear

Configuration Package File:
a. Download the Configuration Package file and unzip it (as described above for configuring the key).
b. Open the encryption.key file, delete the key, and then save the empty file.
c. Compress all the files in the unzipped folder into a 7-Zip archive file, and then upload it to the device encrypted.
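Both Configuration Package procedures (adding a key, and clearing it by saving an empty encryption.key) can be scripted with the 7-Zip command-line tool instead of the GUI. The following Python script is an added example, not tooling from the page or the device vendor. It assumes a `7z` executable on the PATH, that `-mhe=on` (7z header encryption) is the CLI equivalent of the 'Encrypt file names' check box, and that the device accepts an archive built this way exactly as it accepts one from the GUI; the file and function names are the example's own.

```python
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Optional

KEY_FILE = "encryption.key"
KEY_LENGTH = 32


def password_switch(password: Optional[str]) -> str:
    """Return the 7z -p switch. With no password given, 7z prompts for it interactively,
    so the package password never appears in the process list or shell history."""
    return "-p" if password is None else f"-p{password}"


def extract_cmd(archive: Path, workdir: Path, password: Optional[str] = None) -> list[str]:
    """Step b: extract the password-protected package (zip or 7z) into workdir."""
    return ["7z", "x", password_switch(password), f"-o{workdir}", "-y", str(archive)]


def repack_cmd(out: Path, names: list[str], password: Optional[str] = None) -> list[str]:
    """Step e: build a 7z archive; -mhe=on is the CLI equivalent of the
    'Encrypt file names' check box (it encrypts the archive headers too)."""
    return ["7z", "a", "-t7z", password_switch(password), "-mhe=on", str(out), *names]


def write_key_file(workdir: Path, key: str) -> Path:
    """Steps c and d: create encryption.key. An empty key writes the empty file
    that the clearing procedure calls for."""
    if key and len(key) != KEY_LENGTH:
        raise ValueError(f"encryption key must be exactly {KEY_LENGTH} characters")
    path = workdir / KEY_FILE
    path.write_text(key, encoding="ascii")
    return path


def repack_with_key(archive: Path, out: Path, key: str, password: Optional[str] = None) -> Path:
    """Run steps b to e end to end; the resulting archive is what step f uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        subprocess.run(extract_cmd(archive, workdir, password), check=True)
        write_key_file(workdir, key)
        names = sorted(p.name for p in workdir.iterdir())  # archive root holds the files directly
        subprocess.run(repack_cmd(out.resolve(), names, password), check=True, cwd=workdir)
    return out


if __name__ == "__main__":
    # usage: repack.py <downloaded package> <new package.7z> <32-character key, or "" to clear>
    repack_with_key(Path(sys.argv[1]), Path(sys.argv[2]), sys.argv[3])
```

With no password argument, 7z prompts twice (once on extraction, once on repacking), which keeps the package password out of shell history. Passing an empty key produces the empty encryption.key that the clearing procedure requires; the upload in step f is unchanged either way.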
Before you can downgrade the device to an earlier version that doesn't support this password obfuscation feature, you must clear the encryption key.

The encryption key is retained even when the device is restored to factory defaults, so clear it explicitly (as described above) before decommissioning the device or transferring it to another owner.

If you configure password obfuscation by encryption key, the device automatically disables the password obscured feature (if enabled).