Encrypted Preshared Key

The Encrypted Preshared Key feature allows you to securely store plain text passwords in type 6 (encrypted) format in NVRAM.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for Encrypted Preshared Key

  • Old ROM monitors (ROMMONs) and boot images cannot recognize the new type 6 passwords. Therefore, errors are expected if you boot from an old ROMMON.

  • For Cisco 836 routers, please note that support for Advanced Encryption Standard (AES) is available only on IP plus images.

Information About Encrypted Preshared Key

Using the Encrypted Preshared Key Feature to Securely Store Passwords

Using the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key command with the password encryption aes command to configure and enable the password (symmetric cipher AES is used to encrypt the keys). The password (key) configured using the config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.

If you configure the password encryption aescommand without configuring the key config-key command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured: 

“Can not encrypt password. Please configure a configuration-key with ‘key config-key’”

Changing a Password

If the password (master key) is changed, or reencrypted, using the key config-key password-encryptioncommand), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.

Deleting a Password

If the master key that was configured using the key config-key password-encryptioncommand is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the software. However, passwords can be reencrypted as explained in the previous paragraph.


Caution

If the password configured using the key config-key password-encryptioncommand is lost, it cannot be recovered. The password should be stored in a safe location.

Unconfiguring Password Encryption

If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryptioncommand exists, the type 6 passwords will be decrypted as and when required by the application.

Storing Passwords

Because no one can “read” the password (configured using the key config-key password-encryptioncommand), there is no way that the password can be retrieved from the router. Existing management stations cannot “know” what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryptioncommand). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.

Configuring New or Unknown Passwords

If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:

“ciphertext>[for username bar>] is incompatible with the configured master key.”

If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.

If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryptioncommand. Deleting the master key using the no key config-key password-encryptioncommand causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.

Enabling the Encrypted Preshared Key

The password encryption aes command is used to enable the encrypted password.

How to Configure an Encrypted Preshared Key

Configuring an Encrypted Preshared Key

To configure an encrypted preshared key, perform the following steps.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    key config-key password-encryption [text]

    4.    password encryption aes


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 key config-key password-encryption [text]


    Example:
    Router (config)# key config-key password-encryption
     

    Stores a type 6 encryption key in private NVRAM.

    • If you want to key in interactively (using the enter key) and an encrypted key already exists, you will be prompted for the following: Old key, New key, and Confirm key.

    • If you want to key in interactively but an encryption key is not present, you will be prompted for the following: New key and Confirm key.

    • If you want to remove the password that is already encrypted, you will see the following prompt: “WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion? [yes/no]:”.

     
    Step 4 password encryption aes


    Example:
    Router (config)# password-encryption aes
     

    Enables the encrypted preshared key.

     

    Troubleshooting Tips

    If you see the warning message “ciphertext >[for username bar>] is incompatible with the configured master key,” you have entered or cut and pasted cipher text that does not match the master key or there is no master key. (The cipher text will be accepted or saved.) The warning message will allow you to locate the broken configuration line or lines.

    Monitoring Encrypted Preshared Keys

    To get logging output for encrypted preshared keys, perform the following steps.

    1. enable

    2. password logging

    SUMMARY STEPS

      1.    enable

      2.    password logging


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 password logging


      Example:
      Router# password logging
       

      Provides a log of debugging output for a type 6 password operation.

       

      Examples

      The following password logging debug output shows that a new master key has been configured and that the keys have been encrypted with the new master key: 

      Router (config)# key config-key password-encrypt 
New key: 
Confirm key: 
Router (config)#
01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys with 
the new master keypas
Router (config)# key config-key password-encrypt 
Old key: 
New key: 
Confirm key: 
Router (config)#
01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keys 
with the new master key
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful

      What To Do Next

      You can perform any of the following procedures. Each procedure is independent of the others.

      Configuring an ISAKMP Preshared Key

      To configure an ISAKMP preshared key, perform the following procedure.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    crypto isakmp key keystring address peer-address

        4.    crypto isakmp key keystring hostname hostname


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router# enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Router# configure terminal
         

        Enters global configuration mode.

         
        Step 3 crypto isakmp key keystring address peer-address


        Example:
        Router (config)# crypto isakmp key cisco address 10.2.3.4
         

        Configures a preshared authentication key.

        • The peer-address argument specifies the IP address of the remote peer.

         
        Step 4 crypto isakmp key keystring hostname hostname


        Example:
        Router (config)# crypto isakmp key mykey hostname mydomain.com
         

        Configures a preshared authentication key.

        • The hostname argument specifies the fully qualified domain name (FQDN) of the peer.

         

        Example

        The following sample output shows that an encrypted preshared key has been configured: 

        crypto isakmp key 6 _Hg[^^ECgLGGPF^RXTQfDDWQ][YAAB address 10.2.3.4
crypto isakmp key 6 `eR\eTRaKCUZPYYQfDgXRWi_AAB hostname mydomain.com

        Configuring an ISAKMP Preshared Key in ISAKMP Keyrings

        To configure an ISAKMP preshared key in ISAKMP keyrings, which are used in IPSec Virtual Route Forwarding (VRF) configurations, perform the following procedure.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    crypto keyring keyring-name

          4.    pre-shared-key address address key key

          5.    pre-shared-key hostname hostname key key


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Router# enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example:
          Router# configure terminal
           

          Enters global configuration mode.

           
          Step 3 crypto keyring keyring-name


          Example:
          Router (config)# crypto keyring mykeyring
           

          Defines a crypto keyring to be used during Internet Key Exchange (IKE) authentication and enters keyring configuration mode.

           
          Step 4 pre-shared-key address address key key


          Example:
          Router (config-keyring)# pre-shared-key address 10.2.3.5 key cisco
           

          Defines a preshared key to be used for IKE authentication.

          • The address argument specifies the IP address of the remote peer.

           
          Step 5 pre-shared-key hostname hostname key key


          Example:
          Router (config-keyring)# pre-shared-key hostname mydomain.com key cisco
           

          Defines a preshared key to be used for IKE authentication.

          • The hostname argument specifies the FQDN of the peer.

           

          Example

          The following show-running-config sample output shows that an encrypted preshared key in ISAKMP keyrings has been configured. 

          crypto keyring mykeyring
  pre-shared-key address 10.2.3.5 key 6 `WHCJYR_Z]GRPF^RXTQfDcfZ]GPAAB
  pre-shared-key hostname mydomain.com key 6 aE_REHDcOfYCPF^RXTQfDJYVVNSAAB

          Configuring ISAKMP Aggressive Mode

          To configure ISAKMP aggressive mode, perform the following steps.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    crypto isakmp peer ip-address ip-address

            4.    set aggressive-mode client-endpoint client-endpoint

            5.    set aggressive-mode password password


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Router# enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 configure terminal


            Example:
            Router# configure terminal
             

            Enters global configuration mode.

             
            Step 3 crypto isakmp peer ip-address ip-address


            Example:
            Router (config)# crypto isakmp peer ip-address 10.2.3.4
             

            To enable an IP Security (IPSec) peer for IKE querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode and to enter ISAKMP peer configuration mode.

             
            Step 4 set aggressive-mode client-endpoint client-endpoint


            Example:
            Router (config-isakmp-peer)# set aggressive-mode client-endpoint fqdn cisco.com
             

            Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration.

             
            Step 5 set aggressive-mode password password


            Example:
            Router (config-isakmp-peer)# set aggressive-mode password cisco
             

            Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.

             

            Example

            The following show-running-config sample output shows that an encrypted preshared key in ISAKMP aggressive mode has been configured. 

            crypto isakmp peer address 10.2.3.4
 set aggressive-mode password 6 ^aKPIQ_KJE_PPF^RXTQfDTIaLNeAAB
 set aggressive-mode client-endpoint fqdn cisco.com

            Configuring a Unity Server Group Policy

            To configure a unity server group policy, perform the following steps.

            SUMMARY STEPS

              1.    enable

              2.    configure terminal

              3.    crypto isakmp client configuration group group-name

              4.    pool name

              5.    domain name

              6.    key name


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Router# enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.

               
              Step 2 configure terminal


              Example:
              Router# configure terminal
               

              Enters global configuration mode.

               
              Step 3 crypto isakmp client configuration group group-name


              Example:
              Router (config)# crypto isakmp client configuration group mygroup
               

              Specifies the policy profile of the group that will be defined and enters ISAKMP group configuration mode.

               
              Step 4 pool name


              Example:
              Router (config-isakmp-group)# pool mypool
               

              Defines a local pool address.

               
              Step 5 domain name


              Example:
              Router (config-isakmp-group)# domain cisco.com
               

              Specifies the Domain Name Service (DNS) domain to which a group belongs.

               
              Step 6 key name


              Example:
              Router (config-isakmp-group)# key cisco
               

              Specifies the IKE preshared key for group policy attribute definition.

               

              Example

              The following show-running-config sample output shows that an encrypted key has been configured for a unity server group policy: 

              crypto isakmp client configuration group mygroup
 key 6 cZZgDZPOE\dDPF^RXTQfDTIaLNeAAB
 domain cisco.com
 pool mypool

              Configuring an Easy VPN Client

              To configure an Easy VPN client, perform the following steps.

              SUMMARY STEPS

                1.    enable

                2.    configure terminal

                3.    crypto ipsec client ezvpn name

                4.    peer ipaddress

                5.    mode client

                6.    group group-name key group-key

                7.    connect manual


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1 enable


                Example:
                Router# enable
                 

                Enables privileged EXEC mode.

                • Enter your password if prompted.

                 
                Step 2 configure terminal


                Example:
                Router# configure terminal
                 

                Enters global configuration mode.

                 
                Step 3 crypto ipsec client ezvpn name


                Example:
                Router (config)# crypto ipsec client ezvpn myclient
                 

                Creates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configuration mode.

                 
                Step 4 peer ipaddress


                Example:
                Router (config-isakmp-peer)# peer 10.2.3.4
                 

                Sets the peer IP address for the VPN connection.

                 
                Step 5 mode client


                Example:
                Router (config-isakmp-ezpvy)# mode client
                 

                Automatically configures the router for Cisco Easy VPN Client mode operation, which uses Network Address Translation (NAT) or Peer Address Translation (PAT) address translations.

                 
                Step 6 group group-name key group-key


                Example:
                Router (config-isakmp-ezvpn)# group mygroup key cisco
                 

                Specifies the group name and key value for the VPN connection.

                 
                Step 7 connect manual


                Example:
                Router (config-isakmp-ezvpn)# connect manual
                 

                Specifies the manual setting for directing the Cisco Easy VPN remote client to wait for a command or application program interface (API) call before attempting to establish the Cisco Easy VPN remote connection.

                 

                Example

                The following show-running-config sample output shows that an Easy VPN client has been configured. The key has been encrypted. 

                crypto ipsec client ezvpn myclient
 connect manual
 group mygroup key 6 gdMI`S^^[GIcPF^RXTQfDFKEO\RAAB
 mode client
 peer 10.2.3.4

                Configuration Examples for Encrypted Preshared Key

                Encrypted Preshared Key Example

                The following is an example of a configuration for which a type 6 preshared key has been encrypted. It includes the prompts and messages that a user might see.

                Router (config)# crypto isakmp key cisco address 10.0.0.2
Router (config)# exit
Router# show running-config | include crypto isakmp key
 crypto isakmp key cisco address 10.0.0.2
Router#
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router (config)# password encryption aes
 
Router (config)# key config-key password-encrypt
 
New key:
Confirm key:
Router (config)#
01:46:40: TYPE6_PASS: New Master key configured, encrypting the keys with
the new master key
Router (config)# exit
Router # show running-config | include crypto isakmp key
crypto isakmp key 6 CXWdhVTZYB_Vcd^`cIHDOahiFTa address 10.0.0.2

                No Previous Key Present Example

                In the following configuration example, no previous key is present: 

                Router (config)#

                Key Already Exists Example

                In the following configuration example, a key already exists: 

                Router (config)# 
Old key:
Router (config)#

                Key Already Exists But the User Wants to Key In Interactively Example

                In the following configuration example, the user wants to key in interactively, but a key already exists. The Old key, New key, and Confirm key prompts will show on your screen if you enter the key config-key command and press the enter key to get into interactive mode. 

                Router (config)#  
Old key:
New key:
Confirm key:

                No Key Present But the User Wants to Key In Interactively Example

                In the following example, the user wants to key in interactively, but no key is present. The New key and Confirm key prompts will show on your screen if you are in interactive mode. 

                Router (config)# 
 
New key:
Confirm key:

                Removal of the Password Encryption Example

                In the following configuration example, the user wants to remove the encrypted password. The “WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion? [yes/no]:” prompt will show on your screen if you are in interactive mode. 

                Router (config)# 
WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion ? [yes/no]: y

                Where to Go Next

                Configure any other preshared keys.

                Additional References

                Related Documents

                Related Topic

                Document Title

                Configuring passwords

                Cisco IOS Security Command Reference

                Standards

                Standards

                Title

                None

                --

                MIBs

                MIBs

                MIBs Link

                None

                To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

                http:/​/​www.cisco.com/​go/​mibs

                RFCs

                RFCs

                Title

                None

                --

                Technical Assistance

                Description

                Link

                The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

                http:/​/​www.cisco.com/​cisco/​web/​support/​index.html