To enter the Secure Sensitive Data (SSD) command mode, use ssd config in Global Configuration mode. In this command mode, an administrator can configure how the sensitive data on the device, such as keys and passwords, is to be protected.

Syntax

ssd config

Parameters

This command has no arguments or keywords.

Command Mode

Global Configuration mode

User Guidelines

Only users with sufficient permission can use this command, which edits and displays the SSD configuration. See ssd rule for a description of these permissions.

Example

switchxxxxxx(config)# ssd config
switchxxxxxx(config-ssd)#

To change the passphrase in the system, use passphrase in SSD Configuration mode. A device protects its sensitive data by encrypting them using the key generated from the passphrase.

To reset the passphrase to the default passphrase, use the no passphrase.

Syntax

passphrase {passphrase}

encrypted passphrase {encrypted-passphrase}

no passphrase

Parameters

• passphrase—New system passphrase.

• encrypted-passphrase—The passphrase in its encrypted form.

Default Usage

If this command is not entered, the default passphrase is used.

Command Mode

SSD Configuration mode

User Guidelines

To use this command, enter passphrase and Enter, a confirmation message is displayed and the user must confirm the intention to change the passphrase. Then the passphrase can be entered (see example).

Encrypted passphrase is allowed only in the SSD Control Block of a source file that is being copied to the startup configuration file (user cannot manually enter this command).

When generating a passphrase, the user must use 4 different character classes (similar to strong password/passwords complexity). These can be: uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard.

Example

The following example defines a decrypted passphrase.

switchxxxxxx(config-ssd)# passphrase
This operation will change the system SSD passphrase. Are you sure? (Y/N)[N] Y
Please enter SSD passphrase:**********
Please reenter SSD passphrase:**********

To configure an SSD rule, use ssd rule in SSD Configuration mode. A device grants read permission of sensitive data to users based on the SSD rules. A user that is granted Both or Plaintext read permission is also granted permission to enter SSD Configuration mode.

To delete user-defined rules and restore default rules, use no ssd rule.

Syntax

[encrypted] SSD rule {all | level-15 | default-user | user user-name}

{secure | insecure | secure-xml-snmp | insecure-xml-snmp}

permission {encrypted-only | plaintext-only | both | exclude}

default-read {encrypted | plaintext | exclude}

no ssd rule [ {all | level-15 | default-user | user user-name}

{secure | insecure | secure-xml-snmp | insecure-xml-snmp}]

Command Mode

SSD Configuration mode.

Default Rules

The device has the following factory default rules:

User Guidelines

Use no ssd rule to delete a user-defined rule or to restore the default of a modified default rule.

Use no ssd rule (without parameters) to remove all SSD rules and restore the default SSD rules. A confirmation message will be displayed asking permission to do this. To delete specific rules (applicable for the user defined), provide parameters specifying the user and security of the channel.

encrypted SSD rule is used to copy an SSD rule from one device to another in a secure manner.

You can modify but cannot delete the default SSD rules. The following is the order in which SSD rules are applied:

• The SSD rules for specified users.

• The SSD rule for the default-user (cisco).

• The SSD rules for level-15 users.

• The remaining SSD rules for all.

The user can enter the commands in any order.The ordering is done implicitly by the device.

To present the current SSD rules; the rules will be displayed as plaintext, use show ssd rules in SSD Configuration mode.

Syntax

show SSD [rules | brief]

Parameters

• rules—(Optional) Display only the SSD rules.

• brief—(Optional) Display the encrypted passphrase, File Passphrase Control and File Integrity attributes.

Command Mode

SSD Configuration mode

Default Configuration

Display all SSD information.

To override the current SSD default read of the current session, use ssd session read in Global Configuration mode.

Syntax

ssd session read {encrypted | plaintext | exclude}

no ssd session read

Parameters

• encrypted—Override the SSD default option to encrypted

• plaintext—Override the SSD default option to plaintext

• exclude—Override the SSD default option to exclude

Command Mode

Global Configuration mode.

Default

The command itself does not have a default. However, note that the read mode of the session itself, defaults to the default read mode of the SSD rule that the device uses to grant SSD permission to the user of the session.

User Guidelines

Use no ssd session read to restore the default read option of the SSD rules. This configuration will be allowed only if the user of the current session has sufficient read permissions; otherwise, the command will fail and an error will be displayed. The setting will take effect immediately and will terminate when the user restores the settings or exits the session.

Example

switchxxxxxx(config)# ssd session read plaintext

To view the SSD read permission and default read mode of the user of the current session, use show ssd session in Privileged EXEC mode.

Syntax

show ssd session

Command Mode

Privileged EXEC mode

Default

None

Examples

switchxxxxxx# show ssd session 
User Name/Level: James / Level 15
User Read Permission:  Both
Current Session Read mode: Plaintext

To provide an additional level of protection when copying configuration files to the startup configuration file, use ssd file passphrase control in SSD Configuration mode. The passphrase in a configuration file is always encrypted with the default passphrase key

Syntax

ssd file passphrase control {restricted | unrestricted}

no ssd file passphrase control

Parameters

• Restricted—In this mode, a device restricts its passphrase from being exported into a configuration file. Restricted mode protects the encrypted sensitive data in a configuration file from devices that do not have the passphrase. The mode should be used when a user does not want to expose the passphrase in a configuration file.

• Unrestricted—In this mode, a device will include its passphrase when creating a configuration file. This allows any devices accepting the configuration file to learn the passphrase from the file.

Default

The default is unrestricted.

Command Mode

SSD Configuration mode.

User Guidelines

To revert to the default state, use the no ssd file passphrase control command.

Note that after a device is reset to the factory default, its local passphrase is set to the default passphrase. As a result, the device will not be able to decrypted sensitive data encrypted with a user-defined passphrase key in its own configuration files until the device is manually configured with the user-passphrase again or the files are created in unrestricted mode.

If a user-defined passphrase in Unrestricted mode are configured, it is highly recommended to enable SSD File Integrity Control. Enabling SSD File Integrity Control protects configuration files from tampering.

Examples

console(ssd-config)# ssd file passphrase control restricted
console(ssd-config)# no ssd file passphrase control

To instruct the device to protect newly-generated configuration files that contain encrypted sensitive data from tampering, use ssd file integrity control command in SSD Configuration mode.

To disable Integrity Control, use no ssd file integrity control.

Syntax

ssd file integrity control enabled

no ssd file integrity control

Parameters

• enabled—Enable file integrity control to protect newly-generated configuration files from tampering.

Default

The default file input control is disable.

Command Mode

SSD Configuration mode.

User Guidelines

TA user can protect a configuration file from being tampered by creating the file with File Integrity Control enabled. It is recommended that File Integrity Control be enabled when a devices users a user-defined passphrase with Unrestricted Configuration File Passphrase Control.

A device determines whether the integrity of a configuration file is protected by examining the File Integrity Control command in the file. If a file in integrity-protected, but a device finds the integrity of the file is not intact, the device rejects the file. Otherwise, the file is accepted for further processing.

Examples

switchxxxxxx(config-ssd)#  ssd file integrity control enabled

When File Integrity is enabled, an internal digest command is added to the end of the entire configuration file. This is used in downloading the configuration file to the startup configuration.

config-file-digest 0AC78001122334400AC780011223344