1.1.3 Ensure 'Master Key Passphrase' is set

Information

Defines the master key passphrase used to encrypt the application secret-keys contained in the configuration file for software releases from 8.3(1) and above.

Rationale:

For ASA software releases 8.3 and below, the VPN preshared keys, TACACS+/RADIUS shared keys and routing protocol authentication passwords are encrypted in the running-configuration once generated, but they can be viewed in plain text when the file is transferred through TFTP or FTP to be stored off the device. Therefore, if the stored file falls into the hands of an attacker, he/she will have all the passwords and application encryption keys.

From version 8.3(1) and above, the master key passphrase is used to derive the AES encryption key that encrypts the secret-keys, both in the running-configuration and when the file is exported through TFTP or FTP to be stored in a different location.

This improves security because the master key itself is never displayed in the running-configuration.

Solution

Step 1: Set the master key passphrase with the following command:

hostname(config)# key config-key password-encryption <passphrase>

The passphrase must be between 8 and 128 characters long.

Step 2: Enable AES encryption of the existing keys in the running-configuration:

hostname(config)# password encryption aes

Step 3: Run the following to encrypt the keys in the startup-configuration:

hostname(config)# write memory
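As an added audit example (not part of the benchmark or any Cisco tooling), the script below checks an exported ASA configuration for the visible evidence of this control. Because the master key passphrase is never written to the configuration, the line that can actually be checked is "password encryption aes"; the secret-carrying line patterns are assumed ASA syntax for the key types named in the Rationale, and the sample configurations are constructed.

```python
import re

# Heuristic patterns for configuration lines that carry a shared secret
# (assumed ASA syntax): AAA server keys, VPN pre-shared keys, OSPF/EIGRP/RIP
# authentication keys. Without AES password encryption these travel in
# plain text in a TFTP/FTP copy of the configuration.
SECRET_PATTERNS = [
    re.compile(r"^\s*key\s+\S+"),                        # aaa-server host ... key
    re.compile(r"^\s*(ikev1\s+)?pre-shared-key\s+\S+"),  # tunnel-group ipsec-attributes
    re.compile(r"^\s*ospf\s+(authentication-key|message-digest-key)\s+"),
    re.compile(r"^\s*authentication\s+key\s+eigrp\s+"),
    re.compile(r"^\s*rip\s+authentication\s+key\s+"),
]
# Visible evidence that Step 2 was applied (Step 1 leaves no line in the config).
AES_LINE = re.compile(r"^\s*password\s+encryption\s+aes\s*$")


def audit_asa_config(config_text):
    """Return aes_enabled, the 1-based numbers of secret-carrying lines, and pass/fail."""
    aes_enabled = False
    secret_lines = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if AES_LINE.match(line):
            aes_enabled = True
        elif any(p.match(line) for p in SECRET_PATTERNS):
            secret_lines.append(lineno)
    # The control is about the master key being set; "password encryption aes"
    # is the checkable consequence, so the audit passes only when it is present.
    return {"aes_enabled": aes_enabled, "secret_lines": secret_lines,
            "passes": aes_enabled}


# Constructed sample export (not from a real device); secret values are dummies.
CONFIG_WITHOUT_CONTROL = """\
hostname asa-edge
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.5
 key ExampleTacacsKey
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ExampleVpnKey
interface GigabitEthernet0/1
 ospf message-digest-key 1 md5 ExampleOspfKey
"""
# Same export after Steps 1-3; on a real device the secret values would now be
# stored AES-encrypted, the lines are kept here only to show the audit's scope.
CONFIG_WITH_CONTROL = "password encryption aes\n" + CONFIG_WITHOUT_CONTROL

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_WITHOUT_CONTROL), ("after", CONFIG_WITH_CONTROL)):
        r = audit_asa_config(cfg)
        print(name, "PASS" if r["passes"] else "FAIL", "secret lines:", r["secret_lines"])
```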

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-9, 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|18.5

Plugin: Cisco

Control ID: 759729b405d03e643c10b1fcc3150ca886cffd84a67f50565a2c2e7cc8049893