1.1.3 Ensure 'Master Key Passphrase' is set

Information

Defines the master key passphrase used for to encrypt the application secret-keys contained in the configuration file for software releases from 8.3(1) and above.

Rationale:

For ASA software releases from 8.3 and below, the VPN preshared keys, Tacacs+/Radius shared keys or Routing protocols authentication passwords are encrypted in the running-configuration once generated. They can be viewed in plain-text when the file is transferred through TFTP or FTP to be stored out of the device. Therefore, if the stored file falls into the hands on an attacker, he/she will have all the passwords and application encryption keys.

From version 8.3(1) and above, the master key passphrase helps to generate the AES encryption key used to encrypt secret-keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location.

It improves the security because the master key is never displayed in the running-configuration.

Solution

Step 1: Set the master key passphrase with the following command:

hostname (config)# key config-key password-encryption <passphrase>

The passphrase is between 8 and 128 characters long

Step 2: Enable the AES encryption of existing keys of the running-configuration

hostname(config)# password encryption aes

Step 3: Run the following for the encryption of keys in the startup-configuration

hostname(config)# write memory

See Also

https://workbench.cisecurity.org/files/3246

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12, CSCv7|18.5

Plugin: Cisco

Control ID: b1b60d319ad99a29c65b6e9a8f558ffaa7dacf8d1d60236008c1fd56f70ceec3