1.4.2 Configure Password Encryption

Information

You can enable strong, reversible 128-bit Advanced Encryption Standard (AES) password encryption, also known as type-6 encryption. To start using type-6 encryption, you must enable the AES password encryption feature and configure a master encryption key, which is used to encrypt and decrypt passwords. After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.

Rationale:

Encryption is a good way to protect data that will be used later. Encrypted data can later be decrypted to its original value. Although encrypting passwords protects them, typically, an application uses the same encryption key for storing all user passwords.

Impact:

Encryption of passwords is used to protect it from being sent over the wire cleartext. By applying encryption you are making it more difficult for an adversary to gain access to your device/network

Solution

Configure a master key to be used with the AES password encryption feature. The key can contain between 16 and 32 alphanumeric characters

switch# key config-key ascii
New Master Key:
Retype Master Key:

switch(config)# feature password encryption aes

See Also

https://workbench.cisecurity.org/benchmarks/6524

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, MEDIA PROTECTION

References: 800-53|IA-5(1), 800-53|MP-5, 800-53|MP-7, CSCv7|4.4, CSCv7|5.1, CSCv7|14.8

Plugin: Cisco

Control ID: 5fc02a9c02efbd26efd65fc6dff9a3f17b7ed326b1bac478782b9049cad683dc