6.14 Ensure Configuration File Encryption is Set

Information

Configuration files should be encrypted.

Rationale:

On many JUNOS platforms the configuration files are stored on a removal flash file system.

A malicious user with even momentary physical access to the router could readily remove the flash card, gaining access to the device's configuration which is likely to contain extremely sensitive details.

Exposure to this type of attack increased in Branch Office or Customer Premises Equipment (CPE) installations or where devices are transported by third parties post configuration.

To prevent an attacker accessing the configuration files from flash, JUNOS Devices offer a facility to encrypt the /config and /var/db/config directories using AES or DES algorithms.

Note - Export restrictions mean that AES is not available in all regions.

Impact:

The configuration files will be encrypted on storage and the JUNOS Device will use the key stored in it's EEPROM to decrypt the configuration file at boot.

Adding the unique option will cause the JUNOS Device to combine the device Serial Number with the entered key when creating the Encryption Key, meaning that the configuration can only be loaded by this JUNOS Device - even with the key being configured.

Solution

To enable Configuration File Encryption, you must first set an encryption key by issuing the following command from Operational Mode:

user@host>request system set-encryption-key

You will be prompted to enter and then verify the key.
The preferred encryption algorithm may be specified by adding the algorithm option, or left as default. If the device is running the US/Domestic version of JUNOS the default algorithm will be AES. Devices running the Export version of JUNOS will default to the weaker DES standard and cannot be configured to support AES.
Optionally, the unique option may be specified. This will cause JUNOS to combine the device's Serial Number as part of the Encryption Key, making the configuration unloadable on any other JUNOS device, even with the key set at the prompt.
Once a key has been set the following command should be issued from the [edit system] hierarchy:

[edit system]
user@host# set encrypt-configuration-files

The encryption will not be carried out until the configuration is committed.

Default Value:

Configuration file encryption is disabled by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: e99b0128e588b17e1e0bfa1811433974e771ba4d9b966401aacc442a2797a785