Defines the master key passphrase used for to encrypt the application secret-keys contained in the configuration file for software releases from 8.3(1) and above. Rationale: For ASA software releases from 8.3 and below, the VPN preshared keys, Tacacs+/Radius shared keys or Routing protocols authentication passwords are encrypted in the running-configuration once generated. They can be viewed in plain-text when the file is transferred through TFTP or FTP to be stored out of the device. Therefore, if the stored file falls into the hands on an attacker, he/she will have all the passwords and application encryption keys. From version 8.3(1) and above, the master key passphrase helps to generate the AES encryption key used to encrypt secret-keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location. It improves the security because the master key is never displayed in the running-configuration.
Solution
* Step 1: Set the master key passphrase with the following command: HOSTNAME (CONFIG)# KEY CONFIG-KEY PASSWORD-ENCRYPTION _<passphrase>_ The passphrase is between 8 and 128 characters long * Step 2: Enable the AES encryption of existing keys of the running-configuration HOSTNAME(CONFIG)# PASSWORD ENCRYPTION AES * Step 3: Run the following for the encryption of keys in the startup-configuration HOSTNAME(CONFIG)# WRITE MEMORY