Access Security Guide K/KA/KB.15.15

Figure 10 Creating an encrypted password
Encrypting credentials in the configuration file
A security risk is present when credentials used for authentication to remote devices such as RADIUS
or TACACS+ servers are displayed in the configuration file in plain text. The
encrypt-credentials command allows the storing, displaying, and transferring of credentials
in encrypted form.
When the encrypt-credentials feature is enabled, the affected credentials are encrypted using
aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HP
networking devices is used. This allows transfer of configurations with all relevant credentials and
provides much more security than plaintext passwords in the configuration. Because that default key
is the same on every HP networking device, it protects credentials from casual exposure rather than
from anyone who holds the shared key; set a pre-shared key where that distinction matters.
Additionally, you can set a separate 256-bit pre-shared key. If you do, you must set the same
pre-shared key on the destination device before transferring the configuration: the pre-shared key
on the destination device must be identical to the pre-shared key on the source device, or the affected
security credentials will not be usable. This key is only accessible using the CLI and is not visible
in any file transfers.
NOTE: It is expected that plaintext passwords will continue to be used for configuring the switch.
The encrypted credentials option is available primarily for the backup and restore of configurations.
Only the aes-256-cbc encryption type is available.
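To make the key relationship concrete, the following Go program is an added example, not HP's code and not the switch's actual stored credential format. It models two switches that each hold a 256-bit key (either a constructed stand-in for the shared default key or an operator-set pre-shared key in plaintext or hex form), encrypts a constructed RADIUS secret with AES-256-CBC, and shows that the credential survives a configuration transfer only when both sides hold the same key, as the text above requires. The default-key constant, the SHA-256 derivation of a 256-bit key from the plaintext form, the IV-plus-ciphertext hex layout and all function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// defaultKey stands in for the fixed key the guide says is common to all HP
// networking devices. The value is constructed for this example; the real key
// is not on the page.
var defaultKey = sha256.Sum256([]byte("constructed-example-default-key"))

// Device models one switch and the 256-bit key it uses for credentials.
type Device struct{ key [32]byte }

// NewDevice returns a switch with no pre-shared key, i.e. using the default key.
func NewDevice() *Device { return &Device{key: defaultKey} }

// SetPreSharedKeyPlaintext models "encrypt-credentials pre-shared-key plaintext".
// Assumption: the key is derived from the plaintext with SHA-256; the guide does
// not say how the switch turns a plaintext key into 256 bits.
func (d *Device) SetPreSharedKeyPlaintext(pt string) { d.key = sha256.Sum256([]byte(pt)) }

// SetPreSharedKeyHex models "encrypt-credentials pre-shared-key hex": the
// operator supplies the 256-bit key directly as 64 hex digits.
func (d *Device) SetPreSharedKeyHex(h string) error {
	raw, err := hex.DecodeString(h)
	if err != nil || len(raw) != 32 {
		return errors.New("pre-shared key must be exactly 256 bits (64 hex digits)")
	}
	copy(d.key[:], raw)
	return nil
}

// ClearPreSharedKey models "no encrypt-credentials pre-shared-key".
func (d *Device) ClearPreSharedKey() { d.key = defaultKey }

// Encrypt produces the stored form of a credential: a random 16-byte IV followed
// by the AES-256-CBC ciphertext of the PKCS#7-padded secret, hex-encoded.
func (d *Device) Encrypt(secret string) (string, error) {
	block, err := aes.NewCipher(d.key[:])
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	padLen := aes.BlockSize - len(secret)%aes.BlockSize
	padded := append([]byte(secret), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(append(iv, ct...)), nil
}

// Decrypt recovers a credential. With the wrong key CBC yields random bytes; the
// padding check rejects nearly all of them, but plain CBC carries no integrity
// tag, so callers should also compare against a known value where they can.
func (d *Device) Decrypt(encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("malformed encrypted credential")
	}
	block, err := aes.NewCipher(d.key[:])
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-1])
	if padLen < 1 || padLen > aes.BlockSize ||
		!bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return "", errors.New("bad padding: wrong pre-shared key or corrupted credential")
	}
	return string(pt[:len(pt)-padLen]), nil
}

// TransferConfig models backing up src's config and restoring it on dst. It
// reports whether dst recovers the very credential src stored.
func TransferConfig(src, dst *Device, secret string) bool {
	blob, err := src.Encrypt(secret)
	if err != nil {
		return false
	}
	got, err := dst.Decrypt(blob)
	return err == nil && got == secret
}

func main() {
	const radiusSecret = "r4dius-sh4red-s3cret" // constructed sample credential
	a, b := NewDevice(), NewDevice()
	fmt.Println("default key on both sides: usable =", TransferConfig(a, b, radiusSecret))
	a.SetPreSharedKeyPlaintext("operator-psk-example")
	fmt.Println("PSK on source only:        usable =", TransferConfig(a, b, radiusSecret))
	b.SetPreSharedKeyPlaintext("operator-psk-example")
	fmt.Println("identical PSK both sides:  usable =", TransferConfig(a, b, radiusSecret))
}
```

The middle case in main is the failure mode the guide warns about: the source has a pre-shared key and the destination still uses the default key, so the restored credential is unusable. Note that CBC on its own provides confidentiality, not integrity; a wrong key is detected here only by the padding check and by comparing against the known secret, which is why, after a real restore, the practical verification is that authentication to the RADIUS or TACACS+ server still succeeds.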
Enabling Encrypt-Credentials
To enable encrypt-credentials, enter this command.
Syntax:
[no] encrypt-credentials [pre-shared-key <plaintext | hex>]
When encrypt-credentials is enabled without any parameters, it enables
the encryption of relevant security parameters in the configuration.
The [no] form of the command disables the encrypt-credentials feature. If
specified with the pre-shared-key option, it clears the pre-shared key used to
encrypt credentials.
NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in
enhanced secure mode, commands that take a secret key as a parameter have the
echo of the secret typing replaced with asterisks. The input for <keystring> is
prompted for interactively. For more information, see “Secure Mode (3800, 5400zl,
and 8200zl Switches)” (page 498).
pre-shared-key
When specified, sets the pre-shared-key that is used for all AES encryption. If
no key is set, an HP switch default AES key is used.
Default
HP switch default AES key
plaintext
Set the key using plaintext.
36 Configuring Username and Password Security