10-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter10 Configuring Basic Settings
Configuring the Master Passphrase
Detailed Steps
Command Purpose
Step1 key config-key password-encryption
[new_passphrase [old_passphrase]]
Example:
hostname(config)# key config-key
password-encryption
Old key: bumblebee
New key: haverford
Confirm key: haverford
Sets the passphrase used for generating the encryption key. The
passphrase must be between 8 and 128 characters long. All
characters except a back space and double quotes are accepted
for the passphrase.
If you do not enter the new passphrase in the command, you are
prompted for it.
When you want to change the passphrase, you also have to
enter the old passphrase.
See the “Examples” section on page 10-9 for examples of the
interactive prompts.
Note Use the interactive prompts to enter passwords to avoid
having the passwords logged in the command history
buffer.
Use the no key config-key password-encrypt command with
caution, because it changes the encrypted passwords into plain
text passwords. You can use the no form of this command when
downgrading to a software version that does not support
password encryption.
Step2 password encryption aes
Example:
hostname(config)# password encryption aes
Enables password encryption. As soon as password encryption
is turned on and the master passphrase is available, all the user
passwords will be encrypted. The running configuration will
show the passwords in the encrypted format.
If the passphrase is not configured at the time that password
encryption is enabled, the command will succeed in
anticipation that the passphrase will be available in the future.
If you later disable password encryption using the no
password encryption aes command, all existing encrypted
passwords are left unchanged, and as long as the master
passphrase exists, the encrypted passwords will be decrypted,
as required by the application.
Step3 write memory
Example:
hostname(config)# write memory
Saves the runtime value of the master passphrase and the
resulting configuration. If you do not enter this command,
passwords in startup configuration may still be visible if they
were not saved with encryption before.
In addition, in multiple context mode the master passphrase is
changed in the system context configuration. As a result, the
passwords in all contexts will be affected. If the write memory
command is not entered in the system context mode, but not in
all user contexts, then the encrypted passwords in user contexts
may be stale. Alternatively, use the write memory all
command in the system context to save all configurations.