17-6
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 17 Configuring Basic Settings
Configuring the Master Passphrase
If you later disable password encryption, all existing encrypted passwords are left unchanged, and as
long as the master passphrase exists, the encrypted passwords will be decrypted as required by the
application.
Step 3 Check the Change the encryption master passphrase check box so that you can enter and confirm
your new master passphrase. By default, the passphrase fields are disabled.
Your new master passphrase must be between 8 and 128 characters long.
If you are changing an existing passphrase, you must enter the old passphrase before you can enter a new
one.
To delete the master passphrase, leave the New and Confirm master passphrase fields blank.
Step 4 Click Apply.
When you click Apply, warning messages appear under the following conditions:
• The Change the encryption master passphrase field is enabled, and the new master passphrase field
  is empty. The no key configuration-key password-encrypt command is then sent to the device.
• The old master passphrase does not match the hash value in the show password encryption
  command output.
• You use non-portable characters, particularly those with the high-order bit set in an 8-bit
  representation.
• A master passphrase and failover are in effect; an error message then appears on an attempt to
  remove the failover shared key.
• Encryption is disabled, but a new or replacement master passphrase is supplied. Click OK or Cancel
  to continue.
• The master passphrase is changed in multiple security context mode.
• Active/Active failover is configured and the master passphrase is changed.
• Any running configurations are configured so that they cannot be saved to their server, such as
  with context config-URLs that use HTTP or HTTPS, and the master passphrase is changed.
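The constraints from Step 3 and the warning conditions from Step 4, written as a pre-change check an operator could run before opening ASDM. This is an added example, not Cisco's code and not part of the original guide. `ChangeRequest`, `non_portable` and `preflight` are hypothetical names; rejecting mismatched New and Confirm values and reading "non-portable" as anything outside printable ASCII are assumptions.

```python
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 8, 128  # length limits stated in Step 3


@dataclass
class ChangeRequest:
    """Hypothetical record of what an operator intends to enter (not an ASDM API)."""
    new: str
    confirm: str
    aes_encryption_enabled: bool = True
    multiple_context: bool = False
    active_active_failover: bool = False


def non_portable(passphrase: str) -> list[str]:
    # Assumption: "non-portable" is read as anything outside printable ASCII;
    # this covers every character whose 8-bit encoding has the high-order bit set.
    return sorted({c for c in passphrase if not 0x20 <= ord(c) <= 0x7E})


def preflight(req: ChangeRequest) -> tuple[str, list[str]]:
    """Return (action, warnings); action is 'set', 'delete' or 'reject'."""
    if req.new != req.confirm:
        return "reject", ["New and Confirm fields differ"]
    warnings = []
    if req.multiple_context:
        warnings.append("change is made in multiple security context mode")
    if req.active_active_failover:
        warnings.append("Active/Active failover is configured")
    if req.new == "":
        # Blank New and Confirm fields delete the master passphrase.
        warnings.append("blank passphrase: the master passphrase will be removed")
        return "delete", warnings
    if not MIN_LEN <= len(req.new) <= MAX_LEN:
        return "reject", [f"length {len(req.new)} is outside {MIN_LEN}-{MAX_LEN} characters"]
    bad = non_portable(req.new)
    if bad:
        warnings.append("non-portable characters: " + " ".join(f"U+{ord(c):04X}" for c in bad))
    if not req.aes_encryption_enabled:
        warnings.append("encryption is disabled but a passphrase is supplied")
    return "set", warnings


if __name__ == "__main__":
    # Constructed sample inputs, not real passphrases.
    for new in ("correct-horse-battery", "", "short", "p\u00e4ssphrase-2024"):
        print(repr(new), preflight(ChangeRequest(new, new)))
```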
Disabling the Master Passphrase
Disabling the master passphrase reverts encrypted passwords into plain text passwords. Removing the
passphrase might be useful if you downgrade to a previous software version that does not support
encrypted passwords.
Prerequisites
You must know the current master passphrase to disable it. If you do not know the passphrase, see the
“Recovering the Master Passphrase” section on page 17-7.
Step 1 In single context mode, choose
Configuration > Device Management > Advanced > Master Passphrase.
In multiple context mode, choose Configuration > Device Management > Device Administration >
Master Passphrase.
Step 2 Check the Advanced Encryption Standard (AES) password encryption check box.