Cisco Systems SF300-24P, SG30052PK9NA, SRW2024PK9NA, SRW224G4K9AR, SRW224G4PK9NA, SRW248G4PK9NA Configuration File Passphrase Control, Configuration File Integrity Control

Security: Secure Sensitive Data Management

SSD Properties

Cisco Small Business 300 Series Managed Switch Administration Guide 368

automatically changed to the passphrase in the startup configuration file, when the

startup configuration becomes the running configuration of the device. When a

device is reset to factory default, the local passphrase is reset to the default

passphrase.

Configuration File Passphrase Control

File passphrase control provides additional protection for a user-defined

passphrase, and the sensitive data that are encrypted with the key generated

from the user-defined passphrase, in text-based configuration files.

The following are the existing passphrase control modes:

•Unrestricted (default)—The device includes its passphrase when creating a

configuration file. This enables any device accepting the configuration file

to learn the passphrase from the file.

•Restricted—The device restricts its passphrase from being exported into a

configuration file. Restricted mode protects the encrypted sensitive data in

a configuration file from devices that do not have the passphrase. This

mode should be used when a user does not want to expose the passphrase

in a configuration file.

After a device is reset to the factory default, its local passphrase is reset to the

default passphrase. As a result, the device will be not able to decrypt any

sensitive data encrypted based on a user-defined passphrase entered from a

management session (GUI/CLI), or in any configuration file with restricted mode,

including the files created by the device itself before it is reset to factory default.

This remains until the device is manually reconfigured with the user-defined

passphrase, or learns the user-defined passphrase from a configuration file.

Configuration File Integrity Control

A user can protect a configuration file from being tampered or modified by

creating the configuration file with Configuration File Integrity Control. It is

recommended that Configuration File Integrity Control be enabled when a device

uses a user-defined passphrase with Unrestricted Configuration File Passprhase

Control.

CAUTION Any modification made to a configuration file that is integrity protected is

considered tampering.

Cisco Systems Configuration File Passphrase Control, Configuration File Integrity Control