Cisco ASA Master PassPhrase (How to Show Encrypted Password)

There are several configuration features on Cisco ASA that require some sort of password or secret-key that you need to enter. Some examples include:

• VPN pre-shared keys (either for site-to-site IPSEC VPN or for Remote Access).
• AAA server secret key when communicating with a RADIUS server.
• Routing Protocols keys (for OSPF, EIGRP).
• Secret key for failover communication.
• Password to communicate with a Log Server.
• VPN Load Balancing key
• Etc

All the above might be hidden when you view the running configuration (by executing “show run”) however they are NOT encrypted inside the configuration file.

For example, if you copy the configuration to an external TFTP Server, all the above passwords and secret-keys will be shown as clear text in the configuration file.

Moreover, when you execute the command “more system:running-config” you will also be able to view the running configuration with all passwords as plain text.

If you want to store all the above passwords in encrypted format in the configuration file, you can use the “Master Passphrase” feature.

The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing their functionality. This feature is available from version 8.3(1) and above.

Master Passphrase Password Encryption Configuration

1) Create the Master Passphrase. This must be between 8-128 characters. Do not use backspace or double quote.

ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey

The above creates the Master Passphrase. Next we need to enable AES password encryption for all passwords:

2) Enable Password Encryption and save the configuration

ASA(config)# password encryption aes
ASA(config)# write mem

NOTEs:

• If you want to remove the master passphrase use “no key config-key password-encryption [current passphrase]”
• If you have lost the master passphrase, you must erase the configuration and reboot the ASA: “write erase” and then “reload”.

If you Lose the Master Passphrase you must do the following:

• Erase the configuration using “write erase” command.
• Reload the ASA firewall appliance (with the “reload” command)

Notes:

• Note that the above will remove the master password but will also remove the configuration containing the encrypted passwords.
• Note that all of the above configurations are accepted only if you are connected to the ASA using a secure encrypted method over the network, such as SSH or HTTPs.
• If you already have a master password configured and try to set a new one, the appliance will ask you first for the old master passphrase before allowing to set a new one.