Several Cisco ASA features require a password or secret key to be entered into the configuration. Some examples include:
- VPN pre-shared keys, for site-to-site IPsec tunnels and for remote access (the pre-shared-key under tunnel-group ipsec-attributes).
- The shared secret used when communicating with a AAA server such as RADIUS (the key under the aaa-server host entry).
- Routing protocol authentication keys for OSPF and EIGRP.
- The failover key that protects failover communication between the two units.
- The FTP password used when the ASA sends logs to an FTP server (logging ftp-server).
- The VPN load-balancing cluster key.
All of the above are shown as asterisks when you view the running configuration with "show run", but they are NOT encrypted inside the configuration file itself: the masking is applied only to that display. For example, if you copy the configuration to an external TFTP server, every one of the above passwords and secret keys appears in clear text in the copied file.
Moreover, the command "more system:running-config" also displays the running configuration with all passwords in plain text. Anyone who can run that command, or who obtains a configuration backup, therefore holds every shared secret the firewall uses.
If you want all of the above passwords stored in encrypted form in the configuration file, use the "Master Passphrase" feature. The master passphrase provides the key that is used to AES-encrypt all of these secrets universally, without changing how they function. The passphrase itself is never written to the configuration file; only the encrypted values are, so a copied configuration no longer reveals the secrets. This feature is available from version 8.3(1) and above.
1) Create the master passphrase. It must be between 8 and 128 characters long and must not contain the backspace or double-quote (") characters. Treat it like any other root secret and record it in your password vault, because it cannot be recovered from the device.
ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey
The above creates the master passphrase. Next, enable AES password encryption so that all of the secrets listed earlier are stored encrypted, and save the configuration so the setting persists:
2) Enable password encryption and save the configuration
ASA(config)# password encryption aes
ASA(config)# write mem
- You can verify the state with "show password encryption", which reports whether a passphrase is saved and active. Once encryption is enabled, "more system:running-config" and a TFTP copy of the configuration show the encrypted values instead of the original secrets.
- If you want to remove the master passphrase, use "no key config-key password-encryption [current passphrase]". The current passphrase is required, so the key cannot be removed by someone who does not know it.
- If failover is configured, set a failover key before creating or changing the master passphrase; otherwise the ASA displays an error and refuses the change, because the passphrase change would be sent to the peer unit in clear text.
- If you have lost the master passphrase there is no recovery path: you must erase the configuration and reboot the ASA ("write erase" followed by "reload"), then rebuild the configuration from a backup and re-enter the secrets by hand.
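Any backup taken before step 2 still contains every secret in clear text, so it is worth checking backups rather than assuming. The following script is an added example written for this article (it is not part of the original page and not a Cisco tool): it scans an ASA configuration file for the secret-bearing commands listed above and reports which values are plain text, which are already in the master-passphrase encrypted form, and which are merely masked because the file is "show run" output rather than a real backup. The command syntax in the patterns, the "8 <ciphertext>" encrypted form and the sample configuration are assumptions constructed for the example; check them against your own "more system:running-config" output. Run it against a fresh copy taken after step 2 and every finding should come back ENCRYPTED.

```python
"""Audit a saved Cisco ASA configuration for clear-text secrets.

Added example for this article; it is not part of the original page and not a
Cisco tool. It scans a configuration copied off the firewall (a TFTP backup or
the output of "more system:running-config") for the secret-bearing lines the
article lists and reports which secrets are still plain text.

Assumptions not stated on the page (verify against your own ASA output):
  * the command syntax of each secret-bearing line matches the patterns below;
  * a secret encrypted by the master passphrase appears as the type indicator
    "8" followed by a ciphertext string;
  * a value of "*****" means the file came from "show run", which only masks
    secrets on display and is not evidence that they are encrypted on disk.
"""
import re
from dataclasses import dataclass

PLAIN, ENCRYPTED, MASKED = "PLAIN", "ENCRYPTED", "MASKED"

# (label, pattern); every pattern captures the secret in the group "secret".
SECRET_PATTERNS = [
    ("VPN pre-shared key", re.compile(
        r"^\s*(?:ikev1 |ikev2 (?:local|remote)-authentication )?pre-shared-key\s+(?P<secret>.+?)\s*$")),
    ("VPN load-balancing cluster key", re.compile(r"^\s*cluster key\s+(?P<secret>.+?)\s*$")),
    # "key <secret>" is indented under an "aaa-server <tag> (<ifc>) host <ip>" block
    ("AAA server key", re.compile(r"^\s+key\s+(?P<secret>.+?)\s*$")),
    ("OSPF MD5 key", re.compile(r"^\s*ospf message-digest-key\s+\d+\s+md5\s+(?P<secret>.+?)\s*$")),
    ("OSPF authentication key", re.compile(r"^\s*ospf authentication-key\s+(?P<secret>.+?)\s*$")),
    ("EIGRP key", re.compile(r"^\s*authentication key eigrp\s+\d+\s+(?P<secret>\S+)")),
    ("failover key", re.compile(r"^\s*failover key\s+(?P<secret>.+?)\s*$")),
    ("logging FTP password", re.compile(
        r"^\s*logging ftp-server\s+\S+\s+\S+\s+\S+\s+(?P<secret>.+?)\s*$")),
]


@dataclass(frozen=True)
class Finding:
    lineno: int
    label: str
    state: str
    text: str      # the matched line with the secret replaced by <redacted>


def classify(value: str) -> str:
    """Decide whether a captured secret value is plain, encrypted or masked."""
    if re.fullmatch(r"\*+", value):
        return MASKED
    if re.fullmatch(r"8\s+\S+", value):      # assumed encrypted form, see module docstring
        return ENCRYPTED
    return PLAIN


def audit(config_text: str) -> list:
    """Return one Finding per secret-bearing line, never echoing the secret itself."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            m = pattern.match(line)
            if m:
                redacted = line[:m.start("secret")].strip() + " <redacted>"
                findings.append(Finding(lineno, label, classify(m.group("secret")), redacted))
                break
    return findings


def summarize(findings) -> dict:
    """Count findings per state so a backup job can fail when PLAIN is non-zero."""
    counts = {PLAIN: 0, ENCRYPTED: 0, MASKED: 0}
    for f in findings:
        counts[f.state] += 1
    return counts


# Constructed sample: a fragment of a TFTP backup taken before "password encryption aes"
# was enabled, except for the pre-shared key, which is already in the encrypted form.
SAMPLE_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10
 key radiussecret
interface GigabitEthernet0/1
 nameif inside
 ospf message-digest-key 1 md5 ospfkey123
 authentication key eigrp 100 eigrpkey key-id 1
failover key failoverkey
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key 8 3jK9x0QpR1
vpn load-balancing
 cluster key *****
logging ftp-server 10.1.1.20 /backups asauser ftppassword
"""

if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.lineno:3d}  {f.state:9s}  {f.label}: {f.text}")
    print("summary:", summarize(results))
```

The report deliberately redacts the secret values, so its output can be pasted into a ticket or a backup job's log without re-creating the very leak it is checking for; a backup pipeline can call summarize() and fail the job whenever the PLAIN count is non-zero. Note that a MASKED result is a warning in its own right: it means the file is "show run" output, which proves nothing about how the secrets are stored.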