How to hide pre-shared keys in the running-config

Answered Question
Sep 11th, 2008

Hi guys,


I've covered almost all passwords by issuing the command 'service password-encryption'.


However, there is still one key that I am still able to see when I do "show run" and that is the pre-shared key that my router uses to establish an IPSec tunnel.


What is the command to hide this key?


Correct Answer
robertson.michael Thu, 09/11/2008 - 12:54

Hi Angel,


Depending on what software version you are running on the router, you can use the 'key config-key password-encrypt ' command (requires IOS 12.3(2)T or later). Here is a link to the documentation for this feature:


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml


Hope that helps.


-Mike
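
An added example, not part of the original thread or of Cisco's documentation: a Python check that scans a saved `show run` for ISAKMP pre-shared keys still stored in cleartext, the case the question describes after 'service password-encryption'. The sample configs and key values are constructed; it assumes the global `crypto isakmp key ... address ...` form, with type `6` marking a key encrypted after 'key config-key password-encrypt' and 'password encryption aes' are set.

```python
import re

# Global ISAKMP pre-shared key line. An optional "0" or "6" before the key is
# the encryption type; with no type shown, the key is stored as typed.
PSK_RE = re.compile(
    r"^\s*crypto isakmp key\s+(?:(?P<type>[06])\s+)?\S+\s+address\s+(?P<peer>\S+)"
)

def audit_psk(running_config):
    """Return (findings, aes_enabled) for one running-config text.

    findings is a list of (line_number, peer) for every pre-shared key that is
    not type 6. The key itself is never returned, so the report is safe to share.
    """
    findings = []
    aes_enabled = False
    for lineno, line in enumerate(running_config.splitlines(), 1):
        if line.strip() == "password encryption aes":
            aes_enabled = True
        m = PSK_RE.match(line)
        if m and m.group("type") != "6":
            findings.append((lineno, m.group("peer")))
    return findings, aes_enabled

# Constructed sample: only 'service password-encryption' is configured.
BEFORE = """\
service password-encryption
!
crypto isakmp key Constructed-PSK-1 address 192.0.2.10
crypto isakmp key 0 Constructed-PSK-2 address 192.0.2.20
"""

# Constructed sample: AES password encryption enabled (the blob is a placeholder).
AFTER = """\
service password-encryption
password encryption aes
!
crypto isakmp key 6 CONSTRUCTEDTYPE6BLOB address 192.0.2.10
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        findings, aes = audit_psk(cfg)
        print(f"{name}: 'password encryption aes' present = {aes}")
        for lineno, peer in findings:
            print(f"  line {lineno}: cleartext pre-shared key for peer {peer}")
```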


insccisco Thu, 09/11/2008 - 13:08

Mike, you're the best. Thank you.


This did the trick.


Can you send me a link where this new feature is explained in detail?



Correct Answer
robertson.michael Thu, 09/11/2008 - 14:16

Hi Angel,


I'm glad that worked for you. Here are a few links that discuss the command:


Command Reference:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_k1gt.html#wp1179793


Configuration Example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml


-Mike

jamesgef Fri, 10/03/2008 - 12:30

However, for precautionary reasons and a better understanding of how secure this is, where and how is the master key stored?


I entered the master key for AES encryption, rebooted the router and tried changing the master key. The router correctly knew what the old master key was and therefore needs to store the password somewhere.


Thanks!


James
