Encrypting Shadow directory

Unanswered Question
Mar 5th, 2009


Is there any way we can encrypt the contents of the RME shadow directory and unencrypt files as needed?

Joe Clarke Thu, 03/05/2009 - 17:17

I guess you could, but there is no way to automatically do this within LMS. For example, you could have a script that periodically encrypts files in this directory with PGP or something similar. LMS doesn't actually read the files here, so that will not cause a problem.

georgeef1 Thu, 03/05/2009 - 19:03

OK, so there are no problems as CW2K backs up the files and adds new ones. Usually encryption scripts would create a file extension, so if we have routera.cfg and encrypt it, and a change occurs, it would go back to routera.cfg? I guess we would need to add logic to the script to do this?


Joe Clarke Thu, 03/05/2009 - 19:26

As RME updates the configs, new unencrypted .cfg files would be created. Your periodic encrypter would need to have some logic to check for changes, and encrypt the new files.
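
The periodic encrypter discussed in the replies above, as an added example (not part of the thread and not Cisco code). It assumes `gpg` is on the PATH with the recipient's public key imported, that the shadow directory path and key ID are passed on the command line, and that a 60-second settle window is enough to avoid files RME is still writing; the function names are hypothetical.

```python
import os
import subprocess
import sys
import time
from pathlib import Path

def gpg_encrypt(src: Path, dst: Path, recipient: str) -> None:
    # Public-key encryption: the server needs no decryption key, so a copy of
    # the directory alone does not expose the configs.
    subprocess.run(["gpg", "--batch", "--yes", "--recipient", recipient,
                    "--output", str(dst), "--encrypt", str(src)], check=True)

def sweep(shadow_dir, recipient, encrypt=gpg_encrypt, settle_seconds=60, now=None):
    """Encrypt every plaintext .cfg under shadow_dir; return the paths handled.

    A plaintext .cfg is itself the change signal: RME rewrites it unencrypted
    whenever a device config changes, so no separate state file is needed.
    """
    now = time.time() if now is None else now
    handled = []
    for src in sorted(Path(shadow_dir).rglob("*.cfg")):
        before = src.stat()
        if now - before.st_mtime < settle_seconds:
            continue  # may still be mid-write; the next run picks it up
        final = src.with_name(src.name + ".gpg")      # routera.cfg.gpg
        tmp = src.with_name(src.name + ".gpg.tmp")
        encrypt(src, tmp, recipient)
        after = src.stat()
        if (after.st_mtime_ns, after.st_size) != (before.st_mtime_ns, before.st_size):
            tmp.unlink()  # file changed while encrypting; retry next run
            continue
        os.replace(tmp, final)  # atomically supersede the older ciphertext
        src.unlink()            # removes the name only; disk blocks are not wiped
        handled.append(src)
    return handled

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage (assumed): encrypt_shadow.py <shadow_dir> <gpg_recipient>
    for path in sweep(sys.argv[1], sys.argv[2]):
        print("encrypted", path)
```

Run it from the OS scheduler at whatever interval bounds the acceptable plaintext exposure; between a config change and the next run the new .cfg sits unencrypted.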

Marvin Rhoads Fri, 03/06/2009 - 04:40

If your server OS is Windows, why not just make the directory (or entire disk) encrypted using BitLocker or NTFS file encryption? Of course, a user with server credentials (local or AD domain-based) may be able to access the files, but I would suppose you know that. (They could be further locked down with a Windows ACL policy.)

Hope this helps. Please rate the post if it does.

georgeef1 Mon, 03/09/2009 - 05:03


I am looking at using NTFS explicit, but was wondering: with all the encryption, will the internal stuff still work, like config searches, compliance templates, etc.?

Please suggest!

Marvin Rhoads Mon, 03/09/2009 - 08:02

Remember that the CiscoWorks processes are running as services (owned by the system) on the NT platform. As such, they essentially have "root" level access and are able to access files with credentials appropriate to that level.

You might want to read up on BitLocker deployment at Microsoft's web site. See http://technet.microsoft.com/en-us/windows/aa905065.aspx , for example.

I hope this helps. Please rate this post if it does.

Joe Clarke Mon, 03/09/2009 - 09:30

This is not actually true. Most of the CiscoWorks daemons run as casuser, and do not have system-level access. In particular, ConfigMgmtServer runs as casuser, and it is responsible for reading and writing configurations.

That said, transparent encryption of the shadow directory should not be a problem. As I said before, the shadow directory is essentially write-only from the perspective of LMS.

Encryption or compression of other LMS directories may result in functional and performance problems within LMS. Such configurations have not been officially tested.

Marvin Rhoads Mon, 03/09/2009 - 11:02

Thanks for the correction, Joe. I had forgotten about the casuser user name. Still, isn't casuser usually part of at least the administrators group (or the power users group)?

The BitLocker deployment guide does note some hit (single digit percentage) on the performance of disk subsystems when using that technology.

georgeef1 Mon, 03/09/2009 - 11:41


Looks like we are going to disable the shadow directory. What we would like to know is if there will be, or there is potential to have, an impact on the running of the application in other functions, like config search, baseline template compliance checker / deployment, config versions, etc.

Also, we would like to see that anything that would be in the files directory be encrypted in a future release of LMS.

If we go ahead and develop our own encryption solution, and decide to encrypt the file directory structure, how would this impact job reports and other functions of CiscoWorks?

Please be advised, I am under a tight timeline for answers due to an info sec audit.

Joe Clarke Mon, 03/09/2009 - 12:54

Disabling the shadow directory will not affect other LMS functions. It just means you will not have easy access to the latest config from each device outside of RME.

You should have your account team file a Product Enhancement Request on your behalf requesting encryption support.

I cannot say for certain what effect encryption will have on critical LMS directories. We never tested such a scenario. My guess would be the only impact would be a slight performance hit, but there could be functional issues as well. I would have to recommend against it at this time.
