Tagging on to this discussion from another thread in the forum:
Actually the answer to this question is very highly release dependent. Earlier releases did not support it. Current releases do. I am not sure where the change is and believe it may be a 12.3 (or maybe even a 12.3T) enhancement. I have quite a few routers (most with TACACS and some with Radius) where the key is encrypted. When I started with those routers the key was not encrypted. At some point in doing a software version upgrade the keys for TACACS/Radius started being encrypted.
The encryption of the TACACS/Radius key is part of the service password encryption. The service has been enhanced several times to increase the number of keys that it protects. If you have service password encryption enabled (and in a live network I hope that you do) and have a release that supports the new enhancement your TACACS/Radius key will be encrypted automatically. If your version of IOS does not support it yet the key will not be encrypted.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...