How to configure Master Passphrase on ASA

Introduction

The master passphrase feature allows you to securely store plain text passwords in encrypted format. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. Passwords that take advantage of this feature include:

  • OSPF
  • EIGRP
  • VPN load balancing
  • VPN (remote access and site-to-site)
  • Failover
  • AAA servers
  • Logging
  • Shared licenses

Prerequisites

  • If failover is enabled but no failover shared key is set, then changing the master passphrase displays an error message, informing you that a failover shared key must be entered to protect the master passphrase changes from being sent as plain text.
  • This procedure will only be accepted in a secure session, for example by console, SSH or ASDM via HTTPS.
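As an added readiness check (not part of the original article or of Cisco's tooling), the Python below scans saved "show running-config" text for the failover prerequisite above and lists which of the covered features the config uses. The sample config and the mapping from feature names to command prefixes are assumptions.

```python
# Constructed sample of ASA "show running-config" output (not from a real device).
# Secrets appear masked as ***** the way the ASA displays them.
SAMPLE_CONFIG = """\
hostname asa-lab
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10
 key *****
router ospf 1
 network 192.0.2.0 255.255.255.0 area 0
logging host inside 192.0.2.20
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Command prefixes for the features the article lists as covered by the master passphrase.
# Mapping feature to prefix is an assumption; "Shared licenses" is omitted (syntax not on the page).
COVERED_FEATURES = {
    "OSPF": "router ospf",
    "EIGRP": "router eigrp",
    "VPN load balancing": "vpn load-balancing",
    "VPN": "tunnel-group",
    "Failover": "failover",
    "AAA servers": "aaa-server",
    "Logging": "logging host",
}


def check_readiness(config: str) -> dict:
    """Report whether a master passphrase change would be accepted and which covered features are in use."""
    lines = [line.rstrip() for line in config.splitlines()]
    # A bare "failover" line is what turns the feature on; "no failover" does not match.
    failover_enabled = "failover" in lines
    failover_key_set = any(line.startswith("failover key") for line in lines)
    in_use = sorted(
        name for name, prefix in COVERED_FEATURES.items()
        if any(line.startswith(prefix) for line in lines)
    )
    return {
        "failover_enabled": failover_enabled,
        "failover_key_set": failover_key_set,
        # Per the prerequisite: failover without a shared key means the key change is rejected
        # until "failover key" is configured.
        "safe_to_change_key": (not failover_enabled) or failover_key_set,
        "features_in_use": in_use,
    }
```

Run it against a real config export before the change window; a False safe_to_change_key means the failover shared key must be set first.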

Configuration

Setting up a new key

hostname(config)# key config-key password-encryption iattacku2

Setting up a new key interactively

hostname(config)# key config-key password-encryption
New key: try2attack
Confirm key: try2attack

Changing the old key

hostname(config)# key config-key password-encryption try2attack
Old key: iattacku2

Changing the old key interactively

hostname(config)# key config-key password-encryption
Old key: iattacku2
New key: try2attack
Confirm key: try2attack

Disabling the Master Passphrase

Note: You must know the current master passphrase to disable it. This procedure will only be accepted in a secure session, for example by console, SSH or ASDM via HTTPS.

hostname(config)# no key config-key password-encryption

Warning! You have chosen to revert the encrypted passwords to plain text. This
operation will expose passwords in the configuration and therefore exercise caution
while viewing, storing, and copying configuration.

Old key: try2attack

hostname(config)# write memory

Note: If the master passphrase is lost or unknown, it can be removed by using the write erase command followed by the reload command. This removes the master key along with the configuration containing the encrypted passwords.

Related Information

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/basic.html#wp1087850

Version history
Revision 2 of 2, last updated 08-23-2017 10:47 PM