https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298720#M415003 <P>The ASA can encrypt local&nbsp;passwords (and a community-string is also a password) in the config. For that password-encryption has to be configured:</P> <PRE>key config-key password-encryption SUPER-SECRET-KEY password encryption aes </PRE> <P>The key will not be visible in the config and the ASA can't use the encrypted keys until you configure the line with the config-key. That is meant with "deferred".</P> Tue, 19 Dec 2017 15:58:48 GMT Karsten Iwen 2017-12-19T15:58:48Z https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298668#M415001 <P>&nbsp;</P> <P>The following now appears in my ASA config file:</P> <P>(obfuscated hash)</P> <PRE>! The following entry is deferred until the password encryption key is specified. snmp-server community 8 jX1ZpJ8wlsJWIYJFHHnXF4htTLcjPvQPHGM=</PRE> <P>The snmp V2c works.&nbsp;</P> <P>&nbsp;</P> <P>Google search for the string "The following entry is deferred until the password encryption key is specified." returns nothing useful.</P> <P>So what does "deferred" mean?</P> <P>What is a "password encryption key?"</P> Fri, 21 Feb 2020 14:58:53 GMT https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298668#M415001 ericx 2020-02-21T14:58:53Z https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298720#M415003 <P>The ASA can encrypt local&nbsp;passwords (and a community-string is also a password) in the config. For that password-encryption has to be configured:</P> <PRE>key config-key password-encryption SUPER-SECRET-KEY password encryption aes </PRE> <P>The key will not be visible in the config and the ASA can't use the encrypted keys until you configure the line with the config-key. That is meant with "deferred".</P> Tue, 19 Dec 2017 15:58:48 GMT https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298720#M415003 Karsten Iwen 2017-12-19T15:58:48Z https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298857#M415005 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/325766">@Karsten Iwen</a> wrote:<BR /> <P>The ASA can encrypt local&nbsp;passwords (and a community-string is also a password) in the config. For that password-encryption has to be configured:</P> <PRE>key config-key password-encryption SUPER-SECRET-KEY password encryption aes </PRE> <P>The key will not be visible in the config and the ASA can't use the encrypted keys until you configure the line with the config-key. That is meant with "deferred".</P> <HR /></BLOCKQUOTE> <P>That's pretty clear; but it begs a few more questions..</P> <P>- How is it that the community string is hashed if no config-key has been supplied?</P> <P>- More to the point, the snmp v2c community string works fine from remote machines; so presumably it's not "deferred?"</P> <P>&nbsp;</P> Tue, 19 Dec 2017 19:32:03 GMT https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298857#M415005 ericx 2017-12-19T19:32:03Z https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298883#M415006 <P>Actually, you should just see the encrypted string and not a hash.</P> <P>If it works, it could be because of the rest of the config/setup that you didn't show. Hard to tell.</P> Tue, 19 Dec 2017 20:22:26 GMT https://community.cisco.com/t5/network-security/asa-9-3-2-wants-quot-password-encryption-key-quot/m-p/3298883#M415006 Karsten Iwen 2017-12-19T20:22:26Z