
Using encrypted hard drives with CLI

TW80CJ5
Level 3

Hello All,

Anyone have any luck using an encrypted hard drive within Cisco CLI? I need to provide a secure solution to move configurations and IOS updates onto devices. The client is requiring the use of encrypted hard drives.

Thoughts / Suggestions????

Here is what I am trying to use:

1. https://www.amazon.com/Kingston-8GB-Traveler-Encrypted-DTVP30/dp/B00G31OPB0/ref=psdc_3151491_t2_B00G31OP56#
2. https://www.amazon.com/gp/product/B0061DCKQ2/ref=ox_sc_act_title_1?smid=A3VAXQVD2J6565&psc=1
3. https://www.amazon.com/Apricorn-256-bit-Encrypted-Validated-ASK3-NX-8GB/dp/B07GKZWB6N/ref=sr_1_3?dchild=1&keywords=encrypted%2Busb%2Bdrive&qid=1624896046&sr=8-3&th=1

marce1000
VIP

 - IOS has no support for that, meaning if the device does the encrypting 'locally', it may work; IOS won't bother.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Dan Frey
Cisco Employee

There are tcl modules that can do encryption/decryption like aes.tcl. To use the aes.tcl module users need to create read/write channels to create files. There are three files in the crypt_keeper.zip file below being used as an example: 1) aes.tcl file, 2) crypt_keeper.tcl to do encryption, 3) decrypt_keeper.tcl for decryption.

Encryption: crypt_keeper.tcl calls the aes.tcl file to encrypt the running config and writes this to the router media drive as a file called cipherconfig.

Decryption: decrypt_keeper.tcl reads in the cipherconfig file, decrypts it and writes it to router media as the file plaintext.

The scripts dynamically discover the router media but this could be changed to write to usbflash0:. The aes.tcl file should not be modified but the other two files can be modified based on requirements. The first argument "donotEnter123456" is the encryption key and the same key needs to be entered to successfully decrypt.


lab-csr20#tclsh bootflash:crypt_keeper.tcl donotEnter123456

***Please wait.  Encrypting running config to bootflash:cipherconfig***

view encrypted file
lab-csr20#more bootflash:cipherconfig
00000000:  F78BCCE1 EC252FC3 0E7F4BC1 54BFC00B    w.La l%/C ..KA T?@.
00000010:  1C3157F5 C479555C DC58F469 DCED75FF    .1Wu DyU\ \Xti \mu.
00000020:  E353D1F7 C406150B 0EA5EF77 60DFC11C    cSQw D... .%ow `_A.
00000030:  BBA510A9 CEC48883 7E356A73 C81B63F5    ;%.) ND.. ~5js H.cu
00000040:  2D461773 51D14080 8870A6DB E2050B48    -F.s QQ@. .p&[ b..H
00000050:  FBDB30B9 404CA51F A5922305 D5600631    {[09 @L%. %.#. U`.1
00000060:  80C19B2D 49C76888 D81C5597 8AFD1E2F    .A.- IGh. X.U. .}./
<truncate>

decrypt bootflash:cipherconfig to bootflash:plaintext
lab-csr20#tclsh bootflash:decrypt_keeper.tcl donotEnter123456

  Please wait decrypting config using key donotEnter123456

lab-csr20#more bootflash:plaintext
Building configuration...

Current configuration : 10481 bytes
!
! Last configuration change at 14:28:38 UTC Tue Jun 29 2021 by admin
!
version 17.4
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80

 

Wow! That is very impressive. I will test out on our devices and follow up for sure. It may take a few days. Thank you!!!!