tailf:aes-256-cfb-128-encrypted-string question

sm000x
Level 1

Hi, all:

I recently encountered something I do not understand.

My vendor's device YANG has the following:

    leaf secret-key {
        tailf:info "Secret key string shared for a connection";
        type tailf:aes-256-cfb-128-encrypted-string;
        mandatory true;
    }

I set the secret-key to "Hello World!" in FASTMAP.
But when I do dry-run or actually applyTrans
I see

for dry-run:
+ secret-key $9$VLjeFOYX6YJBjQH68ulnt1SMT6joLrmXfqIz4Bq76Xg=

for applyTrans, the trace log shows:
<edit-config>
:
:
<secret-key>$9$VLjeFOYX6YJBjQH68ulnt1SMT6joLrmXfqIz4Bq76Xg=</secret-key>


I checked tailf-common.yang; aes-256-cfb-128-encrypted-string is:

    typedef aes-256-cfb-128-encrypted-string {
        type string;
        description
            "The aes-256-cfb-128-encrypted-string works exactly like
             des3-cbc-encrypted-string but AES/256bits in CFB mode is used to
             encrypt the string. The prefix for encrypted values is '$9$'.";
    }

it is a string.

I wonder where the $9$VLjeFOYX6YJBjQH68ulnt1SMT6joLrmXfqIz4Bq76Xg= value comes from. How does NSO know to encrypt the plain-text "Hello World!"?

THX
sm000x

6 Replies

Jens Albrecht
Spotlight

Hello @sm000x,

Looking at the Cisco NSO Docs: Encrypted Strings you will find:

"By using the NSO built-in encrypted YANG extension types tailf:aes-cfb-128-encrypted-string or tailf:aes-256-cfb-128-encrypted-string, it is possible to store encrypted string values in NSO that can be decrypted."

The YANG type aes-256-cfb-128-encrypted-string signals to NSO that any input value should be encrypted using the AES-256 algorithm, CFB mode, with 128-bit segments.

So when you enter plaintext (like "Hello World!") in the UI or via API, NSO automatically encrypts this value prior to storing or displaying it in configuration. For this purpose NSO uses its internal encryption engine and the master key managed in the system configuration. The encrypted string is then prefixed with $9$ to indicate its encoding type. 

Any output will show this base64-encoded ciphertext, e.g. $9$VLjeFOYX6YJBjQH68ulnt1SMT6joLrmXfqIz4Bq76Xg=, as stored in the configuration for security reasons.

HTH!

Hi, Jens:

Thank you so very much for the explanation. This is very helpful.

Thank you

sm000x

sm000x
Level 1
Hi, Jens:

Thank you so much for your reply. I have one more question: when NSO sends the encrypted value to configure the network device, will NSO decrypt the $9$ value first?

Thank you
sm000x

Jens Albrecht
Spotlight

Hi @sm000x,

NSO knows the master key used for encryption and the $9$ prefix indicates the encoding type.
Therefore, NSO is able to decrypt the base64-encoded ciphertext at any time as needed.
So the cleartext is only processed internally by NSO and any output will always show the encoded ciphertext.

HTH!

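To make the two answers above concrete (the value is AES-256-CFB ciphertext under the master key, base64-encoded and tagged with $9$, and NSO can reverse it whenever it needs the cleartext), here is a small added example that is not NSO's own code. It assumes a 32-byte master key and an IV-prepended layout inside the base64 blob; NSO's real internal layout is not documented in this thread, so treat the layout as an illustration of the mechanism, not a compatible reimplementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Marker the tailf type uses for encrypted values (from tailf-common.yang).
const prefix = "$9$"

// Encrypt returns prefix + base64(iv || ciphertext) using AES-256 in CFB mode
// with a 128-bit segment (Go's CFB uses full-block feedback). The IV-prepended
// layout is an assumption for this example, not NSO's documented format.
func Encrypt(masterKey []byte, plaintext string) (string, error) {
	if len(masterKey) != 32 {
		return "", errors.New("AES-256 requires a 32-byte master key")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, buf[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, buf[:aes.BlockSize]).XORKeyStream(buf[aes.BlockSize:], []byte(plaintext))
	return prefix + base64.StdEncoding.EncodeToString(buf), nil
}

// Decrypt reverses Encrypt; it refuses input without the $9$ marker, which is
// how a tool (or a reader of a dry-run) tells ciphertext from a plaintext leak.
func Decrypt(masterKey []byte, encoded string) (string, error) {
	if !strings.HasPrefix(encoded, prefix) {
		return "", errors.New("value lacks the $9$ prefix: not an encrypted string")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(encoded, prefix))
	if err != nil || len(raw) < aes.BlockSize {
		return "", errors.New("malformed encrypted value")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, raw[:aes.BlockSize]).XORKeyStream(out, raw[aes.BlockSize:])
	return string(out), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, not a real master key
	enc, _ := Encrypt(key, "Hello World!")
	dec, _ := Decrypt(key, enc)
	fmt.Println(enc, "->", dec)
}
```

Whoever holds the master key can run the Decrypt step, so the $9$ value in a trace log or dry-run output is only as confidential as the master key itself.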
Jens:

Thank you for this quick response. It is really helpful.

Thank you again
sm000x

Jens Albrecht
Spotlight

You're welcome! We are here to help.