Introduction
The master passphrase feature allows you to securely store plain text passwords in encrypted format. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. Passwords that take advantage of this feature include:
- OSPF
- EIGRP
- VPN load balancing
- VPN (remote access and site-to-site)
- Failover
- AAA servers
- Logging
- Shared licenses
Prerequisites
- If failover is enabled but no failover shared key is set, then changing the master passphrase displays an error message, informing you that a failover shared key must be entered to protect the master passphrase changes from being sent as plain text.
- This procedure will only be accepted in a secure session, for example by console, SSH or ASDM via HTTPS.
Configuration
Setting up a new key
hostname(config)# key config-key password-encryption iattacku2
Setting up a new key interactively
hostname(config)# key config-key password-encryption
New key: try2attack
Confirm key: try2attack
Changing the old key
hostname(config)# key config-key password-encryption try2attack
Old key: iattacku2
Changing the old key interactively
hostname(config)# key config-key password-encryption
Old key: iattacku2
New key: try2attack
Disabling the Master Passphrase
Note: You must know the current master passphrase to disable it. This procedure will only be accepted in a secure session, for example by console, SSH or ASDM via HTTPS.
hostname(config)# no key config-key password-encryption
Warning! You have chosen to revert the encrypted passwords to plain text. This
operation will expose passwords in the configuration and therefore exercise caution
while viewing, storing, and copying configuration.
Old key: try2attack
hostname(config)# write memory
Note: If the master passphrase is lost or unknown, it can be removed by using the write erase command followed by the reload command. This removes the master key along with the configuration containing the encrypted passwords.
Related Information
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/basic.html#wp1087850