backup config contains actual key or encrypted key?

mirehteshamali
Level 1

Hi,

If I take a backup of the router's config via the TFTP method, will it get the exact security strings like SNMP communities, IPsec pre-shared keys, NTP keys, routing protocol adjacency keys, line passwords, and passwords associated with user accounts?

I fear the router encrypts passwords when the service password-encryption command is issued. If I get backups containing encrypted passwords, then after applying the backup the IPsec/HSRP/IGP adjacency may fail.

If I am not clear...

Let's say the auth key is ABC1234. After encrypting it became qazzaq (let's say). The question is, if I take a backup, what does it get, ABC1234 or qazzaq? And if I re-apply the backup config to a router... if it contains qazzaq, the adjacency breaks up as the actual password is ABC1234...

Thanks

Accepted Solution

Peter Paluch
Cisco Employee

Hello,

Your question is very valid, and in fact, quite a number of people are uncertain about the password handling.

To my best knowledge, IOS-based Cisco routers support 4 types of password encryption or protection:

  • Type 0: no encryption nor hashing (i.e. plain-text)
  • Type 5: MD5 hashing (irreversible)
  • Type 6: AES encryption (reversible; used only for IPsec keys)
  • Type 7: XOR-based encryption (reversible and weak; principally a polyalphabetic substitution with the entire algorithm, including the encryption key, being very well known)

What kind of protection was used on a password in a configuration command is indicated in the particular command by a number preceding the password field describing the protection type, e.g.:

username peterp password 0 MyPassword

Here, the number 0 signifies no encryption. After entering the service password-encryption, the command is automatically modified to:

username peterp password 7 022B1D6B0A151C36435C0D

Notice that now, the protection type has automatically been changed from 0 to 7, and the password is encrypted. This allows the router to know that the string 022B1D6B0A151C36435C0D is not the actual password to be expected from the user, but rather an encrypted version of that password using the Type 7 encryption.

If using commands that protect passwords using MD5 hashing (making the decryption impossible as the hashing is an irreversible operation), you will see, for example:

enable secret 5 $1$GGVW$vp33xKWhk6itcAPQaJKfV/

Here, note the number 5 indicating that the following string is an MD5 hash of the original password.

If the password encryption aes and key config-key have been configured, the IPsec shared passwords can be AES-encrypted. The following is an example of how the line would look:

crypto isakmp key 6 UeOZQHfWLDLVgDf[FaDLiUIZDY_TZfDBe address 1.1.1.1

Note the number 6 indicating that the AES encryption is being used to protect this particular password.

Now, to answer your question. If you create a backup of your configuration, the backup will contain all commands exactly as visible in the show running-config output, i.e. passwords may be encrypted, hashed, etc. However, as I indicated earlier, each such command contains a clear indication whether the password is already encrypted or hashed. Therefore you do not need to take any special precautions when you restore the backup configuration because each command with a password already correctly indicates whether the password is protected and in what way. You simply restore the backup config and all will be just fine.

Best regards,

Peter
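As an added, runnable illustration of the answer above (example code written for this page, not Peter's or Cisco's), the Python script below decodes Type 7 strings with the publicly known XOR key, recovering the post's own `022B1D6B0A151C36435C0D` as `MyPassword`, and then audits a constructed sample backup to report, per secret-bearing line, how IOS will read the value back on restore and whether the plaintext can be recovered from the backup alone. The sample config, the extra Type 7 strings for the NTP, OSPF and HSRP lines, and the function names are all constructed for this example; the `snmp-server community` and `ntp authentication-key` handling reflects that those commands carry no leading type digit (the NTP form puts the digit after the string).

```python
import re

# Cisco's well-known Type 7 XOR key (public for decades). The two decimal digits
# that open a Type 7 string are the starting index into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Reverse a Type 7 string: two seed digits, then hex bytes XORed with
    TYPE7_KEY starting at the seed offset. Raises ValueError on malformed input."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a well-formed Type 7 string")
    seed = int(encoded[:2])
    if seed >= len(TYPE7_KEY):  # IOS itself only emits seeds 00..15
        raise ValueError("seed out of range")
    data = bytes.fromhex(encoded[2:])  # raises on non-hex characters
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


def type7_encrypt(plaintext: str, seed: int = 2) -> str:
    """Forward direction: the same fixed-key XOR, which is exactly why anyone
    holding the config (or a backup of it) can reverse Type 7."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 00..15")
    data = plaintext.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


# Most IOS commands put the protection-type digit right before the secret.
SECRET_RE = re.compile(r"\b(?:password|secret|key|key-string|md5)\s+([0567])\s+(\S+)")
# ntp authentication-key is the exception: the digit, if present, trails the secret.
NTP_RE = re.compile(r"^ntp authentication-key\s+\d+\s+md5\s+(\S+)(?:\s+([07]))?$")

STATUS = {0: "plaintext",
          5: "hashed (MD5-crypt, irreversible)",
          6: "AES (needs the router's config-key master key, not in the config)",
          7: "reversible (fixed-key XOR)"}


def audit_config(config_text: str) -> list:
    """Classify each secret-bearing line the way IOS will interpret it on restore
    and recover the plaintext where the encoding allows it."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NTP_RE.match(line):
            ptype, value = int(m.group(2) or 0), m.group(1)
        elif m := SECRET_RE.search(line):
            ptype, value = int(m.group(1)), m.group(2)
        elif line.startswith("snmp-server community "):
            ptype, value = 0, line.split()[2]  # no type digit; stored as typed
        else:
            continue
        plaintext = None
        if ptype == 0:
            plaintext = value
        elif ptype == 7:
            plaintext = type7_decrypt(value)
        findings.append({"line": line, "type": ptype,
                         "status": STATUS[ptype], "plaintext": plaintext})
    return findings


# Constructed sample backup: the three lines quoted in the answer plus a few more
# secret-bearing commands whose Type 7 strings were generated for this example.
SAMPLE_CONFIG = """\
username peterp password 0 MyPassword
username admin password 7 022B1D6B0A151C36435C0D
enable secret 5 $1$GGVW$vp33xKWhk6itcAPQaJKfV/
crypto isakmp key 6 UeOZQHfWLDLVgDf[FaDLiUIZDY_TZfDBe address 1.1.1.1
snmp-server community public RO
ntp authentication-key 1 md5 030A4F1B0D0A38 7
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 7 00250103050B
 standby 1 authentication md5 key-string 7 10461A0B1546
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["plaintext"] if f["plaintext"] is not None else "(not recoverable)"
        print(f"type {f['type']}  {f['status']:<62} {shown:<18} <- {f['line']}")
```

The point for the original question: every line restores unchanged because the digit tells IOS how to treat the string, so adjacencies keep working after a restore. The flip side is that a backup holding Type 0 or Type 7 strings is as sensitive as the plaintext keys themselves and must be stored accordingly, while Type 6 values only restore correctly on a router that has the same config-key master key configured.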
