
How to hide or encrypt a password in kron or EEM script when using scp to backup config

paul amaral

Hi, I’m looking for suggestions on the following backup scenario and specifically looking to see if there’s a better way of doing this.

I have a couple of Cisco routers, IOS 16.x, that are connected together via a back-channel mgt link. One router is active; the other is a cold standby backup router. The backup router gets sent the config from the active router via SCP copy. This copies the active router’s start config over to the backup router’s bootflash. I’m doing this via a kron scheduled job. I know I can do this with EEM scripts with the same result, but my biggest concern is that the username used to copy over the config via SCP has the password visible in the active router’s config.


I’m using this command to copy over the config to the backup router,

copy start scp://backupuser:xxxxxxx@


I just don’t like how the username’s password is visible. Is there a way to obfuscate this or encrypt the password so it’s not visible in the config? Likewise, is there a better solution than SCP? I know the router (ASR) can have a hot standby config, but for various reasons we came to the conclusion that copying the config over and then applying the config as needed is the simplest way to an already complicated network. BTW, I do have service password-encryption, but that only works for what IOS recognizes as a password command.


On the active router I have this


! stops the copy command from getting stuck when running inside kron; it will not ask for confirmation
file prompt quiet

! schedule kron job

kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring

kron policy-list ASR-config-to-Backup-ASR

 cli copy start scp://backupuser:xxxxxxx@

On the destination router I have,


! enable scp copies from another device
ip scp server enable

! username that is used on the active router to copy the config over to bootflash
username backupuser privilege 15 secret 9 xxxxxxxx

I also don't like how the username that copies over the config via SCP has to be privilege 15. I looked to see if there is a way to give it only write access to the bootflash, but I can't seem to find a way with privilege level commands; not sure if there is a way with aaa authorize.



Looking forward to a better way of doing this and/or how to not make the password visible.


TIA, Paul

3 Replies

VIP Engager

I do not have a complete answer, but you can configure a user account that has access only to the "copy" command.

paul driver
VIP Expert


The ISR-ASR's should support type 9 encryption, which should be applicable:

username xxxx privilege 15 algorithm-type scrypt secret xxxxx


Kind Regards

Yes, that works for AAA usernames. In kron I'm using a cli command with username:password@host, and there doesn't seem to be a way to hide the password.
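An added example, not part of the thread or of any Cisco tooling: a Python audit that scans a saved IOS config for passwords embedded in copy URLs (the scp://user:password@host form discussed above) and reports each one redacted, noting whether it sits in a kron policy-list or EEM applet. The sample config, address, file names and password are constructed for illustration.

```python
import re

# Constructed sample modelled on the commands quoted in the thread;
# the address, file names and password are made up.
SAMPLE_CONFIG = """\
service password-encryption
username backupuser privilege 15 secret 9 $9$constructed
file prompt quiet
kron occurrence ASR-config-to-Backup-ASR at 5:00 Sat recurring
 policy-list ASR-config-to-Backup-ASR
kron policy-list ASR-config-to-Backup-ASR
 cli copy start scp://backupuser:Sup3rSecret@192.0.2.10/active.cfg
event manager applet BACKUP
 action 1.0 cli command "copy start scp://backupuser@192.0.2.10/a.cfg"
"""

# scheme://user:password@ ; a URL with only user@host does not match.
URL_CRED = re.compile(
    r"\b(?P<scheme>scp|sftp|ftp|https?)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@",
    re.IGNORECASE,
)
SCHEDULED = ("kron policy-list", "event manager applet")


def find_url_credentials(config_text):
    """Return one finding per config line that embeds a password in a URL."""
    findings = []
    section = ""
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        if raw and not raw[0].isspace():
            section = raw.strip()  # an unindented command opens a new section
        m = URL_CRED.search(raw)
        if not m:
            continue
        # Never echo the secret into the report: cut it out of the line.
        redacted = raw[:m.start("pw")] + "<redacted>" + raw[m.end("pw"):]
        findings.append({
            "line": lineno,
            "section": section,
            "user": m.group("user"),
            "scheduled": section.startswith(SCHEDULED),
            "text": redacted.strip(),
        })
    return findings


if __name__ == "__main__":
    for f in find_url_credentials(SAMPLE_CONFIG):
        print(f"line {f['line']} [{f['section']}] user={f['user']}: {f['text']}")
```

Run against config archives or backups, this shows every place the cleartext password has been copied to, which is the set of files to protect or rotate after.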
