Master Key

Manual Chapter : Master Key

Applies To:

Show Versions

ARX

6.3.0

The master key encrypts and decrypts all of the Critical-Security Parameters (CSPs), such as passwords, on the ARX. You can use the master key in conjunction with the show running-config and show global-config commands to backup and restore the full switch configuration, including passwords.

show master-key

Purpose

The ARX supports a single master key that encrypts and decrypts all of its CSPs (such as passwords). You generate the master key as part of the switchs initial boot process; use the show master-key command to get an encrypted copy of the master key.

This command prompts you for two passwords:

System Password is a password entered at initial-boot time. It is 12-32 characters long. This validates that you have permission to access the master key.

Wrapping Password is set with this command. The security software uses this to encrypt (and later decrypt) the master-key string.

Enter 12-32 characters. At least one character in this password must be a number (0-9) or a symbol (!, @, #, $, and so on).

Save this password: you will need it to decrypt the master key later, on the secondary switch.

This command outputs a base64-encoded string that is the encrypted master key. Save this string and the wrapping password that you set in the command.

You can use these pieces of information to duplicate the master key later on a redundant switch; both switches in a redundant pair must share the same master key. If you set up two redundant pairs in a disaster-recovery configuration, where one pair is an active cluster (see cluster-name) and the other is a backup cluster, all four switches must share the same master key.

For maximum security, the encrypted master key and its wrapping password must be saved separately.

Guidelines: Resetting the Master Key

There are occasions where you may need to reset your master key. For example, your chassis may be designated for use in a backup cluster for a disaster-recovery setup, and may need the same master key as the switches in the active cluster. If the master key was not copied during installation, you must reset the switch to its factory defaults to change it.

You must clear your entire configuration to reset your master key. You can restore the running-config (network parameters), but the global-config (storage parameters) should remain clear for a backup switch. Follow these steps to reset a switch back to its factory defaults and reset its master key:

Use the copy running-config command to copy the entire running configuration (network-level parameters, not storage parameters) into a file on the chassis.

The ARX should not be running any storage services if it is designated as a backup; a backup is designed to take over services from the active switch or cluster after a failover. Use the remove service command to clear each service that is currently running, if any. This cleanly de-couples the ARX software from all back-end filers.

Connect a serial cable to the Console port. Only the Console port is available after you take the next step.

Use delete startup-config and delete configs boot-config to delete the entire configuration, and then run the reload command. This resets the machine to its factory defaults, disables all management-IP interfaces, and reruns the initial-boot script at the Console port.

Use the initial-boot script to reset the master key. For detailed instructions on the initial-boot process, refer to the hardware-installation guide for your chassis.

Invoke the run command on the running-config file that you saved onto the chassis earlier. This re-establishes all of your network parameters.

Sample

bstnA(cfg)# show master-key

System Password: Sup3r$ecretpw

Wrapping Password: An0ther$ecretpw

Validate Wrapping Password: An0ther$ecretpw

Encrypted master key:

2oftVCwAAAAgAAAApwazSRFd2ww/H1pi7R7JMDZ9SoIg4WGA/XsZP+HcXjsIAAAADDRbMCxE/bc=

bstnA(cfg)#

Related Commands