Encrypting Sensitive Data

The Virtual Service Router configuration sometimes has to be stored outside of the device.

To prevent unauthorized access to sensitive data in that case, Virtual Service Router can encrypt the leaves of the configuration and state that are predefined as sensitive, using a master key.

This section explains how to manage and use the master key.

Master key management

The master key is used to encrypt the secret leaves, using the aes-256-cbc algorithm with a sha256 digest.

Let’s cover its lifecycle.

Note

Only one master key can be active at a time.

Adding a master key

The following example adds two master keys, key1 and key2:

vsr> cmd master-key add name key1 key
Enter value for key> asecurekey
Confirm value for key> asecurekey
vsr> cmd master-key add name key2 key averylongstringwithsymbols^@_

The key can be entered directly on the command line. If it is omitted, the user is prompted for it, so that the key is neither displayed on screen nor kept in the command history.

Note

The master key is not saved in the configuration and is no longer visible after being added.

Activating a master key

The secret leaves are not encrypted until a master key is activated. To activate the key1 master key:

vsr> cmd master-key activate name key1

Listing the master keys

The key1 master key is active, key2 is inactive:

vsr> show master-key
show-master-key
    master-key key1
        active
        ..
    master-key key2
        ..
    ..

Deleting a master key

When a master key is not used anymore (i.e. not active), it can be removed using:

vsr> cmd master-key delete name key2

Note

  • It is not possible to delete the active master key.

Deactivating the active master key

To deactivate the currently active master key:

vsr> cmd master-key deactivate

Note

  • It is possible to deactivate the active master key. However, data that has already been encrypted is left unchanged, so the encrypted values in the configuration are no longer valid.

  • Likewise, changing the active master key does not re-encrypt the secret leaves on the fly. The steps required to re-encrypt the entire configuration are described later in this documentation, under Updating a master key and the configuration.

Configuring secret leaves

When a master key is active, the secret leaves can be set using clear text. The clear text is encrypted on the fly: it is committed encrypted by the commit command and appears encrypted after the exit command. An encrypted value consists of the 6wind-encrypted- prefix followed by a base64 string:

vsr running config# / system aaa radius 1234 address 1.0.0.1 secret my-secret
vsr running config# show config / system aaa radius 1234 secret
secret 6wind-encrypted-a2V5MTtTYWx0ZWRfX0qqHbckHI53jU3B5mN7ZLrhTptHL72mhA==
vsr running config# commit
Configuration commited.
vsr running config# exit
vsr> show config / system aaa radius 1234 secret
secret 6wind-encrypted-a2V5MTtTYWx0ZWRfX0qqHbckHI53jU3B5mN7ZLrhTptHL72mhA==

Note

  • The secret leaves can be set using already encrypted data.

Use cases

Encrypting a configuration

The encrypt command uses the given master key to encrypt the source configuration and writes the result to the destination. In the following example, a new master key called key3 is added, then the running configuration is encrypted to a file called encrypted using the master key key3:

vsr> cmd master-key add name key3 key anotherkey3
vsr> show config / system aaa radius 1234 secret
secret my-secret
vsr> encrypt master-key-name key3 running file encrypted
vsr> show config file encrypted / system aaa radius 1234 secret
secret 6wind-encrypted-a2V5MztTYWx0ZWRfX/o9vEjLZHVaDYC4dgztMCMzWi+0EeErLw==

Note

  • The source configuration must not contain encrypted leaves.

Loading an already encrypted configuration

In this example, the file encrypted was encrypted with key3. The master key key3 must be added and active before loading the configuration file:

vsr running config# cmd master-key activate name key3
vsr running config# show config file encrypted / system aaa radius 1234 secret
secret 6wind-encrypted-a2V5MztTYWx0ZWRfX/o9vEjLZHVaDYC4dgztMCMzWi+0EeErLw==
vsr running config# load file encrypted
vsr running config# commit
vsr running config# show config / system aaa radius 1234 secret
secret 6wind-encrypted-a2V5MztTYWx0ZWRfX/o9vEjLZHVaDYC4dgztMCMzWi+0EeErLw==

Decrypting a configuration

The decrypt command uses the given master key to decrypt the source configuration and write the clear text data to the destination. In the following example, the running configuration is encrypted with key3. Decrypt it to the file called decrypted:

vsr> show config
system
    aaa
        radius 1234
            secret 6wind-encrypted-a2V5MztTYWx0ZWRfX/o9vEjLZHVaDYC4dgztMCMzWi+0EeErLw==
vsr> show state
system
    aaa
        radius 1234
            secret 6wind-encrypted-a2V5MztTYWx0ZWRfX779vAytiMqcwm20aB3xxEv9OKzPzx/ASg==
vsr> decrypt master-key-name key3 running file decrypted
vsr> show config file decrypted / system aaa radius 1234 secret
secret my-secret

Deactivate the master key and load the configuration from the file. The running configuration is now decrypted:

vsr running config# cmd master-key deactivate
vsr running config# load file decrypted
vsr running config# commit
vsr running config# show config / system aaa radius 1234 secret
secret secret

Loading and encrypting a configuration

In this example, the master key key3 is added and activated. Then the source configuration is encrypted when it is loaded from the decrypted file:

vsr running config# cmd master-key activate name key3
vsr running config# load file decrypted
vsr running config# commit
vsr running config# exit
vsr> show config / system aaa radius 1234 secret
secret 6wind-encrypted-a2V5MztTYWx0ZWRfX/o9vEjLZHVaDYC4dgztMCMzWi+0EeErLw==

Decrypting a single value

This example shows how to decrypt a single value:

vsr> cmd decrypt-value master-key-name key3 value 6wind-encrypted-a2V5MztTYWx0ZWRfX/o9vEjLZHVaDYC4dgztMCMzWi+0EeErLw==
decrypt-value
   value my-secret
   ..

Encrypting a single value

The following example shows how to encrypt a single value. The encrypted result can be used to set a leaf in the configuration:

vsr> cmd encrypt-value master-key-name key3 value my-secret
encrypt-value
   value 6wind-encrypted-a2V5MztTYWx0ZWRfX3DN7Yfl/8ZOI5VneyFGLoIJ3nOrGHuu6Q==
   ..
vsr> edit running
vsr running config# / system aaa radius 1234 address 1.0.0.1 secret 6wind-encrypted-a2V5MztTYWx0ZWRfX3DN7Yfl/8ZOI5VneyFGLoIJ3nOrGHuu6Q==
vsr running config# commit
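To inspect or produce such values outside the router, the following Go program is an added example: it is not 6WIND code and not part of the original page, and DecryptValue, EncryptValue and cbc are its own names. It splits a value into the master-key name tag, the salt and the ciphertext (the base64 in the examples above decodes to "key1;Salted__" or "key3;Salted__" followed by binary data) and encrypts or decrypts with a given master key. Assumptions the page does not confirm: the layout is "<name>;Salted__" plus an 8-byte salt plus the AES-256-CBC ciphertext, and key and IV are derived from the master key and salt with OpenSSL's EVP_BytesToKey using SHA-256, the derivation that "aes-256-cbc with a sha256 digest" normally denotes.

```go
package main

import (
	"bytes"; "crypto/aes"; "crypto/cipher"; "crypto/rand"
	"crypto/sha256"; "encoding/base64"; "errors"; "strings"
)

const prefix, magic = "6wind-encrypted-", "Salted__"
// cbc derives key and IV from the master key and salt like OpenSSL EVP_BytesToKey with SHA-256
// (key = SHA256(pass|salt), iv = SHA256(key|pass|salt)[:16]; assumed, see lead-in) and runs AES-CBC.
func cbc(pass, salt, in []byte, mode func(cipher.Block, []byte) cipher.BlockMode) []byte {
	key := sha256.Sum256(bytes.Join([][]byte{pass, salt}, nil))
	ivd := sha256.Sum256(bytes.Join([][]byte{key[:], pass, salt}, nil))
	block, _ := aes.NewCipher(key[:]) // 32-byte key, so this cannot fail
	out := make([]byte, len(in))
	mode(block, ivd[:16]).CryptBlocks(out, in)
	return out
}

// DecryptValue decodes "6wind-encrypted-<base64>", splits the "<name>;Salted__" tag,
// the 8-byte salt and the ciphertext, and returns the tag with the clear text.
func DecryptValue(v, masterKey string) (name, secret string, err error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, prefix))
	i := bytes.IndexByte(raw, ';')
	if !strings.HasPrefix(v, prefix) || err != nil || i < 0 || !bytes.HasPrefix(raw[i+1:], []byte(magic)) ||
		len(raw) < i+1+len(magic)+8+aes.BlockSize || (len(raw)-i-1-len(magic)-8)%aes.BlockSize != 0 {
		return "", "", errors.New("not a well-formed 6wind-encrypted value")
	}
	name, body := string(raw[:i]), raw[i+1+len(magic):]
	pt := cbc([]byte(masterKey), body[:8], body[8:], cipher.NewCBCDecrypter)
	n := int(pt[len(pt)-1]) // PKCS#7 padding; a wrong master key usually fails here
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return name, "", errors.New("bad padding: wrong master key or corrupted value")
	}
	return name, string(pt[:len(pt)-n]), nil
}

// EncryptValue builds a value in the same layout; the fresh random salt is why the page
// shows two different ciphertexts for "my-secret" under key3.
func EncryptValue(name, masterKey, secret string) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(secret)%aes.BlockSize
	ct := cbc([]byte(masterKey), salt, append([]byte(secret), bytes.Repeat([]byte{byte(pad)}, pad)...), cipher.NewCBCEncrypter)
	raw := append(append([]byte(name+";"+magic), salt...), ct...)
	return prefix + base64.StdEncoding.EncodeToString(raw), nil
}
```

A router value that decrypts to its known clear text with its master key confirms the derivation; a padding error means a wrong key, a corrupted value or a different derivation.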

Updating a master key and the configuration

If the configuration is encrypted with key1 and key2 is now the master key to use, the configuration must first be decrypted manually with key1. Then key2 must be activated. Finally, load the decrypted file so that the secret leaves are encrypted on the fly with key2:

vsr> decrypt master-key-name key1 running file decrypted
vsr> edit running
vsr running config# cmd master-key activate name key2
vsr running config# load file decrypted
vsr running config# commit

Activating the master key after secret leaves have been set

The master key must be activated before secret leaves are set. If it is activated after a secret leaf has been set, the configuration and the state differ: the state is encrypted while the configuration is not. An encrypt followed by a load must then be executed to encrypt and apply the configuration:

vsr running config# cmd master-key deactivate
vsr running config# / system aaa radius 1234 address 1.0.0.1 secret my-secret
vsr running config# commit
Configuration commited.
vsr running config# cmd master-key activate name key1
vsr running config# show config / system aaa radius 1234 secret
secret my-secret
vsr running config# show state / system aaa radius 1234 secret
secret 6wind-encrypted-dG90b3RvdG87U2FsdGVkX1/ck6u+5dnrtsZgoBxzT5guiWmIhLlNj9o=
vsr running config# cmd encrypt master-key-name key1 running file encrypted
vsr running config# load file encrypted
vsr running config# commit
Configuration commited.
vsr running config# show config / system aaa radius 1234 secret
secret 6wind-encrypted-dG90b3RvdG87U2FsdGVkX1+tDt8dCkCD1109cJdLlL3wGvbL8hK2ZC0=