Encrypted secrets

Introduction

When enabled, the Encrypted Secrets feature ensures that no passwords or other secrets are stored in plain text in the WeOS configuration.

Encryption sources

The secrets are encrypted using the AES-256 encryption algorithm and the encryption key depends on the chosen encryption source:

  • portable: The same encryption key for all devices, useful for sharing configurations across multiple systems
  • hwuid: Device-specific encryption key, enhancing security for individual devices (not portable)
  • password: Password-derived encryption key, enabling portability if the same password is used on all devices

Configuration

The encryption source is set with the encrypt-secrets command in the configure system context. The command takes one argument, the encryption source.

To use the password encryption source, first set the password using the encrypt-password command in the admin-exec context.

example:/#> encrypt-password s3cretPassword
example:/#> configure
example:/config/#> system
example:/config/system#> encrypt-secrets password
example:/config/system#> leave
Applying configuration.
Configuration activated.
Remember "copy run start" to save to flash (NVRAM).
example:/#> copy run start

In this case the password s3cretPassword is used to derive the encryption key since the password encryption source is chosen.

Changing the encryption password

Steps to safely change the password:

  1. Change the password using the encrypt-password command in admin-exec context
  2. Save the updated running configuration to the startup configuration using the cp running startup command

Warning

Changing the encryption password can cause encrypted secrets in the startup configuration to become inaccessible. To avoid this, ensure the running configuration is saved.

Note

This problem only occurs when encryption source is set to password and the password is changed.

Moving configuration between devices

If the encryption source is set to hwuid, the encrypted secrets are not portable. This means that the configuration file cannot be moved to another device. The encrypted secrets will be unreadable on another device.

To move configurations between devices, export them using the portable encryption source. For added security, the source could be changed to hwuid after loading the configuration on the new device.

The password source is the middle ground between portability and protection from information disclosure.
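The three key sources listed under "Encryption sources", and the consequences described in "Changing the encryption password" and in this section, modelled as an added Python example. This is illustrative code written for this page, not WeOS code: the firmware key material, salt, iteration count and hardware ids are constructed values, the password is the one from the CLI example above, and the HMAC-SHA256 stream cipher with an encrypt-then-MAC tag stands in for the device's AES-256 (which the Python standard library does not provide) so that the example runs offline. What it shows is which input feeds the key derivation for each source, and therefore which secrets remain readable after the configuration moves to another device or after the password changes.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the key material embedded in firmware ("portable" source).
FIRMWARE_KEY_MATERIAL = b"constructed-firmware-key-material"
KDF_SALT = b"constructed-salt"      # constructed; a real device would use its own salt
KDF_ITERATIONS = 100_000


def derive_key(source, hwuid=None, password=None):
    """Return a 256-bit key whose input material depends on the encryption source."""
    if source == "portable":
        ikm = FIRMWARE_KEY_MATERIAL              # identical on every device
    elif source == "hwuid":
        if hwuid is None:
            raise ValueError("hwuid source needs the device's hardware id")
        ikm = b"hwuid:" + hwuid                  # unique per device, hence not portable
    elif source == "password":
        if not password:
            raise ValueError("password source needs a password (encrypt-password)")
        ikm = password.encode("utf-8")           # shared only if every device has the same password
    else:
        raise ValueError(f"unknown encryption source: {source!r}")
    return hashlib.pbkdf2_hmac("sha256", ikm, KDF_SALT, KDF_ITERATIONS, dklen=32)


def _subkeys(key):
    """Separate encryption and MAC subkeys from the derived key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-256)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(key, plaintext):
    """Encrypt-then-MAC; returns the base64 string that would appear in the configuration."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_secret(key, blob):
    """Return the secret, or None when the key does not match (secret unreadable here)."""
    enc_key, mac_key = _subkeys(key)
    raw = base64.b64decode(blob)
    if len(raw) < 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed device identities; both devices have the same encryption password set.
DEVICE_A = {"hwuid": b"00:00:00:00:00:01", "password": "s3cretPassword"}
DEVICE_B = {"hwuid": b"00:00:00:00:00:02", "password": "s3cretPassword"}


def portability_check(source, secret=b"ipsec-psk-constructed"):
    """Encrypt on device A, then decrypt on A and on B: (readable_on_a, readable_on_b)."""
    key_a = derive_key(source, DEVICE_A["hwuid"], DEVICE_A["password"])
    key_b = derive_key(source, DEVICE_B["hwuid"], DEVICE_B["password"])
    blob = encrypt_secret(key_a, secret)
    return (decrypt_secret(key_a, blob) == secret,
            decrypt_secret(key_b, blob) == secret)


def password_change_check(old="s3cretPassword", new="newPassw0rd", secret=b"radius-shared-secret"):
    """A startup configuration encrypted under the old password, read after encrypt-password changed it."""
    blob = encrypt_secret(derive_key("password", password=old), secret)
    return decrypt_secret(derive_key("password", password=new), blob) == secret


if __name__ == "__main__":
    for src in ("portable", "hwuid", "password"):
        same, other = portability_check(src)
        print(f"{src:9s} readable on same device: {same}  on another device: {other}")
    print("old startup secrets readable after password change:", password_change_check())
```

The hwuid row comes out as readable on the original device only, which is why the page says to export with the portable source before moving a configuration; the last line is the failure the "Changing the encryption password" warning describes, avoided by saving the running configuration (re-encrypted under the new password) before the old startup configuration is ever reloaded.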

Example secrets

  • IPsec: PSK secret
  • RIP: authentication password
  • OSPF: authentication password
  • DDNS: password
  • SNMP: community strings
  • RADIUS: shared secret
  • TACACS+: shared secret
  • SCEP: challenge password

Verify that the secrets are encrypted by inspecting the configuration (show running-config). Encrypted secrets are displayed as base64-encoded strings.

Note

The encryption password is set independently of the encryption source. It is not saved in the configuration file; instead it is stored in the device's secure storage.

[no] encrypt-secrets <source>

Select encryption source.

  no
    Store secrets in plain text.
  hwuid
    Use device unique encryption key. Not portable.
  password
    Use password to derive encryption key.
  portable
    Use the same encryption key for all devices (derived from firmware).