Zeroizing the System
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered—or reentered—while the device is in FIPS mode.
For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
As Crypto Officer, you run the request system zeroize command to remove all user-created files from a device and replace the user data with zeros. This command completely erases all configuration information on the Routing Engines, including all rollback configuration files and plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.
Zeroization is required on an MX104 device before you upgrade in FIPS mode.
To zeroize your device:
- From the CLI, enter:
    root@router> request system zeroize
    warning: System will be rebooted and may not boot without configuration
    Erase all data, including configuration and log files? [yes,no] (no) yes
    re0:
- To initiate the zeroization process, type yes at the prompt:
    Erase all data, including configuration and log files? [yes, no] (no) yes
    re0:
    --------------------------------------------------------------------------
    warning: zeroizing re0
    ... ...
The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.
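For change-control evidence, a saved console session can be checked to confirm that the prompt was answered with yes (the default is no) and that a zeroizing line appeared for each Routing Engine. The following is an added example, not Juniper code; the function name, the sample sessions, and the second Routing Engine name re1 are assumptions, and the patterns follow only the output shown on this page.

```python
import re

# Patterns follow the console output shown on this page.
CMD = re.compile(r">\s*request system zeroize\s*$")
PROMPT = re.compile(r"Erase all data, including configuration and log files\?"
                    r"\s*\[yes,\s*no\]\s*\(no\)\s*(\S*)")
ZEROIZING = re.compile(r"warning: zeroizing (re\d+)")

# Constructed sample sessions (not captured from a real device).
GOOD = """root@router> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes
re0:
--------------------------------------------------------------------------
warning: zeroizing re0
"""
ABORTED = """root@router> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no)
"""


def audit_zeroize(transcript, expected_res=("re0",)):
    """Return (ok, findings) for one captured console session."""
    issued = confirmed = False
    seen = set()
    for line in transcript.splitlines():
        line = line.strip()
        if CMD.search(line):
            issued = True
        m = PROMPT.search(line)
        if issued and m and m.group(1).lower() == "yes":
            confirmed = True  # an empty answer keeps the default, "no"
        z = ZEROIZING.search(line)
        if confirmed and z:
            seen.add(z.group(1))
    findings = []
    if not issued:
        findings.append("request system zeroize was never issued")
    elif not confirmed:
        findings.append("prompt was not answered with yes (default is no)")
    findings += [f"no 'zeroizing {r}' line after confirmation"
                 for r in expected_res if r not in seen]
    return (not findings, findings)


if __name__ == "__main__":
    print(audit_zeroize(GOOD))
    print(audit_zeroize(ABORTED))
```

A passing result shows that zeroization was started on each expected Routing Engine, not that it ran to completion.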