Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Zeroization to Clear System Data


Zeroization completely erases all configuration information on the Routing Engines, including all plain-text passwords, secrets, and private keys for SSH, local encryption, and local authentication.

The Security Administrator initiates the zeroization process by entering the request system zeroize operational command for MX104 devices from the CLI after enabling FIPS mode. Use of this command is restricted to the Security Administrator. (To zeroize the system before enabling FIPS mode, use the request system zeroize command to completely wipe-out older CSPs and scrub memory.)

In reference to cryptographic key destruction, TOE does not support delayed key destruction.


Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.

Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.

Why Zeroize?

Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered—or reentered—while the device is in FIPS mode.

For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.

When to Zeroize?

As Security Administrator, perform zeroization in the following situations:

  • Before enabling FIPS mode of operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode and before FIPS operation.

  • Before disabling FIPS mode of operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.


    Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.

Related Documentation