Encrypting and Decrypting Configuration Files
Encrypting configuration file enables you to store configuration data or sensitive information in a configuration file. Decrypting is disabling the encryption of configuration files on a device and make them readable to all.
Encrypting Configuration Files
To configure an encryption key in EEPROM and determine the encryption process, enter one of the request system set-encryption-key commands in operational mode described in Table 1.
The request system set-encryption-key command is not supported on SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices; therefore, this task does not apply to such devices.
Table 1: request system set-encryption-key Commands
CLI Command | Description |
|---|---|
request system set-encryption-key | Sets the encryption key and enables default configuration file encryption:
|
request system set-encryption-key algorithm des | Sets the encryption key and specifies configuration file encryption by DES. |
request system set-encryption-key unique | Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. Configuration files encrypted with the unique key can be decrypted only on the current device. You cannot copy such configuration files to another device and decrypt them. |
request system set-encryption-key des unique | Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key. |
To encrypt configuration files on a device:
- Enter operational mode in the CLI.
- Configure an encryption key in EEPROM and determine the
encryption process; for example, enter the request system set-encryption-key command.user@host> request system set-encryption-keyEnter EEPROM stored encryption key:
- At the prompt, enter the encryption key. The encryption
key must have at least six characters.Enter EEPROM stored encryption key:juniper1Verifying EEPROM stored encryption key:
- At the second prompt, reenter the encryption key.
- Enter configuration mode in the CLI.
- Enable configuration file encryption to take place.[edit]user@host# edit systemuser@host# set encrypt-configuration-files
- Begin the encryption process by committing the configuration.[edit]user@host# commitcommit complete
Decrypting Configuration Files
To disable the encryption of configuration files on a device and make them readable to all:
- Enter operational mode in the CLI.
- Verify your permission to decrypt configuration files
on this device by entering the encryption key for the device.user@host> request system set-encryption-keyEnter EEPROM stored encryption key:Verifying EEPROM stored encryption key:
- At the second prompt, reenter the encryption key.
- Enter configuration mode in the CLI.
- Enable configuration file decryption.[edit]user@host# edit systemuser@host# set no-encrypt-configuration-files
- Begin the decryption process by committing the configuration.[edit]user@host# commitcommit complete
Modifying the Encryption Key
When you modify the encryption key, the configuration files are decrypted and then reencrypted with the new encryption key.
To modify the encryption key:
- Enter operational mode in the CLI.
- Configure a new encryption key in EEPROM and determine
the encryption process; for example, enter the request system
set-encryption-key command.user@host> request system set-encryption-keyEnter EEPROM stored encryption key:
- At the prompt, enter the new encryption key. The encryption
key must have at least six characters.Enter EEPROM stored encryption key:juniperoneVerifying EEPROM stored encryption key:
- At the second prompt, reenter the new encryption key.
Example: Protecting the Junos OS Configuration from Modification or Deletion
This example shows how to use the protect and unprotect commands in the configuration mode to protect and unprotect the CLI configuration.
Requirements
This example uses the following hardware and software components:
An M Series, MX Series, PTX Series, or T Series device
Junos OS 11.2 or later running on all devices
Overview
The Junos OS enables you to protect the device configuration from being modified or deleted by other users. This can be accomplished by using the protect command in the configuration mode of the CLI. Likewise, you can also unprotect a protected configuration by using the unprotect command.
These commands can be used at any level of the configuration hierarchy—a top-level parent hierarchy or a configuration statement or an identifier within the lowest level of the hierarchy.
If a configuration hierarchy is protected, users cannot perform the following activities:
Deleting or modifying a hierarchy or a statement or identifier within the protected hierarchy
Inserting a new configuration statement or an identifier within the protected hierarchy
Renaming a statement or identifier within the protected hierarchy
Copying a configuration into a protected hierarchy
Activating or deactivating statements within a protected hierarchy
Annotating a protected hierarchy
Protecting a Parent-Level Hierarchy
Step-by-Step Procedure
To protect a configuration at the top level of the hierarchy:
Identify the hierarchy that you want to protect and issue the protect command for the hierarchy at the [edit] hierarchy level.
For example, if you want to protect the entire [edit access] hierarchy level, use the following command:
Results
Protects all elements under the parent hierarchy.
If you issue the protect command for a hierarchy that is not used in the configuration, the Junos OS CLI displays the following error message:
Protecting a Child Hierarchy
Step-by-Step Procedure
To protect a child hierarchy contained within a parent hierarchy:
Navigate to the parent container hierarchy. Use the protect command for the hierarchy at the parent level.
For example, if you want to protect the [edit system syslog console] hierarchy level, use the following command at the [edit system syslog] hierarchy level.
Results
Protects all elements under the child hierarchy.
Protecting a Configuration Statement Within a Hierarchy
Step-by-Step Procedure
To protect a configuration statement within a hierarchy level:
Navigate to the hierarchy level containing the statement that you want to protect and issue the protect command for the hierarchy.
For example, if you want to protect the host-name statement under the [edit system] hierarchy level, use the following command:
Results
Protecting a List of Identifiers for a Configuration Statement
Step-by-Step Procedure
Some configuration statements can take multiple values. For example, the address statement at the [edit system login deny-sources] hierarchy level can take a list of hostnames, IPv4 addresses, or IPv6 addresses. Suppose you have the following configuration:
To protect all the addresses for the address statement, use the following command at the [edit] level:
Results
All the addresses ([172.17.28.19 172.17.28.20 172.17.28.21 172.17.28.22]) for the address statement are protected.
Protecting an Individual Member from a Homogenous List
Step-by-Step Procedure
Suppose you have the following configuration:
To protect one or more individual addresses for the name-server statement, issue the following command at the [edit] level:
Results
Addresses 10.1.2.1 and 10.1.2.4 are protected.
Unprotecting a Configuration
Step-by-Step Procedure
Suppose you have the following configuration at the [edit system] hierarchy level:
To unprotect the entire [edit system] hierarchy level, issue the following command at the [edit] level:
Results
The entire system hierarchy level is unprotected.
Verification
Verify That a Hierarchy Is Protected Using the show Command
Purpose
To check that a configuration hierarchy is protected.
Action
In the configuration mode, issue the show command at the [edit] hierarchy level to see all the configuration hierarchies and configuration statements that are protected.
All protected hierarchies or statements are prefixed with a protect: string.
Verify That a Hierarchy Is Protected by Attempting to Modify a Configuration
Purpose
To verify that a configuration is protected by trying to modify the configuration using the activate, copy, insert, rename, and delete commands.
Action
To verify that a configuration is protected:
- Try using the activate, copy, insert, rename, and delete commands for
a top-level hierarchy or a child-level hierarchy or a statement within
the hierarchy.
For a protected hierarchy or statement, the Junos OS displays an appropriate warning that the command has not executed. For example:
protect: system {host-name a;inactive: domain-search [ a b ];} - To verify that the hierarchy is protected, try issuing
the activate command for the domain-search statement:
[edit system]
user@host# activate system domain-searchThe Junos OS CLI displays an appropriate message:
warning: [system] is protected, 'system domain-search' cannot be activated
Verify Usage of the protect Command
Purpose
To view the protect commands used for protecting a configuration.
Action
- Navigate to the required hierarchy.
- Issue the show | display set relative command.
user@host> show | display set relativeset system host-name bigping set system domain-search 10.1.2.1 set system login deny-sources address 172.17.28.19 set system login deny-sources address 172.17.28.173 set system login deny-sources address 172.17.28.0 set system login deny-sources address 174.0.0.0 protect system login deny-sources address protect system
View the Configuration in XML
Purpose
To check if the protected hierarchies or statements
are also displayed in the XML. Protected hierarchies, statements,
or identifiers are displayed with the | display xml attribute in the XML.
Action
To view the configuration in XML:
- Navigate to the hierarchy you want to view.
- Use the show command with the pipe symbol and
option | display xml:
[edit system]
user@host# show | display xml[edit] user@host# show system | display xml <rpc-reply xmlns:junos="http://xml.juniper.net/junos/11.2I0/junos"> <configuration junos:changed-seconds="1291279234" junos:changed-localtime="2017-12-02 00:40:34 PST"> <system protect="protect"> <host-name>bigping</host-name> <domain-search>10.1.2.1</domain-search> <login> <message> \jnpr \tUNAUTHORIZED USE OF THIS ROUTER \tIS STRICTLY PROHIBITED! </message> <class> <name>a</name> <allow-commands>commit-synchronize</allow-commands> <deny-commands>commit</deny-commands> </class> <deny-sources> <address protect="protect">172.17.28.19</address> <address protect="protect">172.17.28.173</address> <address protect="protect">172.17.28.0</address> <address protect="protect">174.0.0.0</address> </deny-sources> </login> <syslog> <archive> </archive> </syslog> </system> </configuration> <cli> <banner>[edit]</banner> </cli> </rpc-reply>Note Loading an XML configuration with the
unprotect="unprotect"tag unprotects an already protected hierarchy. For example, suppose you load the following XML hierarchy:<protocols unprotect="unprotect"> <ospf> <area> <name>0.0.0.0</name> <interface> <name>all</name> </interface> </area> </ospf> </protocols>The [edit protocols] hierarchy becomes unprotected if it is already protected.