Encrypting and Decrypting Configuration Files
Encrypting configuration files enables you to protect configuration data or sensitive information stored in a configuration file. Decrypting disables the encryption of configuration files on a device and makes them readable to all.
Encryption features are not available on all Juniper Networks devices. If they are not available on your device, the Junos OS CLI encryption-related commands described here may be hidden or may not function. See your hardware documentation for details.
Encrypting Configuration Files
To configure an encryption key in EEPROM and determine the encryption process, enter one of the request system set-encryption-key commands described in Table 1 in operational mode.
Table 1: request system set-encryption-key Commands
CLI Command | Description |
---|---|
request system set-encryption-key | Sets the encryption key and enables default configuration file encryption: |
request system set-encryption-key algorithm des | Sets the encryption key and specifies configuration file encryption by DES. |
request system set-encryption-key unique | Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. Configuration files encrypted with the unique key can be decrypted only on the current device. You cannot copy such configuration files to another device and decrypt them. |
request system set-encryption-key des unique | Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key. |
To encrypt configuration files on a device:
- Enter operational mode in the CLI.
- Configure an encryption key in EEPROM and determine the encryption process; for example, enter the request system set-encryption-key command.
    user@host> request system set-encryption-key
    Enter EEPROM stored encryption key:
- At the prompt, enter the encryption key. The encryption key must have at least six characters.
    Enter EEPROM stored encryption key:juniper1
    Verifying EEPROM stored encryption key:
- At the second prompt, reenter the encryption key.
- Enter configuration mode in the CLI.
- Enable configuration file encryption to take place.
    [edit]
    user@host# edit system
    user@host# set encrypt-configuration-files
- Begin the encryption process by committing the configuration.
    [edit]
    user@host# commit
    commit complete
Decrypting Configuration Files
To disable the encryption of configuration files on a device and make them readable to all:
- Enter operational mode in the CLI.
- Verify your permission to decrypt configuration files on this device by entering the encryption key for the device.
    user@host> request system set-encryption-key
    Enter EEPROM stored encryption key:
    Verifying EEPROM stored encryption key:
- At the second prompt, reenter the encryption key.
- Enter configuration mode in the CLI.
- Enable configuration file decryption.
    [edit]
    user@host# edit system
    user@host# set no-encrypt-configuration-files
- Begin the decryption process by committing the configuration.
    [edit]
    user@host# commit
    commit complete
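The two procedures above leave either encrypt-configuration-files or no-encrypt-configuration-files at the [edit system] level. The following Python script is an added example, not Juniper code: it audits saved configuration exports and reports every device where encryption is not enabled, including the case where the statement is present but deactivated. It assumes the exports are plain text in either brace format or "display set" format; the function names, hostnames and sample exports are constructed for illustration.

```python
import re

# Statement names are the ones used on this page; the export layout is assumed.
LEAF = re.compile(r"^(inactive: )?(no-)?encrypt-configuration-files;$")
SET = re.compile(r"^(set|deactivate) system (no-)?encrypt-configuration-files$")

def encryption_state(config_text):
    """Classify one export as 'enabled', 'disabled', 'inactive' or 'unset'."""
    state, path = "unset", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SET.match(line)                      # "display set" style export
        if m:
            if m.group(1) == "deactivate":
                state = "inactive"               # present but not in effect
            else:
                state = "disabled" if m.group(2) else "enabled"
        elif line.endswith("{"):                 # brace style: enter a hierarchy
            path.append(line[:-1].strip())
        elif line == "}":
            if path:
                path.pop()
        elif path == ["system"]:                 # only the [edit system] level counts
            m = LEAF.match(line)
            if m:
                state = ("inactive" if m.group(1)
                         else "disabled" if m.group(2) else "enabled")
    return state

def audit(exports):
    """Return {hostname: state} for every device that is not 'enabled'."""
    states = {host: encryption_state(text) for host, text in exports.items()}
    return {h: s for h, s in states.items() if s != "enabled"}

# Constructed sample exports (not taken from real devices).
SAMPLES = {
    "r1": "system {\n    host-name r1;\n    encrypt-configuration-files;\n}\n",
    "r2": "set system host-name r2\nset system encrypt-configuration-files\n"
          "deactivate system encrypt-configuration-files\n",
    "r3": "system {\n    host-name r3;\n    services {\n        ssh;\n    }\n}\n",
    "r4": "set system no-encrypt-configuration-files\n",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLES).items()):
        print(f"{host}: configuration file encryption is {state}")
```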
Modifying the Encryption Key
When you modify the encryption key, the configuration files are decrypted and then reencrypted with the new encryption key.
To modify the encryption key:
- Enter operational mode in the CLI.
- Configure a new encryption key in EEPROM and determine the encryption process; for example, enter the request system set-encryption-key command.
    user@host> request system set-encryption-key
    Enter EEPROM stored encryption key:
- At the prompt, enter the new encryption key. The encryption key must have at least six characters.
    Enter EEPROM stored encryption key:juniperone
    Verifying EEPROM stored encryption key:
- At the second prompt, reenter the new encryption key.