
Encrypting and Decrypting Configuration Files

Encrypting configuration files lets you store the configuration, including any sensitive data it contains, in encrypted form on the device. Decrypting disables encryption of the configuration files on a device and makes them readable by anyone who can access the file system. For more information, see the following topics:

Encrypting Configuration Files

To configure an encryption key in EEPROM and select the encryption process, enter one of the request system set-encryption-key commands in operational mode, as described in Table 1.

Note

The request system set-encryption-key command is not supported on SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800 devices; therefore, this task does not apply to such devices.

Table 1: request system set-encryption-key Commands

CLI Command: request system set-encryption-key
Description: Sets the encryption key and enables default configuration file encryption:

  • AES encryption for the Canada and U.S. version of Junos OS

  • DES encryption for the international version of Junos OS

CLI Command: request system set-encryption-key algorithm des
Description: Sets the encryption key and specifies DES encryption of configuration files.

CLI Command: request system set-encryption-key unique
Description: Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device.

Configuration files encrypted with the unique key can be decrypted only on the current device. You cannot copy such configuration files to another device and decrypt them.

CLI Command: request system set-encryption-key des unique
Description: Sets the encryption key and specifies DES encryption of configuration files with a unique encryption key.

Note

DES uses a 56-bit key and is no longer considered resistant to brute-force attack; use the AES default wherever your Junos OS version offers it. Because the key is stored in EEPROM on the device and is used by the device itself to read the files, configuration file encryption mainly protects copies of the configuration taken off the device; it is not a substitute for controlling access to the device.

To encrypt configuration files on a device:

  1. Enter operational mode in the CLI.
  2. Configure an encryption key in EEPROM and select the encryption process by entering one of the request system set-encryption-key commands from Table 1; for example:

     user@host> request system set-encryption-key

  3. At the prompt, enter the encryption key. The encryption key must have at least six characters; treat that as a floor, not a target, and use a long passphrase.
  4. At the second prompt, reenter the encryption key.
  5. Enter configuration mode in the CLI.
  6. Enable configuration file encryption at the [edit system] hierarchy level:

     [edit system]
     user@host# set encrypt-configuration-files

  7. Begin the encryption process by committing the configuration.

Decrypting Configuration Files

To disable the encryption of configuration files on a device and make them readable by anyone who can access the file system:

  1. Enter operational mode in the CLI.
  2. Verify your permission to decrypt configuration files on this device by entering the request system set-encryption-key command and, at the prompt, the encryption key for the device.
  3. At the second prompt, reenter the encryption key.
  4. Enter configuration mode in the CLI.
  5. Enable configuration file decryption at the [edit system] hierarchy level:

     [edit system]
     user@host# set decrypt-configuration-files

  6. Begin the decryption process by committing the configuration.

Modifying the Encryption Key

When you modify the encryption key, the configuration files are decrypted and then reencrypted with the new encryption key.

To modify the encryption key:

  1. Enter operational mode in the CLI.
  2. Configure a new encryption key in EEPROM and select the encryption process by entering one of the request system set-encryption-key commands from Table 1; for example:

     user@host> request system set-encryption-key

  3. At the prompt, enter the new encryption key. The encryption key must have at least six characters.
  4. At the second prompt, reenter the new encryption key.

Example: Protecting the Junos OS Configuration from Modification or Deletion

This example shows how to use the protect and unprotect commands in configuration mode to protect and unprotect parts of the CLI configuration.

Requirements

This example uses the following hardware and software components:

  • An M Series, MX Series, PTX Series, or T Series device

  • Junos OS 11.2 or later running on all devices

Overview

The Junos OS enables you to protect the device configuration from being modified or deleted by other users. You do this with the protect command in configuration mode of the CLI; likewise, you can unprotect a protected configuration with the unprotect command. Protection is a safeguard against accidental or careless change, not an access control: a user with permission to change the configuration can also issue unprotect, so restrict who may configure the device through login classes and permissions, and treat the protect: marker as a tripwire rather than a lock.

These commands can be used at any level of the configuration hierarchy—a top-level parent hierarchy or a configuration statement or an identifier within the lowest level of the hierarchy.

If a configuration hierarchy is protected, users cannot perform the following activities:

  • Deleting or modifying a hierarchy or a statement or identifier within the protected hierarchy

  • Inserting a new configuration statement or an identifier within the protected hierarchy

  • Renaming a statement or identifier within the protected hierarchy

  • Copying a configuration into a protected hierarchy

  • Activating or deactivating statements within a protected hierarchy

  • Annotating a protected hierarchy

Protecting a Parent-Level Hierarchy

Step-by-Step Procedure

To protect a configuration at the top level of the hierarchy:

  • Identify the hierarchy that you want to protect and issue the protect command for it at the [edit] hierarchy level.

    For example, to protect the entire [edit access] hierarchy level, issue the following command:

    [edit]
    user@host# protect access

Results

Protects all elements under the parent hierarchy.

Note
  • If you issue the protect command for a hierarchy that is not used in the configuration, the Junos OS CLI displays an error message and nothing is protected.

Protecting a Child Hierarchy

Step-by-Step Procedure

To protect a child hierarchy contained within a parent hierarchy:

  • Navigate to the parent container hierarchy and use the protect command for the child hierarchy at the parent level.

    For example, to protect the [edit system syslog console] hierarchy level, use the following command at the [edit system syslog] hierarchy level:

    [edit system syslog]
    user@host# protect console

Results

Protects all elements under the child hierarchy.

Protecting a Configuration Statement Within a Hierarchy

Step-by-Step Procedure

To protect a configuration statement within a hierarchy level:

  • Navigate to the hierarchy level containing the statement that you want to protect and issue the protect command for the statement.

    For example, to protect the host-name statement under the [edit system] hierarchy level, issue the following command:

    [edit system]
    user@host# protect host-name

Results

The host-name statement is protected.
Protecting a List of Identifiers for a Configuration Statement

Step-by-Step Procedure

Some configuration statements can take multiple values. For example, the address statement at the [edit system login deny-sources] hierarchy level can take a list of hostnames, IPv4 addresses, or IPv6 addresses. Suppose the address statement lists the IPv4 addresses 172.17.28.19, 172.17.28.20, 172.17.28.21, and 172.17.28.22.

  • To protect all the addresses for the address statement, issue the following command at the [edit] level:

    [edit]
    user@host# protect system login deny-sources address

Results

All the addresses ([172.17.28.19 172.17.28.20 172.17.28.21 172.17.28.22]) for the address statement are protected.

Protecting an Individual Member from a Homogenous List

Step-by-Step Procedure

Suppose the name-server statement at the [edit system] hierarchy level lists several addresses, including 10.1.2.1 and 10.1.2.4.

  • To protect one or more individual addresses for the name-server statement, issue the following commands at the [edit] level:

    [edit]
    user@host# protect system name-server 10.1.2.1
    user@host# protect system name-server 10.1.2.4

Results

Addresses 10.1.2.1 and 10.1.2.4 are protected; the other name-server addresses remain unprotected.

Unprotecting a Configuration

Step-by-Step Procedure

Suppose the [edit system] hierarchy level is protected, so it is displayed with the protect: prefix.

  • To unprotect the entire [edit system] hierarchy level, issue the following command at the [edit] level:

    [edit]
    user@host# unprotect system

Results

The entire system hierarchy level is unprotected.

Verification

Verify That a Hierarchy Is Protected Using the show Command

Purpose

To check that a configuration hierarchy is protected.

Action

In the configuration mode, issue the show command at the [edit] hierarchy level to see all the configuration hierarchies and configuration statements that are protected.

Note

All protected hierarchies or statements are prefixed with a protect: string.
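Checking the protect: prefix by eye does not scale to many devices or to a configuration archive. The following Python script is an added example, not part of the Juniper documentation: it parses saved show output in the hierarchical format described above, lists every hierarchy, statement, or identifier that carries the protect: prefix, and reports required paths that are not protected (directly or through a protected ancestor). The sample output, the host and address values in it, and the required list are constructed for illustration.

```python
"""Audit protected hierarchies in saved Junos 'show' output.

Added example, not Juniper's code. Assumes the hierarchical display format
described above, in which protected hierarchies, statements and identifiers
carry a 'protect: ' prefix. The sample output below is constructed.
"""
from __future__ import annotations

Path = tuple[str, ...]

# Constructed sample of 'show' output at the [edit] level (not captured from a device).
SAMPLE_SHOW_OUTPUT = """\
## Last changed: 2024-01-01 00:00:00 UTC
protect: system {
    host-name router1;
    name-server {
        protect: 10.1.2.1;
        10.1.2.2;
        protect: 10.1.2.4;
    }
    syslog {
        protect: console {
            any error;
        }
    }
}
protect: access {
    profile dot1x;
}
protocols {
    lldp {
        interface all;
    }
}
"""


def protected_paths(show_output: str) -> list[Path]:
    """Return every path that carries an explicit 'protect:' prefix, in document order.

    Brace nesting is tracked with a stack of name tuples: a block such as
    'interface ge-0/0/0 {' pushes all of its name tokens and one '}' pops them.
    A leaf statement with a value ('host-name router1;') is recorded by its
    keyword only; a bare identifier ('10.1.2.1;') is recorded whole so that
    individual list members are addressable.
    """
    stack: list[Path] = []
    found: list[Path] = []
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("/*"):
            continue  # blank line, '##' banner/marker, or annotation
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in show output")
            stack.pop()
            continue
        is_protected = line.startswith("protect:")
        if is_protected:
            line = line[len("protect:"):].strip()
        opens_block = line.endswith("{")
        tokens = tuple(line.rstrip("{;").split())
        if not tokens:
            raise ValueError(f"cannot parse line: {raw!r}")
        parent: Path = tuple(t for block in stack for t in block)
        if is_protected:
            name = tokens if (opens_block or len(tokens) == 1) else tokens[:1]
            found.append(parent + name)
        if opens_block:
            stack.append(tokens)
    if stack:
        raise ValueError("unterminated block in show output")
    return found


def is_protected(path: Path, protected: list[Path]) -> bool:
    """True if 'path' or any ancestor of it is explicitly protected."""
    return any(path[: len(p)] == p for p in protected)


def audit(show_output: str, required: list[Path]) -> list[Path]:
    """Return the required paths that are NOT protected (an empty list means pass)."""
    protected = protected_paths(show_output)
    return [p for p in required if not is_protected(p, protected)]


if __name__ == "__main__":
    for p in protected_paths(SAMPLE_SHOW_OUTPUT):
        print("protected:", " ".join(p))
    required = [("system",), ("system", "login"), ("protocols",)]
    print("required but unprotected:", audit(SAMPLE_SHOW_OUTPUT, required))
```

Feed the script the output of show at the [edit] level (or a configuration file saved in the same format) and a list of hierarchies your change-control policy says must stay protected; a non-empty result from audit is the finding to act on. The parser deliberately rejects unbalanced braces rather than guessing, because a truncated capture would otherwise pass the audit with most of the configuration missing.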

Verify That a Hierarchy Is Protected by Attempting to Modify a Configuration

Purpose

To verify that a configuration is protected by trying to modify the configuration using the activate, copy, insert, rename, and delete commands.

Action

To verify that a configuration is protected:

  1. Try using the activate, copy, insert, rename, or delete command on a top-level hierarchy, a child-level hierarchy, or a statement within the hierarchy.

    For a protected hierarchy or statement, the Junos OS displays a warning that the command has not executed.

  2. For example, to verify that the domain-search statement is protected, try issuing the activate command for it:

    [edit system]

    user@host# activate system domain-search

    The Junos OS CLI displays a warning that the statement is protected and that the command was not executed.

Verify Usage of the protect Command

Purpose

To view the protect commands used for protecting a configuration.

Action

  1. Navigate to the required hierarchy.
  2. Issue the show | display set relative command in configuration mode. Protected hierarchies, statements, and identifiers appear as protect commands in the output, which is the form you need to reapply the same protection on another device.

     user@host# show | display set relative

View the Configuration in XML

Purpose

To check that protected hierarchies or statements are also marked in the XML output. Protected hierarchies, statements, or identifiers are displayed with the protect="protect" attribute in the XML.

Action

To view the configuration in XML:

  1. Navigate to the hierarchy you want to view and issue the show command with the | display xml option:

    [edit system]

    user@host# show | display xml

Note

Loading an XML configuration that carries the unprotect="unprotect" attribute unprotects an already protected hierarchy. For example, if you load XML in which the <protocols> element carries unprotect="unprotect", the [edit protocols] hierarchy becomes unprotected if it was protected. Because a load can remove protection this way, review XML produced by automation tools or supplied by other operators for this attribute before loading it.
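The following Python script is an added example, not part of the Juniper documentation. It covers both checks from this section: it lists the hierarchies that show | display xml marks with protect="protect", and it scans an XML configuration you are about to load for the unprotect="unprotect" attribute so that a change pipeline can refuse a load that would strip protection. Both XML documents, the hostnames and the group name in them are constructed; the protect and unprotect attribute forms are taken from the text above, and the junos namespace URL is only a placeholder.

```python
"""Find protect/unprotect attributes in Junos XML configuration.

Added example, not Juniper's code. Assumes that 'show | display xml' marks
protected elements with protect="protect" and that an XML load carrying
unprotect="unprotect" removes protection, as described above. Both XML
samples below are constructed, not captured from a device.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections.abc import Iterator

# Constructed 'show | display xml' output (the namespace URL is a placeholder).
SAMPLE_DISPLAY_XML = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/20.4R0/junos">
    <configuration>
        <system protect="protect">
            <host-name>router1</host-name>
            <syslog>
                <console protect="protect">
                    <name>any</name>
                    <error/>
                </console>
            </syslog>
        </system>
        <protocols>
            <lldp/>
        </protocols>
    </configuration>
</rpc-reply>
"""

# Constructed XML proposed for loading; it would unprotect [edit protocols].
SAMPLE_LOAD_XML = """<configuration>
    <protocols unprotect="unprotect">
        <bgp>
            <group>
                <name>ibgp</name>
            </group>
        </bgp>
    </protocols>
    <system>
        <host-name>router2</host-name>
    </system>
</configuration>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}name'."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem: ET.Element, path: str = "") -> Iterator[tuple[str, ET.Element]]:
    """Yield (path, element) for every descendant in document order.

    List entries are labelled with their <name> child, e.g. 'protocols/bgp/group ibgp'.
    """
    for child in elem:
        label = _local(child.tag)
        if label == "name":
            continue  # already folded into the parent's label
        name_child = child.find("name")
        if name_child is not None and name_child.text:
            label = f"{label} {name_child.text.strip()}"
        child_path = f"{path}/{label}" if path else label
        yield child_path, child
        yield from _walk(child, child_path)


def _configuration_root(xml_text: str) -> ET.Element:
    """Locate <configuration>, whether bare or wrapped in an <rpc-reply>."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) == "configuration":
        return root
    conf = root.find(".//configuration")
    if conf is None:
        raise ValueError("no <configuration> element found")
    return conf


def elements_with_attribute(xml_text: str, attr: str, value: str) -> list[str]:
    """Paths of elements whose attribute 'attr' equals 'value'."""
    conf = _configuration_root(xml_text)
    return [path for path, el in _walk(conf) if el.get(attr) == value]


def protected_in_display_xml(xml_text: str) -> list[str]:
    """Hierarchies shown as protected by 'show | display xml'."""
    return elements_with_attribute(xml_text, "protect", "protect")


def unprotect_requests(xml_text: str) -> list[str]:
    """Hierarchies that loading this XML would unprotect."""
    return elements_with_attribute(xml_text, "unprotect", "unprotect")


def safe_to_load(xml_text: str) -> bool:
    """Gate for a change pipeline: refuse XML that strips protection."""
    return not unprotect_requests(xml_text)


if __name__ == "__main__":
    print("protected:", protected_in_display_xml(SAMPLE_DISPLAY_XML))
    print("would unprotect:", unprotect_requests(SAMPLE_LOAD_XML))
    print("safe to load:", safe_to_load(SAMPLE_LOAD_XML))
```

Run unprotect_requests over every XML payload before it reaches load, and treat a non-empty result as a review item rather than an error to suppress: someone may legitimately need to unprotect a hierarchy, but that decision should be visible in the change record, not buried in an attribute.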