Encrypting and Decrypting Configuration Files
Configuration files contain sensitive information such as IP addresses. By default, the device stores configuration files in unencrypted format on an external CompactFlash card. This storage method is considered a security risk because the CompactFlash card can easily be removed from the device. To prevent unauthorized users from viewing sensitive information in configuration files, you can encrypt them.
If your device runs the Canada and U.S. version of Junos OS, the configuration files can be encrypted with the Advanced Encryption Standard (AES) or Data Encryption Standard (DES) encryption algorithms. If your device runs the international version of Junos OS, the files can be encrypted only with DES. Note that DES uses a 56-bit key and is no longer considered adequate against brute-force attack; where the software version allows it, use AES.
To prevent unauthorized access, the encryption key is stored in the device's EEPROM. You can copy the encrypted configuration files to another device and decrypt them if that device has the same encryption key. To prevent encrypted configuration files from being copied to another device and decrypted, you can set a unique encryption key that contains the chassis serial number of your device. Configuration files that are encrypted with a unique encryption key cannot be decrypted on any other device.
The encryption process encrypts only the configuration files in the /config and /var/db/config directories. Files in subdirectories under these directories are not encrypted. The filenames of encrypted configuration files have the extension .gz.jc—for example, juniper.conf.gz.jc.
Note: You must have superuser privileges to encrypt or decrypt configuration files.
This section contains the following topics:
- Encrypting Configuration Files
- Decrypting Configuration Files
- Modifying the Encryption Key
Encrypting Configuration Files
To encrypt configuration files on a device:
- Enter operational mode in the CLI.
- To configure an encryption key in EEPROM and select the encryption process, enter one of the request system set-encryption-key commands described in Table 143.
Table 143: request system set-encryption-key Commands

| CLI Command | Description |
|---|---|
| request system set-encryption-key | Sets the encryption key and enables default configuration file encryption: AES encryption for the Canada and U.S. version of Junos OS, DES encryption for the international version of Junos OS. |
| request system set-encryption-key algorithm des | Sets the encryption key and specifies configuration file encryption by DES. |
| request system set-encryption-key unique | Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. Configuration files encrypted with the unique key can be decrypted only on the current device; you cannot copy such files to another device and decrypt them there. |
| request system set-encryption-key algorithm des unique | Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key. |
For example:
user@host> request system set-encryption-key
Enter EEPROM stored encryption key:
- At the prompt, enter the encryption key. The encryption key must have at least 6 characters. That is only the minimum: anyone holding a copy of the encrypted files can try keys offline, so choose a long key that is not a dictionary word.
Enter EEPROM stored encryption key:juniper1
Verifying EEPROM stored encryption key:
- At the second prompt, reenter the encryption key.
- Enter configuration mode in the CLI.
- To enable configuration file encryption to take place, enter the following commands:
user@host# edit system
user@host# set encrypt-configuration-files
- To begin the encryption process, commit the configuration.
user@host# commit
commit complete
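After the commit, confirm that the encryption actually covered the files you care about. The script below is an added example and is not part of the Junos documentation or of Junos itself. It relies only on what the page states: encrypted files carry the .gz.jc suffix, and only the top level of /config and /var/db/config is encrypted, so anything in a subdirectory stays in the clear. It can be run from the FreeBSD shell on the device (start shell) or against a copy of the directories taken from the CompactFlash card; the demo tree it builds is constructed for illustration and is not a real device's contents.

```shell
#!/bin/sh
# Added audit helper, not from the Junos documentation or from Junos itself.
# Assumption: a file is encrypted if and only if it carries the .gz.jc suffix,
# and files below the top level of a configuration directory are never encrypted.

# Files directly under DIR (depth 1) that lack the .gz.jc suffix.
unencrypted_top_level() {
    find "$1" -mindepth 1 -maxdepth 1 -type f ! -name '*.gz.jc' | sort
}

# Files in subdirectories of DIR. The encryption process never touches these.
plaintext_in_subdirs() {
    find "$1" -mindepth 2 -type f | sort
}

# Audit each directory given. Exit status 0 if nothing unencrypted was found,
# 1 otherwise. Findings are printed one path per line under a header.
audit_config_dirs() {
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            continue
        fi
        top=$(unencrypted_top_level "$dir")
        sub=$(plaintext_in_subdirs "$dir")
        if [ -n "$top" ]; then
            echo "PLAINTEXT, should have been encrypted, in $dir:"
            echo "$top"
            rc=1
        fi
        if [ -n "$sub" ]; then
            echo "PLAINTEXT in subdirectories of $dir (not covered by encryption):"
            echo "$sub"
            rc=1
        fi
    done
    return $rc
}

# Constructed demonstration tree (not taken from a device): two encrypted
# rollback files, one plaintext file left at the top level, and a script
# in a subdirectory. Returns the audit's exit status.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/config/scripts"
    : > "$root/config/juniper.conf.gz.jc"
    : > "$root/config/juniper.conf.1.gz.jc"
    : > "$root/config/juniper.conf.gz"
    : > "$root/config/scripts/op-script.slax"
    audit_config_dirs "$root/config"
    status=$?
    rm -rf "$root"
    return $status
}

# On a device the call would be: audit_config_dirs /config /var/db/config
demo; echo "audit exit status: $?"
```

A non-zero exit status means something sensitive is still stored in the clear: either a top-level file the encryption process missed, or material in a subdirectory that this feature was never going to protect and that needs to be moved or removed before the card can be considered safe.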
Decrypting Configuration Files
To disable the encryption of configuration files on a device and return them to unencrypted storage, readable by anyone with access to the files:
- Enter operational mode in the CLI.
- To verify your permission to decrypt configuration files on this device, enter the following command and the encryption key for the device:
user@host> request system set-encryption-key
Enter EEPROM stored encryption key:
Verifying EEPROM stored encryption key:
- At the second prompt, reenter the encryption key.
- Enter configuration mode in the CLI.
- To enable configuration file decryption, enter the following commands:
user@host# edit system
user@host# set no-encrypt-configuration-files
- To begin the decryption process, commit the configuration.
user@host# commit
commit complete
Modifying the Encryption Key
When you modify the encryption key, the configuration files are decrypted and then reencrypted with the new encryption key.
To modify the encryption key:
- Enter operational mode in the CLI.
- To configure a new encryption key in EEPROM and select the encryption process, enter one of the request system set-encryption-key commands described in Table 143. For example:
user@host> request system set-encryption-key
Enter EEPROM stored encryption key:
- At the prompt, enter the new encryption key. The encryption key must have at least 6 characters.
Enter EEPROM stored encryption key:juniperone
Verifying EEPROM stored encryption key:
- At the second prompt, reenter the new encryption key.