Encrypt and Decrypt Configuration Files

You store configuration data and sensitive network information in configuration files. Encrypting configuration files enables you to secure the information they store. Decrypting means disabling the encryption of configuration files on a device and making the files readable to all.

Note:

Encryption features are not available on all Juniper Networks devices. If these features are not available on one or more of your devices, the Junos OS CLI encryption-related commands described in this topic may be hidden or may not function. See your hardware documentation for details.

Encrypt Configuration Files

To encrypt configuration files on a Juniper Networks device, you need an encryption key. You configure an encryption key in EEPROM and determine which encryption process is appropriate for your network.

To configure an encryption key, select the most appropriate request system set-encryption-key command in operational mode, as described in the following table.

Table 1: The request system set-encryption-key CLI Commands

| CLI Command | Description |
| --- | --- |
| request system set-encryption-key | Sets the encryption key and enables default configuration file encryption: AES encryption for the Canada and U.S. version of the operating system; DES encryption for the international version of the operating system. |
| request system set-encryption-key algorithm des | Sets the encryption key and specifies configuration file encryption by DES. |
| request system set-encryption-key unique | Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. When you encrypt configuration files with the unique key, you can decrypt the files on the current device only. You cannot copy encrypted configuration files to another device and decrypt them. |
| request system set-encryption-key des unique | Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key. |

To encrypt configuration files on a device:

  1. Enter operational mode in the CLI.
  2. Configure an encryption key in EEPROM and determine the encryption process; for example, enter the request system set-encryption-key command.
  3. At the prompt, enter the encryption key. The encryption key must have at least six characters.
  4. At the second prompt, reenter the encryption key.
  5. Enter configuration mode in the CLI.
  6. Enable configuration file encryption.
  7. Begin the encryption process by committing the configuration.

Decrypt Configuration Files

Decrypting configuration files means disabling the file encryption on a device, which makes the files readable to all.

To disable the encryption of configuration files on a device:

  1. Enter operational mode in the CLI.
  2. Verify your permission to decrypt configuration files on this device by entering the encryption key for the device.

    Example:

  3. At the second prompt, reenter the encryption key.
  4. Enter configuration mode in the CLI.
  5. Enable configuration file decryption.
  6. Begin the decryption process by committing the configuration.
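
The encrypt and decrypt procedures above, written out as CLI sessions. This is an added example, not part of the original page. The prompt user@host is a placeholder and lines beginning with # are annotations, not commands. The encrypt-configuration-files and no-encrypt-configuration-files statements at the [edit system] hierarchy level do not appear in the text above; they are the Junos OS statements assumed here for the "enable encryption" and "enable decryption" steps.

```text
# --- Encrypt configuration files ---
# Steps 1-4: from operational mode, store the key in EEPROM.
user@host> request system set-encryption-key
# First prompt: enter the encryption key (at least six characters).
# Second prompt: reenter the same key.

# Steps 5-7: enable encryption and commit to start the process.
user@host> configure
[edit]
user@host# set system encrypt-configuration-files
[edit]
user@host# commit
[edit]
user@host# exit

# --- Decrypt configuration files ---
# Steps 1-3: from operational mode, confirm the device's current key.
user@host> request system set-encryption-key
# First prompt: enter the current encryption key.
# Second prompt: reenter it.

# Steps 4-6: disable encryption and commit; files become readable to all.
user@host> configure
[edit]
user@host# set system no-encrypt-configuration-files
[edit]
user@host# commit
[edit]
user@host# exit
```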

Modify the Encryption Key

When you modify the encryption key, the configuration files are decrypted and then reencrypted with the new encryption key.

To modify the encryption key:

  1. Enter operational mode in the CLI.
  2. Configure a new encryption key in EEPROM, and determine the encryption process; for example, enter the request system set-encryption-key command.
  3. At the prompt, enter the new encryption key. The encryption key must have at least six characters.
  4. At the second prompt, reenter the new encryption key.