Encrypting and Decrypting Configuration Files

Encrypting configuration files enables you to store configuration data or sensitive information in a configuration file. Decrypting disables the encryption of configuration files on a device and makes them readable to all.

Note:

Encryption features are not available on all Juniper Networks devices. On devices that do not support them, the Junos OS CLI encryption-related commands described here may be hidden or may not function. See your hardware documentation for details.

Encrypting Configuration Files

To configure an encryption key in EEPROM and determine the encryption process, enter one of the request system set-encryption-key commands described in Table 1 in operational mode.

Table 1: request system set-encryption-key Commands

| CLI Command | Description |
|---|---|
| request system set-encryption-key | Sets the encryption key and enables default configuration file encryption: AES encryption for the Canada and U.S. version of Junos OS; DES encryption for the international version of Junos OS. |
| request system set-encryption-key algorithm des | Sets the encryption key and specifies configuration file encryption by DES. |
| request system set-encryption-key unique | Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. Configuration files encrypted with the unique key can be decrypted only on the current device. You cannot copy such configuration files to another device and decrypt them. |
| request system set-encryption-key des unique | Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key. |

To encrypt configuration files on a device:

  1. Enter operational mode in the CLI.
  2. Configure an encryption key in EEPROM and determine the encryption process; for example, enter the request system set-encryption-key command.
  3. At the prompt, enter the encryption key. The encryption key must have at least six characters.
  4. At the second prompt, reenter the encryption key.
  5. Enter configuration mode in the CLI.
  6. Enable configuration file encryption.
  7. Begin the encryption process by committing the configuration.

Decrypting Configuration Files

To disable the encryption of configuration files on a device and make them readable to all:

  1. Enter operational mode in the CLI.
  2. Verify your permission to decrypt configuration files on this device by entering the encryption key for the device.
  3. At the second prompt, reenter the encryption key.
  4. Enter configuration mode in the CLI.
  5. Enable configuration file decryption.
  6. Begin the decryption process by committing the configuration.

Modifying the Encryption Key

When you modify the encryption key, the configuration files are decrypted and then reencrypted with the new encryption key.

To modify the encryption key:

  1. Enter operational mode in the CLI.
  2. Configure a new encryption key in EEPROM and determine the encryption process; for example, enter the request system set-encryption-key command.
  3. At the prompt, enter the new encryption key. The encryption key must have at least six characters.
  4. At the second prompt, reenter the new encryption key.
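
The three procedures above, written out as one CLI session. This is an added example, not part of the original page. The prompt user@host is a placeholder, and the [edit system] statements encrypt-configuration-files and no-encrypt-configuration-files, along with the use of request system set-encryption-key for the verification step, are not shown on this page and are assumed from the Junos OS CLI.

```junos
# user@host is a placeholder prompt; lines starting with # are annotations.

# --- Encrypt configuration files ---
# Store a key in EEPROM. Any variant from Table 1 can be used here
# (for example "unique" to bind the key to this chassis).
user@host> request system set-encryption-key
#   First prompt: enter the key (at least six characters).
#   Second prompt: reenter the same key.
user@host> configure
[edit]
user@host# edit system
[edit system]
user@host# set encrypt-configuration-files
[edit system]
user@host# commit
# The commit starts the encryption process.

# --- Modify the encryption key ---
# Setting a new key decrypts the files and reencrypts them with the new key.
user@host> request system set-encryption-key
#   First prompt: enter the new key (at least six characters).
#   Second prompt: reenter the new key.

# --- Decrypt configuration files ---
# Entering the current device key verifies permission to decrypt.
user@host> request system set-encryption-key
#   First prompt: enter the encryption key for the device.
#   Second prompt: reenter the key.
user@host> configure
[edit]
user@host# edit system
[edit system]
user@host# set no-encrypt-configuration-files
[edit system]
user@host# commit
# The commit starts the decryption process; the files become readable to all.
```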