Master Password for Configuration Encryption

Understanding Hardening Shared Secrets

Existing shared secrets ($9$ format) in Junos OS currently use an obfuscation algorithm, which is not a very strong encryption for configuration secrets. If you want a strong encryption for your configuration secrets, you can configure a master password. The master password is used to derive an encryption key that is used with AES256-GCM to encrypt configuration secrets. This new encryption method uses the $8$ formatted strings.

Starting with Junos OS Release 15.1X49-D50 and Junos OS Evolved Release 22.4R1, new CLI commands are introduced to configure a system master password to provide stronger encryption for configuration secrets. The master password encrypts secrets like the RADIUS password, IKE preshared keys, and other shared secrets in the Junos OS management process (mgd) configuration. The master password itself is not saved as part of the configuration. The password quality is evaluated for strength, and the device gives feedback if weak passwords are used.

The master password is used as input to the password based key derivation function (PBKDF2) to generate an encryption key. the key is used as input to the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM). The plain text that the user enters is processed by the encryption algorithm (with key) to produce the encrypted text (cipher text). See Figure 1

Note:

Enabling Master Password Encryption through the Trusted Platform Module (TPM) can result in increased commit times. This is because of the encryption processing that occurs each time the configuration is committed. The increase in delay varies according to CPU capability and current loading.

The $8$ configuration secrets can only be shared between devices using the same master password.

The $8$-encrypted passwords have the following format:

$8$crypt-algo$hash-algo$iterations$salt$iv$tag$encrypted. See Table 1 for the master password format details.

Table 1: $8$-encrypted Password Format

Format	Description
crypt-algo	Encryption/decryption algorithm to be used. Currently only AES256-GCM is supported.
hash-algo	Hash (prf) algorithm to be used for the PBKDF2 key derivation.
iterations	The number of iterations to use for the PBKDF2 hash function. Current iteration-count default is 100. The iteration count slows the hashing count, thus slowing attacker guesses.
salt	Sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are to be used to salt (a random, but known string) the password and input to the PBKDF2 key derivation.
iv	A sequence of ASCII64-encoded pseudorandom bytes generated during encryption that are to be used as initialization vector for the AES256-GCM encryption function.
tag	ASCII64-encoded representation of the tag.
encrypted	ASCII64-encoded representation of the encrypted password.

The ASCII64 encoding is Base64 (RFC 4648) compatible, except no padding (character “=”) is used to keep the strings short. For example: $8$aes256-gcm$hmac-sha2-256$100$y/4YMC4YDLU$fzYDI4jjN6YCyQsYLsaf8A$Ilu4jLcZarD9YnyD /Hejww$okhBlc0cGakSqYxKww

Limitations

The following limitations and exceptions apply to the configuration file integrity feature using TPM:

• This feature is supported only on the SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with RE3.

• If the master encryption password is not set, data is stored unencrypted.

• The file integrity feature is not supported along with the configuration file encryption feature that uses keys saved in EEPROM. You can enable only one function at a time.

• In a chassis cluster, both nodes must have the same TPM settings. This means that both nodes in the chassis cluster must have TPM enabled, or both nodes in the chassis cluster must have TPM disabled. The chassis cluster must not have one node set to TPM enabled and the another node set to TPM disabled.

Note:

After the Master Encryption Key (MEK) is configured and operational, downgrading to a Junos version that does not support TPM functionality is not recommended. This is because the non-TPM capable image is not able to decrypt the secrets that were encrypted by TPM after the device reboots to the non-TPM cable version.

If you must downgrade to a non-TPM capable image you must first zeroize the device. The zeroization process ensures the device does not contain any secrets and removes all the keys. After zeroization the device be downgraded to the desired non-TPM capable image .

Configuring Master Encryption Password

Note:

Before configuring master encryption password, ensure that you have configured set system master-password plain-text-password otherwise, certain sensitive data will not be protected by the TPM.

Set the master encryption password using the following CLI command:

request security tpm master-encryption-password set plain-text-password

You will be prompted to enter the master encryption password twice, to make sure that these passwords match. The master encryption password is validated for required password strength.

After master encryption password is set, the system proceeds to encrypt the sensitive data with the master encryption password which is encrypted by the Master Binding Key that is owned and protected by the TPM chip.

Note:

If there is any issue with setting the master encryption password, a critical ERROR message is logged on the console and the process is terminated.

Verifying the Status of the TPM

You can use the show security tpm status command to verify the status of the TPM. The following information is displayed:

• TPM enabled/disabled

• TPM ownership

• TPM’s Master Binding Key status (created or not created)

• master encryption password status (set or not set)

Starting with Junos OS Release 15.1X49-D120 and Junos OS Release 17.4R1, Trusted Platform Module (TPM) firmware has been updated. The upgraded firmware version provides additional secure cryptography and improves security. Updated TPM firmware is available along with the Junos OS package. For updating TPM Firmware, see Upgrading TPM Firmware on SRX-Devices. To confirm the TPM firmware version, use the show security tpm status command. TPM Family and TPM Firmware version output fields are introduced.

Changing the Master Encryption Password

Changing the master encryption password is done using the CLI.

To change the master encryption password, enter the following command from operational mode:

request security tpm master-encryption-password set plain-text-password

Note:

It is recommended that no configuration changes are made while you are changing the master encryption password.

The system checks if the master encryption password is already configured. If master encryption password is configured, then you are prompted to enter the current master encryption password.

The entered master encryption password is validated against the current master encryption password to make sure these master encryption passwords match. If the validation succeeds, you will be prompted to enter the new master encryption password as plain text. You will be asked to enter the key twice to validate the password.

The system then proceeds to re-encrypt the sensitive data with the new master encryption password. You must wait for this process of re-encryption to complete before attempting to change the master encryption password again.

If for some reason, the encrypted master encryption password file is lost or corrupted, the system will not be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data in clear text, and re-encrypting them.

If the system is compromised, the administrator can recover the system using of the following method:

• Clear the TPM ownership in u-boot and then install the image in boot loader using TFTP or USB (if USB port is not restricted).

Note:

If the installed software version is older than Junos OS Release 15.1X49-D110 and the master encryption password is enabled, then installation of Junos OS Release 15.1X49-D110 will fail. You must backup the configuration, certificates, key-pairs, and other secrets and use the TFTP/USB installation procedure.

Limitations

• If Master Encryption Key (MEK) is deleted, the data cannot be decrypted. To delete MEK, you have to zeroize the device.

• To downgrade the Routing Engine, you must zeroized the Routing Engine. Once the device is zeroized it can then be safely downgraded to the image which does not support this feature.

• In dual Routing Engine configuration, if backup Routing Engine needs to be recovered, due to MEK mismatch, GRES needs to be disabled and backup Routing Engine must be zeroized. Once backup Routine Engine comes up, configure MEK using request security tpm master-encryption-password set plain-text-password command on Master RE.

• In dual Routing Engine configuration, if backup Routing Engine needs to be replaced, new backup Routing Engine must be zeroized first before adding in dual Routing Engine configuration, GRES must be disabled and re-configure MEK on master RE using request security tpm master-encryption-password set plain-text-password command.

• When you configure OSPF, IS-IS, MACsec, BGP, and VRRP on the device and reset the master password, then there is a time (in seconds) delay for the routing/dot1x subsystem to be active.

• When you configure master password, MEK, OSPF, IS-IS, MACsec, BGP, and VRRP on the device and reboot the device, then there is a time (in seconds) delay for the routing/dot1x subsystem to be active.