Master Password for Configuration Encryption
Junos OS supports encrypting configuration secrets using a master password. The master password derives an encryption key that uses AES256-GCM to protect certain secrets such as private keys, system master passwords, and other sensitive data by storing them in AES256-encrypted format. For more information, read this topic.
Using Trusted Platform Module to Bind Secrets on SRX Series Devices
By enabling the Trusted Platform Module (TPM) on SRX Series devices, the software layer leverages the underlying TPM chip. TPM is a specialized chip that protects certain secrets at rest, such as private keys, system primary passwords, and other sensitive data, by storing them in AES256-encrypted format instead of in clear text. The device also generates a new SHA256 hash of the configuration each time the administrator commits the configuration. This hash is verified each time the system boots. If the configuration has been tampered with, the verification fails and the device does not continue to boot. Both the encrypted data and the hash of the configuration are protected by the TPM using the master encryption password.
Hash validation is performed during any commit operation by checking the configuration file against the saved hash from previous commits. In a chassis cluster, the hash is independently generated on the backup system as part of the commit process. A commit from any mode, that is, batch-config, dynamic-config, exclusive-config, or private config, generates the integrity hash.
The hash is saved only for the current configuration and not for any rollback configurations. The hash is not generated during reboot or shutdown of the device.
The TPM encrypts the following secrets:
- SHA256 hash of the configuration
- device primary-password
- all key-pairs on the device
The TPM chip is available on the SRX300, SRX320, SRX340, SRX345, SRX5400, SRX5600, and SRX5800 devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with the SRX5K-RE3-128G Routing Engine (RE3). The TPM chip is enabled by default. You must configure a master encryption password to encrypt PKI key-pairs and the configuration hash. To configure the master encryption password, see Configuring Master Encryption Password.
- Limitations
- Configuring Master Encryption Password
- Verifying the Status of the TPM
- Changing the Master Encryption Password
Limitations
The following limitations and exceptions apply to the configuration file integrity feature using TPM:
- This feature is supported only on the SRX300, SRX320, SRX340, SRX345, SRX5400, SRX5600, and SRX5800 devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with RE3.
- If the master encryption password is not set, data is stored unencrypted.
- The file integrity feature is not supported together with the configuration file encryption feature that uses keys saved in EEPROM. You can enable only one function at a time.
- In a chassis cluster, both nodes must have the same TPM settings. This means that both nodes in the chassis cluster must have TPM enabled, or both nodes must have TPM disabled. The chassis cluster must not have one node with TPM enabled and the other node with TPM disabled.
Configuring Master Encryption Password
Before configuring the master encryption password, ensure that you have configured set system master-password plain-text-password; otherwise, certain sensitive data will not be protected by the TPM.
Set the master encryption password using the following CLI command:
request security tpm master-encryption-password set plain-text-password
You will be prompted to enter the master encryption password twice, to make sure that these passwords match. The master encryption password is validated for required password strength.
After the master encryption password is set, the system proceeds to encrypt the sensitive data with the master encryption password, which in turn is encrypted by the Master Binding Key that is owned and protected by the TPM chip.
If there is any issue with setting the master encryption password, a critical ERROR message is logged on the console and the process is terminated.
Verifying the Status of the TPM
You can use the show security tpm status command to verify the status of the TPM. The following information is displayed:
- TPM enabled/disabled
- TPM ownership
- TPM's Master Binding Key status (created or not created)
- master encryption password status (set or not set)
Starting with Junos OS Release 15.1X49-D120 and Junos OS Release 17.4R1, the Trusted Platform Module (TPM) firmware has been updated. The upgraded firmware version provides additional secure cryptography and improves security. Updated TPM firmware is available along with the Junos OS package. For updating TPM firmware, see Upgrading TPM Firmware on SRX-Devices. To confirm the TPM firmware version, use the show security tpm status command. The TPM Family and TPM Firmware version output fields are introduced.
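As an added example (not Juniper's code), the following script audits show security tpm status output from both nodes of a chassis cluster against the rules in this topic: TPM must be enabled, the master encryption password must be set (otherwise secrets are stored unencrypted), the Master Binding Key must exist, and both nodes must have identical TPM enabled/disabled settings. The Key: Value layout of the sample output is an assumption constructed for this example; the field names follow the documentation.

```python
import re

# Constructed sample output for two cluster nodes. The layout is assumed;
# the field names are the ones the documentation says the command displays.
NODE0_STATUS = """\
TPM status: Enabled
TPM ownership: Yes
Master Binding Key status: Created
Master encryption password status: Set
TPM Family: 2.0
TPM Firmware version: <constructed-placeholder>
"""
NODE1_STATUS = """\
TPM status: Disabled
TPM ownership: No
Master Binding Key status: Not created
Master encryption password status: Not set
TPM Family: 2.0
TPM Firmware version: <constructed-placeholder>
"""

def parse_tpm_status(text):
    """Parse 'Key: Value' lines into a dict keyed by lower-cased field name."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            status[m.group(1).lower()] = m.group(2)
    return status

def audit_node(status):
    """Findings for one node, derived from the documented behaviour."""
    findings = []
    if status.get("tpm status", "").lower() != "enabled":
        findings.append("TPM disabled: key-pairs and configuration hash are not TPM-protected")
    if status.get("master binding key status", "").lower() != "created":
        findings.append("Master Binding Key not created")
    # Without the master encryption password, data is stored unencrypted.
    if status.get("master encryption password status", "").lower() != "set":
        findings.append("master encryption password not set: secrets stored unencrypted")
    return findings

def audit_cluster(node_statuses):
    """Per-node findings plus the cluster rule that TPM settings must match."""
    findings = {name: audit_node(st) for name, st in node_statuses.items()}
    enabled = {st.get("tpm status", "").lower() for st in node_statuses.values()}
    if len(enabled) > 1:
        findings["cluster"] = ["TPM enabled on one node and disabled on the other: unsupported"]
    return findings

if __name__ == "__main__":
    nodes = {"node0": parse_tpm_status(NODE0_STATUS), "node1": parse_tpm_status(NODE1_STATUS)}
    for name, items in audit_cluster(nodes).items():
        print(name, items or "OK")
```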
Changing the Master Encryption Password
Changing the master encryption password is done using the CLI.
To change the master encryption password, enter the following command from operational mode:
request security tpm master-encryption-password set plain-text-password
It is recommended that no configuration changes are made while you are changing the master encryption password.
The system checks whether the master encryption password is already configured. If it is, you are prompted to enter the current master encryption password.
The entered master encryption password is validated against the current master encryption password to make sure these master encryption passwords match. If the validation succeeds, you will be prompted to enter the new master encryption password as plain text. You will be asked to enter the key twice to validate the password.
The system then proceeds to re-encrypt the sensitive data with the new master encryption password. You must wait for this process of re-encryption to complete before attempting to change the master encryption password again.
If, for some reason, the encrypted master encryption password file is lost or corrupted, the system will not be able to decrypt the sensitive data. The system can only be recovered by re-importing the sensitive data in clear text and re-encrypting it.
If the system is compromised, the administrator can recover the system using the following method:
Clear the TPM ownership in u-boot and then install the image in the boot loader using TFTP or USB (if the USB port is not restricted).
If the installed software version is older than Junos OS Release 15.1X49-D110 and the master encryption password is enabled, then installation of Junos OS Release 15.1X49-D110 will fail. You must back up the configuration, certificates, key-pairs, and other secrets and use the TFTP/USB installation procedure.