1.1.3 Ensure 'Master Key Passphrase' is set


Defines the master key passphrase used to encrypt the application secret-keys contained in the configuration file for software releases from 8.3(1) and above.


For ASA software releases from 8.3 and below, the VPN preshared keys, Tacacs+/Radius shared keys or Routing protocols authentication passwords are encrypted in the running-configuration once generated. They can be viewed in plain-text when the file is transferred through TFTP or FTP to be stored out of the device. Therefore, if the stored file falls into the hands on an attacker, he/she will have all the passwords and application encryption keys.

From version 8.3(1) and above, the master key passphrase helps to generate the AES encryption key used to encrypt secret-keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location.

It improves the security because the master key is never displayed in the running-configuration.


Step 1: Set the master key passphrase with the following command:

hostname (config)# key config-key password-encryption <passphrase>

The passphrase is between 8 and 128 characters long

Step 2: Enable the AES encryption of existing keys of the running-configuration

hostname(config)# password encryption aes

Step 3: Run the following for the encryption of keys in the startup-configuration

hostname(config)# write memory

See Also


Item Details


References: 800-53|SC-12, CSCv7|18.5

Plugin: Cisco

Control ID: c0ff3c641962b6da00a75034fe29b91aaf6914e1c4d53bc29a153f48295b329e