InformationDefines the master key passphrase used for to encrypt the application secret-keys contained in the configuration file for software releases from 8.3(1) and above.
For ASA software releases from 8.3 and below, the VPN preshared keys, Tacacs+/Radius shared keys or Routing protocols authentication passwords are encrypted in the running-configuration once generated. They can be viewed in plain-text when the file is transferred through TFTP or FTP to be stored out of the device. Therefore, if the stored file falls into the hands on an attacker, he/she will have all the passwords and application encryption keys.
From version 8.3(1) and above, the master key passphrase helps to generate the AES encryption key used to encrypt secret-keys both in the running configuration and when the file is exported through TFTP or FTP to be stored in a different location.
It improves the security because the master key is never displayed in the running-configuration.
Solution* Step 1: Set the master key passphrase with the following command:
HOSTNAME (CONFIG)# KEY CONFIG-KEY PASSWORD-ENCRYPTION _<passphrase>_
The passphrase is between 8 and 128 characters long
* Step 2: Enable the AES encryption of existing keys of the running-configuration
HOSTNAME(CONFIG)# PASSWORD ENCRYPTION AES
* Step 3: Run the following for the encryption of keys in the startup-configuration
HOSTNAME(CONFIG)# WRITE MEMORY