How to use the configuration Encryption Tool
Posted by Elena Brambilla, Last modified by Daniel Lizaola on 22 November 2017 04:20 PM

Encrypted Configuration Download

- An external encryption tool on the PC is used to encrypt the configuration file:

enctool encrypt <plain-config-file> <enc-config-file> [<key>]

- The encrypted configuration file can then be downloaded with TFTP, triggered by
  - the CLI copy command:

copy tftp://<host>/<path> <config-file>

  - Auto Provisioning
  - SNMP
  - HTTP

- On the SmartNode the encryption is detected and the configuration file is automatically decrypted
before it is stored to flash.

- A custom encryption key can be
  - downloaded to the SmartWare
  - specified with the PC encryption tool

- The encryption key may include the MAC address and/or serial number of the SmartNode using the
placeholders $(system.mac) and $(system.serial) respectively.

- An encrypted configuration file can be uploaded to a TFTP server on request, specifying the encrypted
flag:

copy <config-file> tftp://<host>/<path> encrypted

- On the PC the encryption tool can be used to decrypt the file:

enctool decrypt <enc-config-file> <plain-config-file> [<key>]

- A log file lists the last up/downloads:

show log file-transfer

Use Cases

Install a custom encryption key (optional)

You can install a custom encryption key on the SmartNode. The encryption key is used to automatically
decrypt an encrypted configuration file that is downloaded later. A default encryption key is already
installed on the SmartNode.

To install an encryption key you have to create a file on your TFTP server that contains the key. Then you
have to download this key file to the SmartNode using the ‘copy’ command of the SmartNode:

The key file shall contain a key string of at most 24 characters on a single line. Spaces, tabs and LF/CR
characters are trimmed.

The key must not contain LF/CR or the null character and must not start or end
with a space or tab. If the key contains more than 24 characters, only the first 24 characters are
considered.


The key may contain variables that are resolved when the key file is downloaded to a SmartNode. Using
this mechanism you can specify device-specific encryption keys. We currently support the following
variables:

- $(system.mac): The MAC address of the first ethernet port. Execute the show port ethernet
command on a SmartNode to display the MAC address of a SmartNode. This value without the colon
separators and with all lower-case hexadecimal letters is used instead of the variable on the SmartNode.

- $(system.serial): The serial number of the SmartNode. Execute the show version command on
the SmartNode to display the serial number.

When your key file contains the following line…

123$(system.serial)abc$(system.mac)XYZ

show port ethernet shows the following…

Ethernet Configuration
-------------------------------------
Port : ethernet 0 0 0
State : OPENED
MAC Address : 00:0C:F1:87:D9:09
Speed : 10MBit/s
Duplex : Half
Encapsulation : ip
Binding : interface eth0 router

and show version the following….

Productname : SN1200
Software Version : R3.20 TB2005-06-24_MEYER SIP
Supplier :
Provider :
Subscriber :

Information for Slot 0:
SN1200
Hardware Version : 0004, 0001
Serial number : 100000020002
Software Version : R3.20 TB2005-06-24_MEYER SIP

the encryption key on this SmartNode will be interpreted as…

123100000020002abc000cf187d909XYZ
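The variable resolution above, worked through in code as an added example (not part of the original article or of Patton's tooling): it extracts the MAC address and serial number from constructed show command output, substitutes the placeholders, enforces the single-line/no-NUL rules, and shows the 24-character limit. It assumes the 24-character limit applies to the resolved key (the article does not say whether it applies before or after substitution).

```python
import re

# Constructed sample output, modelled on the show port ethernet / show version
# output quoted in the article (not captured from a real device).
SHOW_PORT_ETHERNET = """Ethernet Configuration
-------------------------------------
Port : ethernet 0 0 0
State : OPENED
MAC Address : 00:0C:F1:87:D9:09
Speed : 10MBit/s
"""
SHOW_VERSION = """Productname : SN1200
Information for Slot 0:
Hardware Version : 0004, 0001
Serial number : 100000020002
"""

MAX_KEY_LEN = 24  # the article's limit; assumed here to apply to the resolved key


def parse_field(output, label):
    """Return the value following 'label :' in a show command output."""
    m = re.search(r"^" + re.escape(label) + r"\s*:\s*(.*?)\s*$", output, re.M)
    if not m:
        raise ValueError("field not found: " + label)
    return m.group(1)


def resolve_key_file(key_file_text, port_output, version_output):
    """Resolve $(system.mac) / $(system.serial) in a key file and validate it."""
    key = key_file_text.strip(" \t\r\n")  # spaces, tabs and LF/CR are trimmed
    # After trimming, an inner LF/CR means the file had more than one line.
    if any(c in key for c in "\r\n\0"):
        raise ValueError("key must be a single line without LF/CR or NUL")
    # MAC without colon separators, lower-case hex; serial number verbatim.
    mac = parse_field(port_output, "MAC Address").replace(":", "").lower()
    serial = parse_field(version_output, "Serial number")
    return key.replace("$(system.mac)", mac).replace("$(system.serial)", serial)


def effective_key(resolved_key):
    """Only the first 24 characters are considered (assumption: after resolution)."""
    return resolved_key[:MAX_KEY_LEN]


if __name__ == "__main__":
    k = resolve_key_file("123$(system.serial)abc$(system.mac)XYZ\n",
                         SHOW_PORT_ETHERNET, SHOW_VERSION)
    print("resolved:", k)              # the article's 33-character result
    print("effective:", effective_key(k))  # the part the SmartNode would use
```

Note that the serial and MAC are printed by the device itself, so a key built only from these placeholders is recoverable by anyone who can run show commands; the fixed parts of the key file carry the secret.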

Then you have to download the created key file to the SmartNode. Open a telnet session and type in the
following commands:

>enable

#copy tftp://<ip>/<path> key:

where <ip> is the IP address of your TFTP server and <path> is the path to the key file relative to the
TFTP root.

Encrypt a configuration file

Use the encryption tool to encrypt a configuration file on your PC. To do so, enter the
following command:

enctool encrypt <plain-file> <encrypted-file> [<key>]

where <plain-file> is the path of the non-encrypted input configuration file and <encrypted-file> is the path
of the encrypted output configuration file. <key> specifies the encryption key which shall be used to
encrypt the configuration file. If omitted, the default key is used.

Download an encrypted configuration file

Now you can download the configuration file as usual using the CLI copy command, the autoprovisioning
feature, HTTP or SNMP download. The SmartNode automatically detects that a downloaded
file is encrypted and tries to decrypt the file using the pre-installed key.

Upload an encrypted configuration file

The SmartNode immediately decrypts a configuration file after downloading it. This means the configuration
file is stored non-encrypted in the flash memory. Thus when you upload a configuration it is uploaded
non-encrypted.

You may upload an encrypted configuration file specifying the encrypted flag at the end of the copy
command:  

#copy startup-config tftp://<ip>/<path> encrypted

This encrypts the configuration file before sending it to the TFTP server. Use the enctool decrypt
command on the PC to regain the original configuration.

File Transfer Logs

We introduced an additional log file that stores the history of all file transfers (up to 50 entries). To show
all recently executed file transfer operations enter the following command:

#show log file-transfer