How to use the configuration Encryption Tool
Posted by Elena Brambilla, Last modified by Daniel Lizaola on 22 November 2017 04:20 PM
|
|
Encrypted Configuration Download - An external encryption tool on the PC is used to encrypt the configuration file: enctool encrypt <plain-config-file> <enc-config-file> [<key>] - The encrypted confiugration file can then be downloaded with TFTP triggered by - the CLI copy command: copy tftp://<host>/<path> <config-file> - Auto Provisioning - SNMP - HTTP - On the SmartNode the encryption is detected and the configuration file is automatically decrypted - A custom encryption key can be - downloaded to the SmartWare - specified with the PC encryption tool - The encryption key may include the MAC address and/or serial number of the SmartNode using the - An encrypted configuration file can be uploaded to a TFTP server on request, specifying the encrypted copy <config-file> tftp://<host>/<path> encrypted - On the PC the encryption tool can be used to decrypt the file: enctool decrypt <enc-config-file> <plain-config-file> [<key>] - A log file lists the last up/downloads: how log file-transfer Use Cases Install a custom encryption key (optional) You can install a custom encryption key with the SmartNode. The encryption key is used to automatically decrypt an encrypted configuration file that is downloaded later. A default encryption key is already installed on the SmartNode. To install an encryption key you have to create a file on your TFTP server that contains the key. Then you The key file shall contain a key string of at most 24 characters on a single line. Spaces, tabs and LF/CR The key must not contain LF/CR or the null character and must not start or end Part Nr. 80-0165, Rev. 1.13 12-07-05 49/54 The key may contain variables that are resolved when the key file is downloaded to a SmartNode. Using this mechanism you can specify device-specific encryption keys. We currently support the following - $(system.mac): The MAC address of the first ethernet port. Execute the show port ethernet command on a SmartNode to display the MAC address of a SmartNode. This value without the colon separators and with all lower-case hexadecimal letters is used instad of the variable on the SmartNode. - $(system.serial): The serial number of the SmartNode. Execte the show version command on When your key file contains the following line… 123$(system.serial)abc$(system.mac)XYZ show port ethernet shows the following… Ethernet Configuration State : OPENED MAC Address : 00:0C:F1:87:D9:09 Speed : 10MBit/s Duplex : Half Encapsulation : ip Binding : interface eth0 router and show version the following…. Productname : SN1200 Software Version : R3.20 TB2005-06-24_MEYER SIP Supplier : Provider : Subscriber : Information for Slot 0: SN1200 Hardware Version : 0004, 0001 Serial number : 100000020002 Software Version : R3.20 TB2005-06-24_MEYER SIP the encryption key on this SmartNode will be interpreted as… 123100000020002abc000cf187d909XYZ Then you have to download the created key file to the SmartNode. Open a telnet session and type in the following commands: >enable #copy tftp://<ip>/<path> key: where <ip> is the IP address of your TFTP server and <path> is the path to the key file relative to the TFTP root. Encrypt a configuration file Use the encryption tool to encrypt a configuration file on your PC. Therefore you have to enter the following command. enctool encrypt <plain-file> <encrypted-file> [<key>] where <plain-file> is the path of the non-encrypted input configuration file and <encrypted-file> is the path of the encrypted output configuration file. <key> specifies the encryption key which shall be used to encrypt the configuration file. If ommitted the default key is used. Download an encrypted configuration file Now you can download the configuration file as usual using the CLI copy-command, the autoprovisioning feature, HTTP or SNMP download. The SmartNode automatically detects that a downloaded file is encrypted and tries to decrypt the file using the pre-installed key. Upload an encrypted configuration file The SmartNode immediately decrypts a configuration file after downloading it. This is the configuration file is stored non-encrypted in the flash memory. Thus when you upload a configuration it is uploaded You may upload an encrypted configuration file specifying the encrypted flag at the end of the copy #copy startup-config tftp://<ip>/<path> encrpted This encrypts the configuration file before sending it to the TFTP server. Use the enctool decrypt command on the PC to regain the original configuration. File Transfer Logs We introduced an additional log file that stores the history of all file transfers (up to 50 entries). To show all recently executed file transfer operations enter the following command: #show log file-transfer | |
|