Configuration files contain sensitive information such as IP addresses. By default, the device stores configuration files in unencrypted format on an external compact flash. This storage method is considered a security risk because the compact flash can easily be removed from the device. To prevent unauthorized users from viewing sensitive information in configuration files, you can encrypt them.
If your device runs the Canada and U.S. version of JUNOS software with enhanced services, the configuration files can be encrypted with the Advanced Encryption Standard (AES) or Data Encryption Standard (DES) encryption algorithms. If your device runs the international version of JUNOS software with enhanced services, the files can be encrypted only with DES.
To prevent unauthorized access, the encryption key is stored in the device's EEPROM. You can copy the encrypted configuration files to another device and decrypt them if that device has the same encryption key. To prevent encrypted configuration files from being copied to another device and decrypted, you can set a unique encryption key that contains the chassis serial number of your device. Configuration files that are encrypted with a unique encryption key cannot be decrypted on any other device.
The encryption process encrypts only the configuration files in the /config and /var/db/config directories. Files in subdirectories under these directories are not encrypted. The filenames of encrypted configuration files have the extension .gz.jc—for example, juniper.conf.gz.jc.
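The scope rule above (only files directly in /config and /var/db/config, marked by the .gz.jc extension) can be checked against a copy of the device filesystem. The script below is an added example, not Juniper code; it assumes the filesystem is reachable under a root path you pass in, judges files by name only, and every sample file name except juniper.conf.gz.jc is constructed.

```shell
#!/bin/sh
# Added example: list files that configuration-file encryption leaves readable.
# Classification is by file name only; file contents are not inspected.

# classify_file REL: REL is a path relative to /config or /var/db/config.
classify_file() {
    case "$1" in
        *.gz.jc) echo ENCRYPTED ;;  # extension given to encrypted files
        */*)     echo UNCOVERED ;;  # subdirectories are never encrypted
        *)       echo PLAINTEXT ;;  # top-level file without the extension
    esac
}

# audit_config_dirs ROOT: ROOT (assumption) is where a copy of the device
# filesystem is mounted or extracted; pass "/" on the device itself.
audit_config_dirs() {
    root=${1%/}
    for dir in config var/db/config; do
        base="$root/$dir"
        [ -d "$base" ] || continue
        find "$base" -type f | sort | while IFS= read -r path; do
            rel=${path#"$base"/}
            printf '%s\t/%s/%s\n' "$(classify_file "$rel")" "$dir" "$rel"
        done
    done
}

# count_exposed ROOT: number of files to review because they lack .gz.jc.
count_exposed() {
    audit_config_dirs "$1" | awk -F '\t' '$1 != "ENCRYPTED" { n++ } END { print n + 0 }'
}

# Constructed sample tree; names other than juniper.conf.gz.jc are made up.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/config/backup" "$t/var/db/config"
    : > "$t/config/juniper.conf.gz.jc"
    : > "$t/config/rescue.conf.gz"
    : > "$t/config/backup/old.conf.gz"
    : > "$t/var/db/config/juniper.conf.1.gz.jc"
    echo "$t"
}

main() {
    if [ $# -gt 0 ]; then audit_config_dirs "$1"; return; fi
    sample=$(make_sample_tree) || return 1
    audit_config_dirs "$sample"
    rm -rf "$sample"
}
main "$@"
```

A PLAINTEXT line means a top-level file that lacks the encrypted extension; an UNCOVERED line means a file in a subdirectory, which the encryption process does not touch and which needs separate protection.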
Note: You must have superuser privileges to encrypt or decrypt configuration files.
This section contains the following topics: