Master Password for Configuration Encryption

Junos OS and Junos OS Evolved support an encryption method for configuration secrets that is based on a master password. The master password derives an encryption key that is used with AES256-GCM to protect certain secrets, such as private keys, system master passwords, and other sensitive data, by storing them in an AES256-encrypted format. For more information, read this topic.

Note:

The master password is separate from the device's root password.

Hardening Shared Secrets in Junos OS

Understanding Hardening Shared Secrets

Existing shared secrets ($9$ format) in Junos OS currently use an obfuscation algorithm, which is not strong encryption for configuration secrets. If you want strong encryption for your configuration secrets, you can configure a master password. The master password is used to derive an encryption key, which is used with AES256-GCM to encrypt configuration secrets. This new encryption method produces $8$-formatted strings.

Starting with Junos OS Release 15.1X49-D50 and Junos OS Evolved Release 22.4R1, new CLI commands are introduced to configure a system master password to provide stronger encryption for configuration secrets. The master password encrypts secrets like the RADIUS password, IKE preshared keys, and other shared secrets in the Junos OS management process (mgd) configuration. The master password itself is not saved as part of the configuration. The password quality is evaluated for strength, and the device gives feedback if weak passwords are used.

The master password is used as input to the password-based key derivation function (PBKDF2) to generate an encryption key. The key is then used with the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM). The plain text that the user enters is processed by the encryption algorithm (with the key) to produce the encrypted text (cipher text). See Figure 1.

Note:

Enabling Master Password Encryption through the Trusted Platform Module (TPM) can result in increased commit times. This is because of the encryption processing that occurs each time the configuration is committed. The increase in delay varies according to CPU capability and current loading.

Figure 1: Master Password Encryption

The $8$ configuration secrets can only be shared between devices using the same master password.

The $8$-encrypted passwords have the following format:

$8$crypt-algo$hash-algo$iterations$salt$iv$tag$encrypted

See Table 1 for the details of each field.

Table 1: $8$-encrypted Password Format

crypt-algo: Encryption/decryption algorithm to be used. Currently only AES256-GCM is supported.

hash-algo: Hash (PRF) algorithm to be used for the PBKDF2 key derivation.

iterations: The number of iterations to use for the PBKDF2 hash function. The current default iteration count is 100. A higher iteration count slows each hash computation, and so slows an attacker's guesses.

salt: Sequence of ASCII64-encoded pseudorandom bytes, generated during encryption, that salt the password (a random but known string) as input to the PBKDF2 key derivation.

iv: A sequence of ASCII64-encoded pseudorandom bytes, generated during encryption, used as the initialization vector for the AES256-GCM encryption function.

tag: ASCII64-encoded representation of the AES256-GCM authentication tag.

encrypted: ASCII64-encoded representation of the encrypted password.

The ASCII64 encoding is Base64 (RFC 4648) compatible, except that no padding character ("=") is used, which keeps the strings short. For example:

$8$aes256-gcm$hmac-sha2-256$100$y/4YMC4YDLU$fzYDI4jjN6YCyQsYLsaf8A$Ilu4jLcZarD9YnyD/Hejww$okhBlc0cGakSqYxKww

Chassis Cluster Considerations

When defining a chassis cluster on SRX Series Firewalls, be aware of the following restrictions:

  • For SRX Series Firewalls, first configure the master password on each node, and then build the cluster. The same master password should be configured on each node.

  • In chassis cluster mode, if the Master Encryption Key (MEK) is set, the master password cannot be deleted, but you can reset it. You can delete the master password only by zeroizing the Routing Engine.

Note:

A change in the master password disrupts chassis clustering; therefore you must change the password on both nodes independently.

Using Trusted Platform Module to Bind Secrets on SRX Series Devices

When the Trusted Platform Module (TPM) is enabled on SRX Series Firewalls, the software layer makes use of the underlying TPM chip. The TPM is a specialized chip that protects certain secrets at rest, such as private keys, system primary passwords, and other sensitive data, by storing them in an AES256-encrypted format instead of clear text. The device also generates a new SHA256 hash of the configuration each time the administrator commits the configuration. This hash is verified each time the system boots. If the configuration has been tampered with, the verification fails and the device does not continue to boot. Both the encrypted data and the hash of the configuration are protected by the TPM using the master encryption password.

Note:

Hash validation is performed during any commit operation by checking the configuration file against the hash saved from previous commits. In a chassis cluster, the hash is independently generated on the backup system as part of the commit process. A commit from any mode (batch-config, dynamic-config, exclusive-config, or private config) generates the integrity hash.

Note:

The hash is saved only for the current configuration, not for any rollback configurations. The hash is not generated during reboot or shutdown of the device.

The TPM encrypts the following secrets:

  • SHA256 hash of the configuration

  • device primary-password

  • all key-pairs on the device

The TPM chip is available on the SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with the SRX5K-RE3-128G Routing Engine (RE3).

The TPM chip is enabled by default. You must configure the master encryption password to encrypt PKI key-pairs and the configuration hash. To configure the master encryption password, see Configuring Master Encryption Password.

Limitations

The following limitations and exceptions apply to the configuration file integrity feature using TPM:

  • This feature is supported only on the SRX300, SRX320, SRX340, SRX345, SRX380, SRX5400, SRX5600, and SRX5800 devices. On SRX5400, SRX5600, and SRX5800 devices, TPM is supported only with RE3.

  • If the master encryption password is not set, data is stored unencrypted.

  • The file integrity feature is not supported along with the configuration file encryption feature that uses keys saved in EEPROM. You can enable only one function at a time.

  • In a chassis cluster, both nodes must have the same TPM settings. This means that both nodes must have TPM enabled, or both nodes must have TPM disabled. The chassis cluster must not have one node with TPM enabled and the other node with TPM disabled.

Note:

After the Master Encryption Key (MEK) is configured and operational, downgrading to a Junos version that does not support TPM functionality is not recommended, because after the device reboots into the non-TPM-capable image, that image cannot decrypt the secrets that were encrypted by the TPM.

If you must downgrade to a non-TPM-capable image, you must first zeroize the device. Zeroization ensures that the device does not contain any secrets and removes all keys. After zeroization, the device can be downgraded to the desired non-TPM-capable image.

Configuring Master Encryption Password

Note:

Before configuring the master encryption password, ensure that you have configured set system master-password plain-text-password; otherwise, certain sensitive data will not be protected by the TPM.

Set the master encryption password using the following CLI command:

request security tpm master-encryption-password set plain-text-password

You will be prompted to enter the master encryption password twice, to make sure that these passwords match. The master encryption password is validated for required password strength.

After the master encryption password is set, the system encrypts the sensitive data with the master encryption password, which in turn is encrypted by the Master Binding Key that is owned and protected by the TPM chip.

Note:

If there is any issue with setting the master encryption password, a critical ERROR message is logged on the console and the process is terminated.

Verifying the Status of the TPM

You can use the show security tpm status command to verify the status of the TPM. The following information is displayed:

  • TPM enabled/disabled

  • TPM ownership

  • TPM’s Master Binding Key status (created or not created)

  • master encryption password status (set or not set)

Starting with Junos OS Release 15.1X49-D120 and Junos OS Release 17.4R1, Trusted Platform Module (TPM) firmware has been updated. The upgraded firmware version provides additional secure cryptography and improves security. Updated TPM firmware is available along with the Junos OS package. For updating TPM Firmware, see Upgrading TPM Firmware on SRX-Devices. To confirm the TPM firmware version, use the show security tpm status command. TPM Family and TPM Firmware version output fields are introduced.

Changing the Master Encryption Password

Changing the master encryption password is done using the CLI.

To change the master encryption password, enter the following command from operational mode:

request security tpm master-encryption-password set plain-text-password

Note:

It is recommended that no configuration changes are made while you are changing the master encryption password.

The system checks whether a master encryption password is already configured. If it is, you are prompted to enter the current master encryption password.

The entered master encryption password is validated against the current one to make sure they match. If the validation succeeds, you are prompted to enter the new master encryption password as plain text. You are asked to enter the new password twice to validate it.

The system then proceeds to re-encrypt the sensitive data with the new master encryption password. You must wait for this process of re-encryption to complete before attempting to change the master encryption password again.

If, for some reason, the encrypted master encryption password file is lost or corrupted, the system cannot decrypt the sensitive data. The system can be recovered only by re-importing the sensitive data in clear text and re-encrypting it.

If the system is compromised, the administrator can recover the system using the following method:

  • Clear the TPM ownership in u-boot and then install the image in boot loader using TFTP or USB (if USB port is not restricted).

Note:

If the installed software version is older than Junos OS Release 15.1X49-D110 and the master encryption password is enabled, installation of Junos OS Release 15.1X49-D110 fails. You must back up the configuration, certificates, key-pairs, and other secrets, and then use the TFTP/USB installation procedure.

Using Trusted Platform Module on MX Series Devices

Trusted Platform Module (TPM) 1.2 is supported on MX240, MX480, MX960, MX2010, MX2020, and MX10003 devices. A master password is used to encrypt the configuration files stored in the device.

To change the master encryption password, enter the following command from operational mode:

request security tpm master-encryption-password set plain-text-password

The TPM protects sensitive data, such as the system master password, by encryption; it encrypts and decrypts the data using keys. To decrypt the encrypted configuration secrets, you must delete the master password.

You can prevent the master password from being deleted or changed by using the protect option. Once the master password is protected, you must apply the unprotect option before you can delete or change it. Follow these steps:

  1. Configure the system master password.

  2. Configure protection of the system master password against deletion.

    The system master password is now protected. You can delete the master password only after unprotecting it.

  3. Unprotect the master password by entering the correct master password.

  4. Once the master password is unprotected, you can delete or change the master password on the system.

Limitations

  • If the Master Encryption Key (MEK) is deleted, the data cannot be decrypted. To delete the MEK, you have to zeroize the device.

  • To downgrade the Routing Engine, you must zeroize it. Once the device is zeroized, it can be safely downgraded to an image that does not support this feature.

  • In a dual Routing Engine configuration, if the backup Routing Engine needs to be recovered because of an MEK mismatch, GRES must be disabled and the backup Routing Engine must be zeroized. Once the backup Routing Engine comes up, configure the MEK on the master RE using the request security tpm master-encryption-password set plain-text-password command.

  • In a dual Routing Engine configuration, if the backup Routing Engine needs to be replaced, the new backup Routing Engine must be zeroized before it is added to the dual Routing Engine configuration; GRES must be disabled and the MEK re-configured on the master RE using the request security tpm master-encryption-password set plain-text-password command.

  • When you configure OSPF, IS-IS, MACsec, BGP, and VRRP on the device and reset the master password, there is a delay (in seconds) before the routing/dot1x subsystem becomes active.

  • When you configure the master password, MEK, OSPF, IS-IS, MACsec, BGP, and VRRP on the device and reboot the device, there is a delay (in seconds) before the routing/dot1x subsystem becomes active.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release: 17.4R1
Description: Starting with Junos OS Release 15.1X49-D120 and Junos OS Release 17.4R1, Trusted Platform Module (TPM) firmware has been updated. The upgraded firmware version provides additional secure cryptography and improves security. Updated TPM firmware is available along with the Junos OS package. For updating TPM Firmware, see Upgrading TPM Firmware on SRX-Devices. To confirm the TPM firmware version, use the show security tpm status command. TPM Family and TPM Firmware version output fields are introduced.

Release: 15.1X49-D50
Description: Starting with Junos OS Release 15.1X49-D50, new CLI commands are introduced to configure a system master password to provide stronger encryption for configuration secrets.