Overview
The chassis key is used to encrypt and decrypt encrypted passwords in the configuration file. If two or more
chassis are configured with the same chassis key value, the encrypted passwords can be decrypted by any of
the chassis sharing the same chassis key value. As a corollary to this, a given chassis key value will not be
able to decrypt passwords that were encrypted with a different chassis key value.
The chassis key is used to generate the chassis ID which is stored in a file and used as the master key for
protecting sensitive data (such as passwords and secrets) in configuration files
For release 15.0 and higher, the chassis ID is an SHA256 hash of the chassis key. The chassis key can be set
by users through a CLI command or via the Quick Setup Wizard. If the chassis ID does not exist, a local MAC
address is used to generate the chassis ID.
For release 19.2 and higher, the user must explicitly set the chassis key through the Quick Setup Wizard or
CLI command. If it is not set, a default chassis ID using the local MAC address will not be generated. In the
absence of a chassis key (and hence the chassis ID), sensitive data will not appear in a saved configuration
file. The chassis ID is the SHA256 hash (encoded in base36 format) of the user entered chassis key plus a
32-byte secure random number. This assures that the chassis key and chassis ID have 32-byte entropy for key
security.
If a chassis ID is not available encryption and decryption for sensitive data in configuration files will not
work.
Configuring a New Chassis Key Value
CLI Commands
Only a user with Security Administrator privilege can execute the chassis key value and chassis keycheck
commands.
Important
Use the Exec mode chassis key value key_string command to enter a new chassis key.
The key_string is an alphanumeric string of 1 through 16 characters. The chassis key is stored as a one-way
encrypted value, much like a password. For this reason, the chassis key value is never displayed in plain-text
form.
The Exec mode chassis keycheck key_string command generates a one-way encrypted key value based on
the entered key_string. The generated encrypted key value is compared against the encrypted key value of the
previously entered chassis key value. If the encrypted values match, the command succeeds and keycheck
passes. If the comparison fails, a message is displayed indicating that the key check has failed. If the default
chassis key (MAC address) is currently being used, this key check will always fail since there will be no
chassis key value to compare against.
Use the chassis keycheck command to verify whether multiple chassis share the same chassis key value.
For release 19.2 and higher, in the absence of an existing chassis ID file the chassis keycheck command
is hidden.
Important
ASR 5500 System Administration Guide, StarOS Release 21.5
47
System Settings
Overview
To Next Page
Loading...
Need help?
General
