Security: Secure Sensitive Data Management
SSD Properties
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4 369
19
Default and User-defined Passphrases
All devices come with a default, out-of-the box passphrase that is transparent to users. The
default passphrase is never displayed in the configuration file or in the CLI/GUI.
If better security and protection are desired, an administrator should configure SSD on a
device to use a user-defined passphrase instead of the default passphrase. A user-defined
passphrase should be treated as a well-guard secret, so that the security of the sensitive data on
the device is not compromised.
A user-defined passphrase can be configured manually in plain text. It can also be derived
from a configuration file. (See Sensitive Data Zero-Touch Auto Configuration). A device
always displays user-defined passphrases encrypted.
Local Passphrase
A device maintains a local passphrase that is the passphrase of its Running Configuration.
SSD normally performs encryption and decryption of sensitive data with the key generated
from the local passphrase.
The local passphrase can be configured to be either the default passphrase or a user-defined
passphrase. By default, the local passphrase and default passphrase are identical. It can be
changed by administrative actions from either the Command Line Interface (if available) or
the web-based interface. It is automatically changed to the passphrase in the startup
configuration file, when the startup configuration becomes the running configuration of the
device. When a device is reset to factory default, the local passphrase is reset to the default
passphrase.
Configuration File Passphrase Control
File passphrase control provides additional protection for a user-defined passphrase, and the
sensitive data that are encrypted with the key generated from the user-defined passphrase, in
text-based configuration files.
The following are the existing passphrase control modes:
• Unrestricted (default)—The device includes its passphrase when creating a
configuration file. This enables any device accepting the configuration file to learn the
passphrase from the file.
• Restricted—The device restricts its passphrase from being exported into a
configuration file. Restricted mode protects the encrypted sensitive data in a
configuration file from devices that do not have the passphrase. This mode should be
used when a user does not want to expose the passphrase in a configuration file.
To Next Page
Loading...
