Cisco ASA Series Cli Configuration Manual page 509

Chapter 1 Configuring Basic Settings
Detailed Steps
Command
Step 1
key config-key password-encryption
[new_passphrase [old_passphrase]]
Example:
hostname(config)# key config-key
password-encryption
Old key: bumblebee
New key: haverford
Confirm key: haverford
Step 2
password encryption aes
Example:
hostname(config)# password encryption aes
Step 3
write memory
Example:
hostname(config)# write memory
Purpose
Sets the passphrase used for generating the encryption key. The
passphrase must be between 8 and 128 characters long. All
characters except a backspace and double quotes are accepted
for the passphrase.
If you do not enter the new passphrase in the command, you are
prompted for it.
To change the passphrase, you must enter the old passphrase.
See the "Examples" section on page 1-10
interactive prompts.
Note
Use the interactive prompts to enter passwords to avoid
having the passwords logged in the command history
buffer.
Use the no key config-key password-encrypt command with
caution, because it changes the encrypted passwords into plain
text passwords. You can use the no form of this command when
downgrading to a software version that does not support
password encryption.
Enables password encryption. As soon as password encryption
is enabled and the master passphrase is available, all the user
passwords will be encrypted. The running configuration will
show the passwords in the encrypted format.
If the passphrase is not configured at the time that password
encryption is enabled, the command will succeed in
anticipation that the passphrase will be available in the future.
If you later disable password encryption using the no
password encryption aes command, all existing encrypted
passwords are left unchanged, and as long as the master
passphrase exists, the encrypted passwords will be decrypted,
as required by the application.
Saves the runtime value of the master passphrase and the
resulting configuration. If you do not enter this command,
passwords in startup configuration may still be visible if they
were not saved with encryption previously.
In addition, in multiple context mode the master passphrase is
changed in the system context configuration. As a result, the
passwords in all contexts will be affected. If the write memory
command is not entered in the system context mode, but not in
all user contexts, then the encrypted passwords in user contexts
may be stale. Alternatively, use the write memory all
command in the system context to save all configurations.
Cisco ASA Series CLI Configuration Guide
Configuring the Master Passphrase
for examples of the
1-9