For certain switches in enhanced secure mode, sensitive files and paths are protected. The home directory for enhanced secure mode is /intflash/shared. You cannot access sensitive files using Telnet, SSH, FTP, SFTP, TFTP, and SCP connections. You cannot access sensitive files using CLI commands. Files transferred on the switch through the default path are saved in /intflash/shared.
The following sensitive files and paths are protected in enhanced secure mode:
/intflash/.cert
/intflash/.ike_psk.txt
/intflash/ospf_key.txt
/intflash/ospf_vrfif_key.txt
/intflash/ospf_vrfvif_key.txt
/intflash/.isis_md5key.txt
/intflash/.isis_sha2key.txt
/intflash/.isis_simplekey.txt
/intflash/.shadowfedmoc.txt
/intflash/snmp_usm_moc.txt
/intflash/.snmp_usm_moc_fed.txt
/intflash/snmp_comm_moc.txt
/intflash/.snmp_comm_moc_fed.txt
/intflash/.radsec/profile
/intflash/.ssh/ssh_rsa.key
/intflash/.ssh/ssh_dss.key
/intflash/.ssh/moc_sshc_rsa_file
/intflash/.ssh/moc_sshc_dsa_file
/intflash/.ssh/id_dsa_*
/intflash/.ssh/id_rsa_*
/intflash/server.pem
/intflash/app/server.pem
/intflash/app/restweb/certs/privkey.pem
/intflash/app/restweb/certs/server.pem
/intflash/app/restweb/certs/cert.pem
/intflash/app/slamon/certs/trustcerts.txt
/intflash/ovsdb/keys/privatekey.pem
/intflash/ovsdb/keys/sc-cert.pem
/intflash/.shadow.txt
/intflash/.ntp_keys.txt
The following CLI commands cannot be used to access the sensitive files in enhanced secure mode:
cd
copy
move
rename
remove
delete
more
edit
dir
mkdir
If you attempt to change the value of the enhancedsecure-mode flag when the system is running, you are prompted to continue or to cancel the action. If you decide to continue, all sensitive files are deleted. You must save the current configuration and then reset the switch for the change to take effect.
When you upgrade the software from versions earlier than VOSS 8.5, no sensitive files are deleted, even if the enhancedsecure-mode flag is changed.
If you upgrade the software to VOSS 8.5 and the enhancedsecure-mode flag is changed, all sensitive files are deleted.
If you enable the boot config flags factorydefaults configuration flag to return an existing switch to the factory default configuration while in enhanced secure mode, all sensitive files are deleted. If you instead use the factory default optional parameters with the default configuration, the user security files and the security mode are preserved. For more information, see Enable Factory Default Behavior.
When the switch resets after you enable enhanced secure mode or after you upgrade the switch software, all configuration files, such as the runtime, primary, and backup configuration files, are copied to /intflash/shared. The system displays the following message:
GlobalRouter SW INFO The runtime config file /intflash/config.cfg is copied to /intflash/shared/config.cfg due to changing ESM mode/upgrade version.
When the switch resets after you disable enhanced secure mode or after you downgrade the switch software, the switch uses the same configuration files as it used before the switch reset, either from /intflash/shared or from /intflash.