After you have reviewed the FIPS policy, use the fips zeroize all command to zeroize all plaintext secrets, private keys and critical security parameters (CSPs).
device# fips zeroize all
Syntax: [no] fips zeroize {all | shared-secret | host-keys}
The all option zeroizes all shared secrets and host keys. The shared-secret option zeroizes shared secret keys only. The host-keys option zeroizes host keys only.
The command also reports the deletion of each KCM key string, for example:
key-string for key-id <key-id> under key chain <keychain-name> is deleted successfully
Entering the fips zeroize shared-secret command, for example, zeroizes only the shared secret keys of the various networking protocols and the host access passwords.
Note
The fips zeroize all command may cause operational failure within networking protocols that use shared secrets and should be used with careful consideration. The default FIPS policy calls for the zeroization of all keys using the fips zeroize all command option. When you apply a less strict FIPS policy than the default, zeroize at your discretion.
Note
If any errors are displayed during zeroization for pending SSH or HTTPS sessions in use, the Crypto-officer must clear the corresponding sessions, either by disconnecting the clients remotely or by using the kill ssh or clear web-connection commands.
Note
Run the clear ikev2 sa command to manually remove the connection once FIPS mode is disabled.
Note
The fips zeroize all command zeroizes all keys irrespective of the configured FIPS policy.
The following table lists the keys used in the system that are zeroized in compliance with FIPS.
Keys used |
---|
IKEv2 DH Group-14 Private Key 2048 bit MODP |
IKEv2 DH Group-14 Public Key 2048 bit MODP |
IKEv2 DH Group-14 Shared Secret 2048 bit MODP |
IKEv2 ECDH Group-19 Private Key (P-256) |
IKEv2 ECDH Group-19 Public Key (P-256) |
IKEv2 ECDH Group-19 Shared Secret (P-256) |
IKEv2 ECDH Group-20 Private Key (P-384) |
IKEv2 ECDH Group-20 Public Key (P-384) |
IKEv2 ECDH Group-20 Shared Secret (P-384) |
IKEv2 ECDSA Private Key (P-256) |
IKEv2 ECDSA Private Key (P-384) |
IKEv2 ECDSA Public Key (P-256) |
IKEv2 ECDSA Public Key (P-384) |
IKEv2 Encrypt/Decrypt Key |
IKEv2 KDF State |
IKEv2 Pre-Shared Key (PSK) |
IKEv2/IPSec Authentication Key |
IPsec ESP Encrypt/Decrypt Key |
Local - Crypto-officer Password |
Local - Port Administrator Password |
Local - User Password |
LP DRBG Internal State |
LP DRBG Seed |
LP DRBG Value C |
LP DRBG Value V |
MKA Connectivity Association Key (CAK) |
MKA Connectivity Key Name (CKN) |
MKA Integrity Checksum Key (ICK) |
MKA Key Encryption Key (KEK) |
MKA Secure Association Key (SAK) |
MKA SP800-108 KDF State |
MP DRBG Internal State |
MP DRBG Key |
MP DRBG Seed |
MP DRBG Value V |
NTP secret |
PKI SCEP Enrollment RSA 2048-bit Private Key |
PKI SCEP Enrollment RSA 2048-bit Public Key |
RADIUS Secret |
SNMPv3 KDF State |
SNMPv3 secret |
SSHv2 Client RSA Private Key |
SSHv2 Client RSA Public Key |
SSHv2 DH Group-14 Peer Public Key 2048 bit MODP |
SSHv2 DH Group-14 Private Key 2048 bit MODP |
SSHv2 DH Group-14 Public Key 2048 bit MODP |
SSHv2 DH Shared Secret Key (2048 bit) |
SSHv2 Host RSA Private Key (2048 bit) |
SSHv2 Host RSA Public Key (2048 bit) |
SSHv2 KDF Internal State |
SSHv2/SCP Authentication Key (HMAC-SHA-1, 160 bits) |
SSHv2/SCP Session Keys (128, 192 and 256 bit AES CBC and AES CTR) |
TACACS+ Secret |
TLS Authentication Key |
TLS Host DH Group-14 Private Key 2048 bit MODP |
TLS Host DH Group-14 Public Key 2048 bit MODP |
TLS Host RSA Private Key (RSA 2048 bit) |
TLS Host RSA Public Key (RSA 2048 bit) |
TLS KDF Internal State |
TLS Master Secret |
TLS Peer DH Group-14 Public Key 2048 bit MODP |
TLS Peer Public Key (RSA 2048 bit) |
TLS Pre-Master Secret |
TLS Session Key |
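The notes above say that zeroization can fail for SSH or HTTPS sessions still in use, and that the Crypto-officer must then clear those sessions with kill ssh or clear web-connection before the keys are actually zeroized. The following Python script is an added example, not part of the vendor documentation: it checks a captured fips zeroize all transcript, confirms which KCM key strings were reported deleted (using the message format documented above), and flags any session that blocked zeroization together with the documented remedial command. The sample transcript is constructed, and the format of the "session ... is in use" error lines is an assumption, since the documentation shows only the key-string deletion message.

```python
import re

# Constructed sample transcript of "fips zeroize all". The key-string lines use
# the format the documentation shows; the two "in use" error lines are an ASSUMED
# format (the documentation does not show the exact error text).
SAMPLE_OUTPUT = """\
key-string for key-id 1 under key chain ospf-area0 is deleted successfully
key-string for key-id 2 under key chain ospf-area0 is deleted successfully
key-string for key-id 7 under key chain bgp-peers is deleted successfully
Error: SSH session 2 is in use, host key not zeroized
Error: HTTPS session 1 is in use, TLS host key not zeroized
"""

# Documented success message for KCM key-string deletion.
KCM_DELETED = re.compile(
    r"^key-string for key-id (?P<key_id>\S+) under key chain (?P<chain>\S+) "
    r"is deleted successfully$"
)
# Assumed error format for a pending session that blocks zeroization.
SESSION_IN_USE = re.compile(r"^Error: (?P<proto>SSH|HTTPS) session (?P<sid>\d+) is in use")

# Remedial commands the FIPS note tells the Crypto-officer to use.
REMEDIATION = {"SSH": "kill ssh", "HTTPS": "clear web-connection"}


def parse_zeroize_output(text):
    """Split zeroize output into deleted key strings, blocking sessions and other errors."""
    deleted, blocked, other_errors = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KCM_DELETED.match(line)
        if m:
            deleted.append((m.group("chain"), m.group("key_id")))
            continue
        m = SESSION_IN_USE.match(line)
        if m:
            blocked.append((m.group("proto"), int(m.group("sid"))))
            continue
        if line.lower().startswith("error"):
            # Any other error means zeroization must not be treated as complete.
            other_errors.append(line)
    return {"deleted": deleted, "blocked": blocked, "errors": other_errors}


def remediation_commands(blocked):
    """Return the documented clearing command for each session type that blocked zeroization."""
    return sorted({REMEDIATION[proto] for proto, _ in blocked})


def zeroization_complete(result):
    """True only when no session blocked zeroization and no other error was reported."""
    return not result["blocked"] and not result["errors"]


if __name__ == "__main__":
    result = parse_zeroize_output(SAMPLE_OUTPUT)
    for chain, key_id in result["deleted"]:
        print(f"zeroized key-id {key_id} in key chain {chain}")
    for proto, sid in result["blocked"]:
        print(f"{proto} session {sid} blocked zeroization")
    if not zeroization_complete(result):
        print("clear the sessions below, then run fips zeroize all again:")
        for cmd in remediation_commands(result["blocked"]):
            print(f"  {cmd}")
```

Treat "no blocking sessions and no other errors" as the only acceptable end state: a run that reports deleted key strings but also an in-use session has left host keys or TLS keys on the device, so the zeroize command must be repeated after the sessions are cleared.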