The software supports encrypting the passwords of all existing user accounts by enabling password encryption at the device level. By default, the encryption service is enabled.
In the following example, the testuser account password is created in clear text after password encryption has been enabled. The global encryption policy overrides command-level encryption settings, and the password is stored as encrypted.
device(config)# service password-encryption
device(config)# do show running-config service password-encryption
service password-encryption
device(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere
device(config)# do show running-config username
username admin password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role admin desc Administrator
username testuser password $6$78rhJxmF0zFKbhu4$0WvJVdRv7.ke07E5sL7m04stPw3XO9hgIxZ/xArDpKCPk6eGTlCn0YBi3xRv856hoiDv8U9eMxxi6ZZNY4CiV/ encryption-level 10 role testrole desc "Test User"
username user password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role user desc User
In the following example, the testuser account password is stored in clear text after password encryption has been disabled. The default accounts, user and admin, remain encrypted.
device(config)# no service password-encryption
device(config)# do show running-config service password-encryption
no service password-encryption
device(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere enable true
device(config)# do show running-config username
username admin password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role admin desc Administrator
username testuser password hellothere encryption-level 0 role testrole desc "Test User"
username user password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role user desc User
If you have passwords with encryption-level 7 on the device, you can use the exec command password-encryption convert-enc-to-level-10 to upgrade them to encryption-level 10 (SHA-512 hash format), making the passwords more secure. Once this command is executed, all encryption-level 7 passwords are converted to encryption-level 10. However, if you downgrade to a release lower than SLX 20.1.1, these accounts will not be available.
This command is available only to admin users. Any clear-text (encryption-level 0) passwords are retained as is in the configuration database and are not converted to encryption-level 10 (SHA-512 hash format). These clear-text passwords can be converted using the service password-encryption configuration command.
In the following example, testuser1 has encryption-level 7, and after running the exec command, the encryption-level is changed to 10.
SLX# show running-config user | inc testuser
username testuser password "cONW1RQ0nTV9Az42/9uCQg==\n" encryption-level 7 role testrole desc "Test User"
SLX# password-encryption convert-enc-to-level-10
%WARN:This operation will convert all existing user passwords to SHA-512 format. However, the enc level 0 (clear-text) passwords, if any, will be retained as is in the configuration database. These configurations will be lost if the system is downgraded to lower releases than SLX 20.1.1
Do you want to continue? [Y/N]y
All passwords are converted successfully.
SLX# show running-config user | inc testuser
username testuser password $6$gV7A5lDXqcGc8/ma$MEVxe20jaBarALGhmSYw.p3oc9IXVj9xqNUGDnfNABGs.FAqwrM8EPDMvCJcZe/MsY9geY0ej01gma7mWWWTz0 encryption-level 10 role testrole desc "Test User"
SLX#
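The two sections above (enabling service password-encryption, and converting encryption-level 7 passwords with the exec command) both leave the operator with the same question: which accounts in the running configuration still carry a level 0 or level 7 password, and which remediation applies to each? The following audit script is an added example and is not part of the SLX documentation or Extreme Networks code. It parses lines in the format of the "show running-config username" output shown on this page and reports, per account, whether a clear-text password (fix with service password-encryption) or an encryption-level 7 password (fix with password-encryption convert-enc-to-level-10) remains, and whether a level 10 value actually has the SHA-512 crypt shape. The sample configuration is constructed; the hash values are copied from the page's own examples.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the page's "show running-config username" output.
# Hash strings are the ones shown on the page; the account set itself is constructed.
SAMPLE_RUNNING_CONFIG = """\
username admin password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role admin desc Administrator
username testuser password hellothere encryption-level 0 role testrole desc "Test User"
username testuser1 password "cONW1RQ0nTV9Az42/9uCQg==\\n" encryption-level 7 role testrole desc "Test User"
username user password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role user desc User
"""

# One "username ..." line: the password field is either a quoted string (level 7 output
# on this page is quoted) or a single non-space token (clear text or a $6$ hash).
USER_LINE = re.compile(
    r'^username (?P<user>\S+) password (?P<pw>"[^"]*"|\S+) '
    r'encryption-level (?P<level>\d+) role (?P<role>\S+)'
)

# SHA-512 crypt: "$6$" + salt (up to 16 chars) + "$" + 86 chars of the crypt alphabet.
SHA512_CRYPT = re.compile(r"^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$")

# Finding codes and the remediation each one maps to (commands are the ones on this page).
REMEDIATION = {
    "CLEAR_TEXT": "enable 'service password-encryption' so the stored value is hashed",
    "LEVEL_7": "run the exec command 'password-encryption convert-enc-to-level-10' as admin",
    "BAD_LEVEL10_HASH": "value claims encryption-level 10 but is not a SHA-512 crypt string; investigate",
}


@dataclass
class Account:
    user: str
    password: str
    level: int
    role: str


def parse_usernames(config_text: str) -> list[Account]:
    """Extract Account records from running-config text; non-matching lines are ignored."""
    accounts = []
    for line in config_text.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            accounts.append(
                Account(m["user"], m["pw"].strip('"'), int(m["level"]), m["role"])
            )
    return accounts


def audit(accounts: list[Account]) -> dict[str, str]:
    """Return {username: finding_code} for every account that needs attention."""
    findings = {}
    for a in accounts:
        if a.level == 0:
            findings[a.user] = "CLEAR_TEXT"
        elif a.level == 7:
            findings[a.user] = "LEVEL_7"
        elif a.level == 10 and not SHA512_CRYPT.match(a.password):
            findings[a.user] = "BAD_LEVEL10_HASH"
    return findings


def report(config_text: str) -> list[str]:
    """Human-readable lines: 'user: CODE -> remediation', one per finding."""
    return [
        f"{user}: {code} -> {REMEDIATION[code]}"
        for user, code in audit(parse_usernames(config_text)).items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_RUNNING_CONFIG) or ["no level 0 or level 7 passwords found"]:
        print(line)
```

Run it against the saved output of show running-config username on an SLX device (or pipe the output in); an empty report means every account is stored at encryption-level 10 with a well-formed SHA-512 hash. Note that two accounts sharing an identical $6$ string, as admin and user do in the page's example, share the same salt and therefore the same password; the audit does not flag that, but it is worth a glance when reading the output.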
The exec command password-encryption convert-enc-to-level-10 is not allowed if a configuration rollback is in progress.
SLX# password-encryption convert-enc-to-level-10
%WARN:This operation will convert all existing user passwords to SHA-512 format. However, the enc level 0 (clear-text) passwords, if any, will be retained as is in the configuration database. These configurations will be lost if the system is downgraded to lower releases than SLX 20.1.1.
Do you want to continue? [Y/N]y
%%ERROR: Password conversion is not allowed when configuration rollback session is in progress; Please try again later.
SLX#