The software supports encrypting the passwords of all existing user accounts by enabling password encryption at the device level. By default, the encryption service is enabled.
device(config)# service password-encryption
device(config)# do show running-config service password-encryption
service password-encryption
device(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere
device(config)# do show running-config username
username admin password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role admin desc Administrator
username testuser password $6$78rhJxmF0zFKbhu4$0WvJVdRv7.ke07E5sL7m04stPw3XO9hgIxZ/xArDpKCPk6eGTlCn0YBi3xRv856hoiDv8U9eMxxi6ZZNY4CiV/ encryption-level 10 role testrole desc "Test User"
username user password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role user desc User
Note
Clear-text passwords cannot be configured with encryption levels 7 or 10. Clear text can only be used with encryption level 0.

In the following example, the testuser account password is stored in clear text after password encryption has been disabled. The default accounts, user and admin, remain encrypted.
device(config)# no service password-encryption
device(config)# do show running-config service password-encryption
no service password-encryption
device(config)# username testuser role testrole desc "Test User" encryption-level 0 password hellothere enable true
device(config)# do show running-config username
username admin password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role admin desc Administrator
username testuser password hellothere encryption-level 0 role testrole desc "Test User"
username user password $6$mAog0c./JxVGu1zy$6wFogQmek0KOEgTav.0DVKXz1vRodc1UCAbipYft/DWnT5R6/Y3qpq7V3JHlhRNVtwguLgXnzdtBDKPKaXbBg/ encryption-level 10 role user desc User
Use the exec command password-encryption convert-enc-to-level-10 to upgrade the passwords to encryption-level 10 (SHA-512 hash format), making the passwords more secure. Once this command is executed, all encryption-level 7 passwords are converted to encryption-level 10. However, if you downgrade to a release lower than SLX 20.1.1, these accounts will not be available. This command is available only to admin users. Any clear-text (encryption-level 0) passwords are retained as is in the configuration database and are not converted to encryption-level 10 (SHA-512 hash format). These clear-text passwords can be converted using the service password-encryption configuration command.
In the following example, testuser1 has encryption-level 7, and after running the exec command, the encryption-level is changed to 10.
SLX# show running-config user | inc testuser
username testuser password "cONW1RQ0nTV9Az42/9uCQg==\n" encryption-level 7 role testrole desc "Test User"
SLX# password-encryption convert-enc-to-level-10
%WARN:This operation will convert all existing user passwords to SHA-512 format. However, the enc level 0 (clear-text) passwords, if any, will be retained as is in the configuration database. These configurations will be lost if the system is downgraded to lower releases than SLX 20.1.1
Do you want to continue? [Y/N]y
All passwords are converted successfully.
SLX# show running-config user | inc testuser
username testuser password $6$gV7A5lDXqcGc8/ma$MEVxe20jaBarALGhmSYw.p3oc9IXVj9xqNUGDnfNABGs.FAqwrM8EPDMvCJcZe/MsY9geY0ej01gma7mWWWTz0 encryption-level 10 role testrole desc "Test User"
SLX#
The exec command password-encryption convert-enc-to-level-10 is not allowed if there is a configuration rollback in progress.
SLX# password-encryption convert-enc-to-level-10
%WARN:This operation will convert all existing user passwords to SHA-512 format. However, the enc level 0 (clear-text) passwords, if any, will be retained as is in the configuration database. These configurations will be lost if the system is downgraded to lower releases than SLX 20.1.1.
Do you want to continue? [Y/N]y
%%ERROR: Password conversion is not allowed when configuration rollback session is in progress; Please try again later.
SLX#
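
Because the conversion command leaves encryption-level 0 entries untouched, it is worth auditing the username lines afterwards. The following is an added example, not part of the original documentation or the vendor's tooling: a Python check that assumes the line layout shown in the show running-config username output above and runs over constructed sample lines (the account names ops1 to ops3, the hashes and the passwords are placeholders).

```python
import re
from collections import defaultdict

# One "username ..." line as printed by "show running-config username".
USER_RE = re.compile(
    r'^username\s+(?P<name>\S+)\s+password\s+(?P<pw>"(?:[^"\\]|\\.)*"|\S+)'
    r'\s+encryption-level\s+(?P<level>\d+)\b')
# SHA-512 crypt string: $6$<salt, up to 16 chars>$<86-char digest>
SHA512_CRYPT_RE = re.compile(r'^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$')

def audit_usernames(config_text):
    """Return (account, finding) pairs for passwords that need attention."""
    findings, by_hash = [], defaultdict(list)
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        name, pw, level = m["name"], m["pw"], int(m["level"])
        if level == 0:
            findings.append((name, "clear text (encryption-level 0)"))
        elif level == 7:
            findings.append((name, "encryption-level 7, not converted to 10"))
        elif not SHA512_CRYPT_RE.match(pw):
            findings.append((name, "not a well-formed $6$ SHA-512 hash"))
        else:
            by_hash[pw].append(name)
    # Identical salt and digest means the accounts share one password.
    for names in by_hash.values():
        if len(names) > 1:
            findings += [(n, "stored hash shared by " + ", ".join(names)) for n in names]
    return findings

# Constructed sample input (placeholder hashes and passwords, not from a device).
_H1 = "$6$constructedsalt1$" + "A" * 86
_H2 = "$6$constructedsalt2$" + "B" * 86
SAMPLE = "\n".join([
    f"username admin password {_H1} encryption-level 10 role admin desc Administrator",
    f"username user password {_H1} encryption-level 10 role user desc User",
    r'username ops1 password "Q09OU1RSVUNURUQ=\n" encryption-level 7 role testrole desc "Ops 1"',
    'username ops2 password examplepass encryption-level 0 role testrole desc "Ops 2"',
    f'username ops3 password {_H2} encryption-level 10 role testrole desc "Ops 3"',
])

if __name__ == "__main__":
    for account, finding in audit_usernames(SAMPLE):
        print(f"{account}: {finding}")
```

Run it against a saved copy of the username section of the running configuration; an empty result means every account is stored as a distinct encryption-level 10 hash.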