Cryptography and Encryption

NVIDIA Docs Hub NVIDIA Networking Networking Software Switch Software NVIDIA Onyx User Manual v3.10.4006 Cryptography and Encryption

System File Encryption

This feature encrypts all sensitive data on NVIDIA systems including logs certificates, keys, etc.

To activate encryption on the switch:

Enable encryption and configure key location as USB (if you are using a USB device). Run:

Copy
Copied!

            
            switch (config)# crypto encrypt-data key-location usb key mypassword
 
Warning! All sensitive files are about to be encrypted
- System will perform reset factory, configuration files will be preserved
- System will be rebooted
- Active configuration will be preserved
- Do not power-off, wait for the system to boot
 
Type 'YES' to confirm this action: YES

Warning

***IMPORTANT***

Encryption and decryption perform “reset factory keep-config” on the switch system once configured. This means that sysdumps, logs, and images are deleted.

Warning

The key may be saved locally as well by using the parameter “local” instead of “usb” but that configuration is less secure.

After the system reboots, verify configuration. Run:
Copy

Copied!
```
            
            switch (config)# show crypto encrypt-data
Sensitive files encryption:
   Status:          enabled
   Key location:    usb
   Cipher:          aes256
        
```
Warning

Once encryption is enabled, reverting back to an older version while encrypted is not possible. The command “no crypto encrypt-data” must be run before attempting to downgrade to an older OS version.

Warning

If encryption is enabled, upgrading to a new OS version maintains the encryption configuration.

Cryptographic and Encryption Commands

crypto encrypt-data

	crypto encrypt-data key-location <local \| usb> key <password> no crypto encrypt-data Enables and configures system file encryption. The no form of the command decrypts sensitive information on the system.
Syntax Description	key-location	Configures where to store the encryption key: local—stores the key locally usb—stores the key on a USB device
Syntax Description	key	Configures a key
Default	N/A
Configuration Mode	config
History	3.6.1002
Example
Related Commands	show crypto certificate
Notes	It is recommended to store the encryption password on a USB device rather than locally Enabling encryption may slightly slow system performance If the key is stored on the USB, it must be plugged into the switch in order for the switch to boot. After the switch has booted, the USB key is no longer required and, for security purposes, it is recommended to remove it after running “usb eject”. The USB key may be needed again if the switch is rebooted or if the switch needs to be decrypted.

crypto ipsec ike

	crypto ipsec ike {clear sa [peer {any \| <IPv4 or IPv6 address>} local <IPv4 or IPv6 address>] \| restart} Manages the IKE (ISAKMP) process or database state.
Syntax Description	clear	Clears IKE (ISAKMP) peering state
	sa	Clears IKE generated ISAKMP and IPSec security associations (remote peers are affected)
	peer	Clears security associations for the specified IKE peer (remote peers are affected) all—clears security associations for all IKE peerings with a specific local address (remote peers are affected) IPv4 or IPv6 address—clears security associations for specific IKE peering with a specific local address (remote peers are affected)
	IPv4 or IPv6 address	Clears security associations for the specified IKE peering (remote peer is affected)
	local	Clear security associations for the specified/all IKE peering (remote peer is affected)
	restart	Restarts the IKE (ISAKMP) daemon (clears all IKE state, peers may be affected)
Default	N/A
Configuration Mode	config
History	3.2.3000
Example	switch (config)# crypto ipsec ike restart
Related Commands	show crypto certificate
Notes

crypto ipsec peer local

	crypto ipsec peer local {enable \| keying {ike negotiation {ikev1 \| ikev2} \| [auth { hmac-sha1 \| hmac-sha256 \| hmac-sha512 \| aes-xcbc} \| dh-group \| disable \| encrypt { 3des-cbc\| aes-cbc \| aes-gcm} \| exchange-mode \| lifetime \| local \| mode \| peer-identity \| pfs-group \| preshared-key \| prompt-preshared-key \| transform-set] \| manual [auth \| disable \| encrypt \| local-spi \| mode \| remote-spi]}} Configures IPSec in the system.
Syntax Description	enable	Enables IPSec peering.
	ike	Configures IPSec peering using IKE ISAKMP to manage SA keys. The following optional parameters are available: auth—configures the authentication algorithm for IPSec peering dh-group—configures the phase1 Diffie-Hellman group proposed for secure IKE key exchange disable—configures this IPSec peering administratively disabled encrypt—configures the encryption algorithm for IPSec peering exchange-mode—configures the IKE key exchange mode to propose for peering lifetime—configures the SA lifetime to propose for this IPSec peering local-identity—configures the ISAKMP payload identification value to send as local endpoint's identity mode—configures the peering mode for this IPSec peering peer-identity—configures the identification value to match against the peer's ISAKMP payload identification pfs-group—configures the phase2 PFS (Perfect Forwarding Secrecy) group to propose for Diffie-Hellman exchange for this IPSec peering preshared-key—configures the IKE pre-shared key for the IPSec peering prompt-preshared-key—prompts for the pre-shared key, rather than entering it on the command line transform-set—configures transform proposal parameters
	keying	Configures key management for this IPSec peering. auth—configures the authentication algorithm for this IPSec peering disable—configures this IPSec peering administratively disabled encrypt—configures the encryption algorithm for this IPSec peering local-spi—configures the local SPI for this manual IPSec peering mode—configures the peering mode for this IPSec peering remote-spi—configures the remote SPI for this manual IPSec peering
	manual	Configures IPSec peering using manual keys.
Default	N/A
Configuration Mode	config
History	3.2.3000 3.9.3100: Added support for IKEv2 and new ciphers
Example	switch (config)# crypto ipsec peer 10.10.10.10 local 10.7.34.139 enable
Related Commands	show crypto certificate
Notes	As of version 3.9.3100, NULL will not be supported as an authentication or encryption algorithm for IPsec peering. New ciphers are supported (hmac-sha512 and aes-xcbc for authentication and aes-gcm for encryption. 1, 2, 5, 22, 23, 24 pfs/dh-groups will not be supported, while 19, 20, 21 will be supported only with IKEv2. The transform-set options ah-and-esp-ah are no longer supported. Libreswan is used instead of openswan.

crypto certificate ca-list

	crypto certificate ca-list [default-ca-list name {<cert-name> \| system-self-signed}] no crypto certificate ca-list [default-ca-list name {<cert-name> \| system-self-signed}] Adds the specified CA certificate to the default CA certificate list. The no form of the command removes the certificate from the default CA certificate list.
Syntax Description	cert-name	The name of the certificate
Default	N/A
Configuration Mode	config
History	3.2.3000
Example	switch (config) # crypto certificate default-cert name test
Related Commands	show crypto certificate
Notes	Two certificates with the same subject and issuer fields cannot both be placed onto the CA list The no form of the command does not delete the certificate from the certificate database Unless specified otherwise, applications that use CA certificates will still consult the well-known certificate bundle before looking at the default-ca-list

crypto certificate default-cert

	crypto certificate default-cert name {<cert-name> \| system-self-signed} no crypto certificate default-cert name {<cert-name> \| system-self-signed} Designates the named certificate as the global default certificate role for authentication of this system to clients. The no form of the command reverts the default-cert name to “system-self-signed” (the “cert-name” value is optional and ignored).
Syntax Description	cert-name	The name of the certificate
Default	N/A
Configuration Mode	config
History	3.2.3000
Example	switch (config) # crypto certificate default-cert name test
Related Commands	show crypto certificate
Notes	A certificate must already be defined before it can be configured in the default-cert role If the named default-cert is deleted from the database, the default-cert automatically becomes reconfigured to the factory default, the “system-self-signed” certificate

crypto certificate generation

	crypto certificate generation default {country-code \| days-valid > \| ca-valid <true/false> \| email-addr \| hash-algorithm {sha1 \| sha256} \| key-size-bits \| locality \| org-unit \| organization \| state-or-prov} Configures default values for certificate generation.
Syntax Description	country-code	Configures the default certificate value for country code with a two-alphanumeric-character code or -- for none.
	days-valid	Configures the default certificate valid days Default value: 365 days
	email-addr	Configures the default certificate value for email address
	hash-algorithm {sha1 \| sha256}	Configures the default certificate hashing algorithm
	key-size-bits	Configures the default certificate value for private key size (private key length in bits—at least 1024, but 2048 is strongly recommended)
	locality	Configures the default certificate value for locality
	org-unit	Configures the default certificate value for organizational unit
	organization	Configures the default certificate value for the organization name
	state-or-prov	Configures the default certificate value for state or province
	ca-valid {true \| false}	Configures the default certificate CA Basic Constraints flag set to TRUE/FALSE
Default	hash-algorithm – sha1
Configuration Mode	config
History	3.2.1000 3.3.4350: Added “hash-algorithm” parameter 3.6.4000: Added “days-valid” parameter 3.8.2100: Added "ca-valid" parameter
Example	switch (config) # crypto certificate generation default hash-algorithm sha256
Related Commands	show crypto certificate
Notes

crypto certificate name

	crypto certificate name {<cert-name> \| system-self-signed} {comment <new comment> \| generate selfsigned [comment <cert-comment> \| common-name <domain> \| country-code <code> \| days-valid <days> \| ca-valid <true/false> \| email-addr <address> \| hash-algorithm {sha1 \| sha256} \| key-size-bits <bits> \| locality <name> \| org-unit <name> \| organization <name> \| serial-num <number> \| state-or-prov <name>]} \| private-key pem <PEM string> \| prompt-private-key \| public-cert [comment <comment string> \| pem <PEM string>] \| regenerate days-valid <days> \| ca-valid <true/false> \| rename <new name>} no crypto certificate name <cert-name> Configures default values for certificate generation. The no form of the command clears/deletes certain certificate settings.
Syntax Description	cert-name	Unique name by which the certificate is identified.
	comment	Specifies a certificate comment.
	generate self-signed	Generates certificates. This option has the following parameters which may be entered sequentially in any order: comment—specifies a certificate comment (free string) common-name—specifies the common name of the issuer and subject (e.g. a domain name) country-code—specifies the country codwo-alphanumeric-character country code, or “--” for none) days-valid—specifies the number of days the certificate is valid email-addr— s pecifies the email address hash-algorithm—specifies the hashing function used for signature algorithm. Default value is SHA256. key-size-bits—specifies the size of the private key in bits (private key length in bits - at least 1024 but 2048 is strongly recommended) locality—specifies the locality name org-unit—specifies the organizational unit name organization—specifies the organization name serial-num—specifies the serial number for the certificate (a lower-case hexadecimal serial number prefixed with “0x”) state-or-prov—specifies the state or province name ca-valid—Specifies certificate CA Basic Constraints flag set to TRUE/FALSE
	private-key pem	Specifies certificate contents in PEM format
	prompt-private-key	Prompts for certificate private key with secure echo
	public-cert	Installs a certificate
	regenerate	Regenerates the named certificate using configured certificate generation default values for the specified validity period
	rename	Renames the certificate
Default	N/A
Configuration Mode	config
History	3.2.3000 3.3.4402: Added “hash-algorithm” parameter 3.6.4000: Added “days-valid” parameter 3.8.2100: Added "ca-valid" parameter
Example	switch (config) # crypto certificate name system-self-signed generate self-signed hash-algorithm sha256
Related Commands	show crypto certificate
Notes

crypto certificate system-self-signed

	crypto certificate system-self-signed regenerate {[days-valid <days>] \| ca-valid <true/false>} Configures default values for certificate generation.
Syntax Description	days-valid	Specifies the number of days the certificate is valid
Syntax Description	ca-valid	Specifies certificate CA Basic Constraints flag set to TRUE/FALSE
Default	N/A
Configuration Mode	config
History	3.2.1000 3.8.2100: Added the ca-valid option
Example	switch (config) # crypto certificate system-self-signed regenerate days-valid 3 switch (config) # crypto certificate system-self-signed regenerate ca-valid false
Related Commands	show crypto certificate
Notes

show crypto certificate

	show crypto certificate [detail \| public-pem \| default-cert [detail \| public-pem] \| [name <cert-name> [detail \| public-pem] \| ca-list [default-ca-list]] Displays information about all certificates in the certificate database.
Syntax Description	ca-list	Displays the list of supplemental certificates configured for the global default system CA certificate role
	default-ca-list	Displays information about the currently configured default certificates of the CA list
	default-cert	Displays information about the currently configured default certificate
	detail	Displays all attributes related to the certificate
	name	Displays information about the certificate specified
	public-pem	Displays the uninterpreted public certificate as a PEM formatted data string
Default	N/A
Configuration Mode	config
History	3.2.1000 3.8.2100: Updated output
Example
switch (config) # show crypto certificate Certificate with name 'system-self-signed' (default-cert) Comment: system-generated self-signed certificate Private Key: present Serial Number: 0x546c935511bcafc21ac0e8249fbe0844 SHA-1 Fingerprint: fe6df38dd26801971cb2d44f62dbe492b6063c5f Validity: Starts: 2012/12/02 13:45:05 Expires: 2013/12/02 13:45:05 Subject: Common Name: IBM-DEV-Bay4 Country: IS State or Province: Locality: Organization: Organizational Unit: E-mail Address: Issuer: Common Name: IBM-DEV-Bay4 Country: IS State or Province: Locality: Organization: Organizational Unit: E-mail Address: X509 Extensions: Basic Constraints: CA: TRUE
Related Commands
Notes

show crypto encrypt-data

	show encrypt-data Displays sensitive data encryption information.
Syntax Description	N/A
Default	N/A
Configuration Mode	config
History	3.6.1002
Example	switch (config)# show crypto encrypt-data Sensitive files encryption: Status: enabled Key location: usb Cipher: aes256
Related Commands
Notes

show crypto ipsec

	show crypto ipsec [brief \| configured \| ike \| policy \| sa] Displays information ipsec configuration.
Syntax Description	N/A
Default	N/A
Configuration Mode	config
History	3.2.1000
Example	switch (config)# show crypto ipsec IPSec Summary ------------- Crypto IKE is using pluto (Openswan) daemon. Daemon process state is stopped. No IPSec peers configured. IPSec IKE Peering State ----------------------- Crypto IKE is using pluto (Openswan) daemon. Daemon process state is stopped. No active IPSec IKE peers. IPSec Policy State ------------------ No active IPSec policies. IPSec Security Association State -------------------------------- No active IPSec security associations.
Related Commands
Notes

Cryptography and Encryption

On This Page