Cryptography and Encryption
This page lists the commands for configuring, generating and modifying the X.509 certificates used by the system. Certificates are used to establish a trusted SSL connection to the system.
The crypto commands also cover the IPSec configuration commands used to establish a secure connection between hosts at the IP layer, which is useful for transferring sensitive information.
System File Encryption
This feature encrypts all sensitive data on NVIDIA systems, including logs, certificates, keys, etc.
To activate encryption on the switch:
Enable encryption and configure the key location as USB (if you are using a USB device). Run:
switch(config)# crypto encrypt-data key-location usb key mypassword
Warning! All sensitive files are about to be encrypted
- System will perform reset factory, configuration files will be preserved
- System will be rebooted
- Active configuration will be preserved
- Do not power-off, wait for the system to boot
Type 'YES' to confirm this action: YES
Note: ***IMPORTANT*** Encryption and decryption perform “reset factory keep-config” on the switch system once configured. This means that sysdumps, logs, and images are deleted.
Note: The key may be saved locally as well by using the parameter “local” instead of “usb”, but that configuration is less secure.
After the system reboots, verify the configuration. Run:
switch(config)# show crypto encrypt-data
Sensitive files encryption:
  Status: enabled
  Key location: usb
  Cipher: aes256
Note: Once encryption is enabled, reverting to an older version while encrypted is not possible. The command “no crypto encrypt-data” must be run before attempting to downgrade to an older OS version.
Note: If encryption is enabled, upgrading to a new OS version maintains the encryption configuration.
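The verification step above is easy to automate when many switches are involved. The following Python script is an added example (not part of the NVIDIA documentation): it parses the fields that `show crypto encrypt-data` prints, as shown above, and reports any deviation from the expected hardened state of encryption enabled, key stored on USB, and cipher aes256. The sample output is constructed from the fields on this page, and the function names are the example's own.

```python
"""Audit `show crypto encrypt-data` output (added example, not NVIDIA code)."""
import re

# Constructed sample: the fields the page shows, laid out one per line as the switch prints them.
SAMPLE_OUTPUT = """\
switch (config)# show crypto encrypt-data
Sensitive files encryption:
  Status: enabled
  Key location: usb
  Cipher: aes256
"""

# Matches the three fields whether the output is multi-line or was flattened onto one line.
FIELD_RE = re.compile(r"(Status|Key location|Cipher):\s*(\S+)")


def parse_encrypt_data(text):
    """Return {'status': ..., 'key_location': ..., 'cipher': ...} from the show output."""
    settings = {}
    for field, value in FIELD_RE.findall(text):
        settings[field.lower().replace(" ", "_")] = value.lower()
    return settings


def audit_encrypt_data(settings, expected_cipher="aes256"):
    """Return a list of findings; an empty list means the hardened state described on the page."""
    findings = []
    if settings.get("status") != "enabled":
        findings.append("sensitive-file encryption is not enabled")
    location = settings.get("key_location")
    if location is None:
        findings.append("key location not reported")
    elif location == "local":
        findings.append("key is stored on the system itself (key-location local), "
                        "which the page calls less secure than usb")
    elif location != "usb":
        findings.append(f"unexpected key location {location!r}")
    cipher = settings.get("cipher")
    if cipher != expected_cipher:
        findings.append(f"cipher {cipher!r} differs from expected {expected_cipher!r}")
    return findings


if __name__ == "__main__":
    result = audit_encrypt_data(parse_encrypt_data(SAMPLE_OUTPUT))
    print("\n".join(result) if result else "OK: encryption enabled, key on USB, cipher aes256")
```

Feed the script the captured output of each switch (for example, from a scripted SSH session) and treat any non-empty finding list as a compliance failure; a key location of "local" is reported separately because the page explicitly calls that configuration less secure.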
Cryptographic and Encryption Commands
crypto encrypt-data
crypto encrypt-data key-location <local | usb> key <password>
no crypto encrypt-data
Enables and configures system file encryption.
The no form of the command decrypts sensitive information on the system.
Syntax Description
key-location
Configures where the encryption key is stored: local (on the system itself) or usb (on a USB device)
key
Configures the encryption key (password)
Default
N/A
Configuration Mode
config
History
3.6.1002
Example
Related Commands
show crypto certificate
Notes
crypto ipsec ike
crypto ipsec ike {clear sa [peer {any | <IPv4 or IPv6 address>} local <IPv4 or IPv6 address>] | restart}
Manages the IKE (ISAKMP) process or database state.
Syntax Description
clear
Clears IKE (ISAKMP) peering state
sa
Clears IKE generated ISAKMP and IPSec security associations (remote peers are affected)
peer
Clears security associations for the specified IKE peer (remote peers are affected)
IPv4 or IPv6 address
Clears security associations for the specified IKE peering (remote peer is affected)
local
Clears security associations for the specified or all IKE peerings on the given local address (remote peers are affected)
restart
Restarts the IKE (ISAKMP) daemon (clears all IKE state, peers may be affected)
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config)# crypto ipsec ike restart
Related Commands
show crypto certificate
Notes
crypto ipsec peer local
crypto ipsec peer local {enable | keying {ike [negotiation {ikev1 | ikev2} | auth {hmac-sha1 | hmac-sha256 | hmac-sha512 | aes-xcbc} | dh-group | disable | encrypt {3des-cbc | aes-cbc | aes-gcm} | exchange-mode | lifetime | local | mode | peer-identity | pfs-group | preshared-key | prompt-preshared-key | transform-set] | manual [auth | disable | encrypt | local-spi | mode | remote-spi]}}
Configures IPSec in the system.
Syntax Description
enable
Enables IPSec peering.
ike
Configures IPSec peering using IKE (ISAKMP) to manage SA keys. The optional IKE parameters are those listed in the command syntax.
keying
Configures key management for this IPSec peering.
manual
Configures IPSec peering using manual keys.
Default
N/A
Configuration Mode
config
History
3.2.3000
3.9.3100: Added support for IKEv2 and new ciphers
Example
switch (config)# crypto ipsec peer 10.10.10.10 local 10.7.34.139 enable
Related Commands
show crypto certificate
Notes
As of version 3.9.3100, NULL is no longer supported as an authentication or encryption algorithm for IPSec peering. New ciphers are supported (hmac-sha512 and aes-xcbc for authentication, and aes-gcm for encryption). PFS/DH groups 1, 2, 5, 22, 23 and 24 are no longer supported, while groups 19, 20 and 21 are supported only with IKEv2. The transform-set option ah-and-esp-ah is no longer supported. Libreswan is used instead of Openswan.
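The constraints in the note above are the kind of thing worth checking before an upgrade to 3.9.3100 or later, since a peering that still uses a dropped group or algorithm will stop negotiating. The following Python script is an added example (not part of the NVIDIA documentation). It assumes the per-peer IKE settings are available as running-config lines of the form `crypto ipsec peer <peer> local <local> keying ike <setting> <value>`; the page lists the keywords but not the stored line format, and the `dh-group <n>` / `pfs-group <n>` value form and the IKEv1-when-unset default are assumptions. The peer address 10.10.10.11 in the sample is constructed; the 3des-cbc warning is the example's own policy, not a page statement.

```python
"""Check IPsec IKE peering settings against the 3.9.3100 constraints on this page.
Added example, not NVIDIA code."""
import re
from collections import defaultdict

# Assumed config-line shape (the page lists the keywords but not the stored form):
#   crypto ipsec peer <peer> local <local> keying ike negotiation {ikev1 | ikev2}
#   crypto ipsec peer <peer> local <local> keying ike <setting> <value>
LINE_RE = re.compile(
    r"^crypto ipsec peer (\S+) local (\S+) keying ike (?:negotiation (\S+)|(\S+) (\S+))$"
)

UNSUPPORTED_GROUPS = {1, 2, 5, 22, 23, 24}   # dropped as of 3.9.3100
IKEV2_ONLY_GROUPS = {19, 20, 21}             # supported only with IKEv2

# Constructed sample: peer 10.10.10.10 is compliant, peer 10.10.10.11 (made-up address) is not.
SAMPLE_CONFIG = """\
crypto ipsec peer 10.10.10.10 local 10.7.34.139 keying ike negotiation ikev2
crypto ipsec peer 10.10.10.10 local 10.7.34.139 keying ike auth hmac-sha256
crypto ipsec peer 10.10.10.10 local 10.7.34.139 keying ike encrypt aes-gcm
crypto ipsec peer 10.10.10.10 local 10.7.34.139 keying ike dh-group 19
crypto ipsec peer 10.10.10.11 local 10.7.34.139 keying ike negotiation ikev1
crypto ipsec peer 10.10.10.11 local 10.7.34.139 keying ike encrypt 3des-cbc
crypto ipsec peer 10.10.10.11 local 10.7.34.139 keying ike dh-group 19
crypto ipsec peer 10.10.10.11 local 10.7.34.139 keying ike pfs-group 5
"""


def parse_ike_config(text):
    """Group the IKE settings of each peer by its (peer, local) address pair."""
    peers = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        peer, local, negotiation, key, value = m.groups()
        if negotiation:
            peers[(peer, local)]["negotiation"] = negotiation
        else:
            peers[(peer, local)][key] = value
    return dict(peers)


def check_ike_peer(settings):
    """Return findings for one peer; empty means it satisfies the page's constraints."""
    findings = []
    ike = settings.get("negotiation", "ikev1")  # assumption: IKEv1 when negotiation is not set
    for field in ("auth", "encrypt"):
        if settings.get(field, "").lower() == "null":
            findings.append(f"{field} null is not supported as of 3.9.3100")
    if settings.get("encrypt") == "3des-cbc":
        findings.append("encrypt 3des-cbc is a legacy cipher; prefer aes-cbc or aes-gcm")
    for field in ("dh-group", "pfs-group"):
        if field not in settings:
            continue
        try:
            group = int(settings[field])
        except ValueError:
            findings.append(f"{field} {settings[field]!r} is not a numeric group")
            continue
        if group in UNSUPPORTED_GROUPS:
            findings.append(f"{field} {group} is not supported as of 3.9.3100")
        elif group in IKEV2_ONLY_GROUPS and ike != "ikev2":
            findings.append(f"{field} {group} requires negotiation ikev2 (peer uses {ike})")
    if settings.get("transform-set") == "ah-and-esp-ah":
        findings.append("transform-set ah-and-esp-ah is no longer supported")
    return findings


def check_ike_config(text):
    """Map each peer address to its list of findings."""
    return {peer: check_ike_peer(s) for (peer, _local), s in parse_ike_config(text).items()}


if __name__ == "__main__":
    for peer, findings in check_ike_config(SAMPLE_CONFIG).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```

Run it over the saved configuration of each switch before scheduling the upgrade; every peer with a non-empty finding list needs its keying settings changed on both ends first, because the page notes that clearing or restarting IKE state affects the remote peer as well.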
crypto certificate ca-list
crypto certificate ca-list [default-ca-list name {<cert-name> | system-self-signed}]
no crypto certificate ca-list [default-ca-list name {<cert-name> | system-self-signed}]
Adds the specified CA certificate to the default CA certificate list.
The no form of the command removes the certificate from the default CA certificate list.
Syntax Description
cert-name
The name of the certificate
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # crypto certificate ca-list default-ca-list name test
Related Commands
show crypto certificate
Notes
crypto certificate default-cert
crypto certificate default-cert name {<cert-name> | system-self-signed}
no crypto certificate default-cert name {<cert-name> | system-self-signed}
Designates the named certificate as the global default certificate role for authentication of this system to clients.
The no form of the command reverts the default-cert name to “system-self-signed” (the “cert-name” value is optional and ignored).
Syntax Description
cert-name
The name of the certificate
Default
N/A
Configuration Mode
config
History
3.2.3000
Example
switch (config) # crypto certificate default-cert name test
Related Commands
show crypto certificate
Notes
crypto certificate generation
crypto certificate generation default {country-code | days-valid | ca-valid <true/false> | email-addr | hash-algorithm {sha1 | sha256} | key-size-bits | locality | org-unit | organization | state-or-prov}
Configures default values for certificate generation.
Syntax Description
country-code
Configures the default certificate value for country code with a two-alphanumeric-character code or -- for none.
days-valid
Configures the default certificate valid days
Default value: 365 days
email-addr
Configures the default certificate value for email address
hash-algorithm {sha1 | sha256}
Configures the default certificate hashing algorithm
key-size-bits
Configures the default certificate value for the private key size (private key length in bits; at least 1024, but 2048 is strongly recommended)
locality
Configures the default certificate value for locality
org-unit
Configures the default certificate value for organizational unit
organization
Configures the default certificate value for the organization name
state-or-prov
Configures the default certificate value for state or province
ca-valid {true | false}
Configures the default value (true or false) of the certificate's CA Basic Constraints flag
Default
hash-algorithm – sha1
Configuration Mode
config
History
3.2.1000
3.3.4350: Added “hash-algorithm” parameter
3.6.4000: Added “days-valid” parameter
3.8.2100: Added "ca-valid" parameter
Example
switch (config) # crypto certificate generation default hash-algorithm sha256
Related Commands
show crypto certificate
Notes
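Because the shipped default hash algorithm is sha1 (see the Default row above), a switch whose generation defaults were never changed will keep producing SHA-1-signed certificates, which current TLS clients no longer accept. The following Python script is an added example (not part of the NVIDIA documentation): it overlays the configured `crypto certificate generation default` lines, in the form of the page's own example, on the defaults the page states, and flags sha1, a key size below the recommended 2048 bits, and a validity period longer than a local policy maximum. The 398-day maximum and the sample configuration are the example's own assumptions.

```python
"""Lint certificate-generation defaults against the guidance on this page (added example, not NVIDIA code)."""
import re

# Config-line shape taken from the page's example:
#   crypto certificate generation default <parameter> <value>
LINE_RE = re.compile(r"^crypto certificate generation default (\S+) (\S+)$")

# Defaults the page states: hash-algorithm sha1, days-valid 365.
PAGE_DEFAULTS = {"hash-algorithm": "sha1", "days-valid": "365"}

# Constructed sample running config.
SAMPLE_CONFIG = """\
crypto certificate generation default hash-algorithm sha256
crypto certificate generation default key-size-bits 1024
crypto certificate generation default days-valid 730
"""


def parse_generation_defaults(text):
    """Overlay the configured parameters on the page's stated defaults."""
    settings = dict(PAGE_DEFAULTS)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint_generation_defaults(settings, max_days=398):
    """Return findings; max_days is a local policy assumption, not a value from the page."""
    findings = []
    if settings["hash-algorithm"] == "sha1":
        findings.append("hash-algorithm is sha1 (the shipped default); configure hash-algorithm sha256")
    bits = settings.get("key-size-bits")
    if bits is None:
        findings.append("key-size-bits is not configured; the page recommends 2048")
    elif int(bits) < 2048:
        findings.append(f"key-size-bits {bits} is below the strongly recommended 2048")
    days = int(settings["days-valid"])
    if days > max_days:
        findings.append(f"days-valid {days} exceeds the local policy maximum of {max_days}")
    return findings


if __name__ == "__main__":
    for finding in lint_generation_defaults(parse_generation_defaults(SAMPLE_CONFIG)) or ["OK"]:
        print(finding)
```

Note that these defaults only affect certificates generated afterwards; an existing system-self-signed certificate keeps its old hash and key size until it is regenerated with `crypto certificate name system-self-signed generate self-signed ...` or the regenerate form.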
crypto certificate name
crypto certificate name {<cert-name> | system-self-signed} {comment <new comment> | generate self-signed [comment <cert-comment> | common-name <domain> | country-code <code> | days-valid <days> | ca-valid <true/false> | email-addr <address> | hash-algorithm {sha1 | sha256} | key-size-bits <bits> | locality <name> | org-unit <name> | organization <name> | serial-num <number> | state-or-prov <name>] | private-key pem <PEM string> | prompt-private-key | public-cert [comment <comment string> | pem <PEM string>] | regenerate {days-valid <days> | ca-valid <true/false>} | rename <new name>}
no crypto certificate name <cert-name>
Manages the named certificate: sets its comment, generates a self-signed certificate, installs a private key or public certificate, regenerates it, or renames it.
The no form of the command clears or deletes the named certificate's settings.
Syntax Description
cert-name
Unique name by which the certificate is identified.
comment
Specifies a certificate comment.
generate self-signed
Generates a self-signed certificate. The optional parameters listed in the command syntax may be entered in any order.
private-key pem
Specifies the certificate's private key in PEM format
prompt-private-key
Prompts for certificate private key with secure echo
public-cert
Installs a certificate
regenerate
Regenerates the named certificate using configured certificate generation default values for the specified validity period
rename
Renames the certificate
Default
N/A
Configuration Mode
config
History
3.2.3000
3.3.4402: Added “hash-algorithm” parameter
3.6.4000: Added “days-valid” parameter
3.8.2100: Added "ca-valid" parameter
Example
switch (config) # crypto certificate name system-self-signed generate self-signed hash-algorithm sha256
Related Commands
show crypto certificate
Notes
crypto certificate system-self-signed
crypto certificate system-self-signed regenerate {[days-valid <days>] | ca-valid <true/false>}
Regenerates the system self-signed certificate with the specified validity period and/or CA Basic Constraints flag.
Syntax Description
days-valid
Specifies the number of days the certificate is valid
ca-valid
Specifies certificate CA Basic Constraints flag set to TRUE/FALSE
Default
N/A
Configuration Mode
config
History
3.2.1000
3.8.2100: Added the ca-valid option
Example
switch (config) # crypto certificate system-self-signed regenerate days-valid 3
switch (config) # crypto certificate system-self-signed regenerate ca-valid false
Related Commands
show crypto certificate
Notes
show crypto certificate
show crypto certificate [detail | public-pem | default-cert [detail | public-pem] | name <cert-name> [detail | public-pem] | ca-list [default-ca-list]]
Displays information about all certificates in the certificate database.
Syntax Description
ca-list
Displays the list of supplemental certificates configured for the global default system CA certificate role
default-ca-list
Displays information about the currently configured default certificates of the CA list
default-cert
Displays information about the currently configured default certificate
detail
Displays all attributes related to the certificate
name
Displays information about the certificate specified
public-pem
Displays the uninterpreted public certificate as a PEM formatted data string
Default
N/A
Configuration Mode
config
History
3.2.1000
3.8.2100: Updated output
Example
switch (config) # show crypto certificate
Certificate with name 'system-self-signed' (default-cert)
X509 Extensions:
Related Commands
Notes
show crypto encrypt-data
show crypto encrypt-data
Displays sensitive data encryption information.
Syntax Description
N/A
Default
N/A
Configuration Mode
config
History
3.6.1002
Example
switch (config)# show crypto encrypt-data
Related Commands
Notes
show crypto ipsec
show crypto ipsec [brief | configured | ike | policy | sa]
Displays IPSec configuration information.
Syntax Description
N/A
Default
N/A
Configuration Mode
config
History
3.2.1000
Example
switch (config)# show crypto ipsec
Related Commands
Notes