The appliance always encrypts passwords, private keys, and other sensitive data before they are written to disk so that hard drive theft would not compromise network security. Specifically, the appliance:
- Encrypts asymmetric private keys with standard OpenSSL passphrase-based AES encryption. Physical appliances store the master encryption key in non-removable flash on the motherboard, not on the hard disk. A thief who takes the disk therefore does not have the passphrase needed to decrypt any of the RSA private keys, and so cannot recover the passwords or other secrets that were encrypted with those keys. You can also set a passphrase that is required when importing or exporting private keys.
- Encrypts passwords and other sensitive data with RSA encryption. By default, the encryption uses the configuration-passwords-key keyring, which holds a 2048-bit RSA key. The appliance uses the same keyring to encrypt the sensitive values in the output of CLI commands (such as # (config) security password-display encrypted and # show configuration), so that a saved configuration does not contain plaintext passwords.
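The two mechanisms above, reproduced with the standard openssl command line as an added example; this is not code from the appliance or its vendor. A 2048-bit RSA key is generated and written to disk only under passphrase-based AES-256 encryption, standing in for the appliance's private-key storage, and a secret is then encrypted to that key's public half, as the appliance does with its configuration-passwords-key keyring, and recovered only after the private key is unlocked. The passphrase, file names and the secret are constructed for the demo; on the appliance the passphrase comes from the master key in on-board flash, which a stolen disk does not include.

```shell
#!/bin/sh
# Added example (not the appliance's own code). Requires the openssl CLI.
# Demonstrates, with constructed inputs:
#   1. an RSA private key that only ever reaches disk under passphrase-based
#      AES-256 encryption (PKCS#8), so the file alone is useless;
#   2. a secret encrypted to the RSA public key, recoverable only by first
#      unlocking the private key with the passphrase.
set -eu

# make_keyring DIR PASSPHRASE
# Generates a 2048-bit RSA key and writes DIR/key.pem (AES-256-CBC, PKCS#8)
# and DIR/pub.pem. genpkey is piped straight into pkcs8 so the unencrypted
# key never touches the disk.
make_keyring() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
        openssl pkcs8 -topk8 -v2 aes-256-cbc -passout "pass:$2" -out "$1/key.pem"
    openssl pkey -in "$1/key.pem" -passin "pass:$2" -pubout -out "$1/pub.pem"
}

# key_is_encrypted FILE: true when the PEM header marks the key as encrypted.
key_is_encrypted() {
    head -n 1 "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$'
}

# key_unlocks FILE PASSPHRASE: true only if PASSPHRASE decrypts the key.
key_unlocks() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# encrypt_secret PUB_FILE OUT_FILE: encrypts stdin to the public key (RSA-OAEP),
# the operation the appliance performs with its configuration-passwords-key.
encrypt_secret() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$2"
}

# decrypt_secret KEY_FILE PASSPHRASE IN_FILE: prints the plaintext, or fails
# when the passphrase is wrong (the key cannot be unlocked, so nothing
# encrypted to it can be recovered).
decrypt_secret() {
    openssl pkeyutl -decrypt -inkey "$1" -passin "pass:$2" \
        -pkeyopt rsa_padding_mode:oaep -in "$3" 2>/dev/null
}

# demo: walks through both mechanisms with a constructed passphrase and secret.
demo() {
    dir=$(mktemp -d)
    pass='demo-master-passphrase'   # constructed; stands in for the flash-held key
    make_keyring "$dir" "$pass"

    key_is_encrypted "$dir/key.pem" && echo "key.pem is stored passphrase-protected"
    key_unlocks "$dir/key.pem" 'wrong-guess' || echo "wrong passphrase: key unusable"

    printf '%s' 'proxy-admin-password' | encrypt_secret "$dir/pub.pem" "$dir/secret.bin"
    decrypt_secret "$dir/key.pem" 'wrong-guess' "$dir/secret.bin" ||
        echo "wrong passphrase: encrypted secret unrecoverable"
    printf 'recovered with the right passphrase: %s\n' \
        "$(decrypt_secret "$dir/key.pem" "$pass" "$dir/secret.bin")"

    rm -rf "$dir"
}

demo
```

Run it with sh on any host that has openssl; it needs no network. The pkcs8 -v2 form is used for the passphrase step because it behaves the same across OpenSSL 1.0.2, 1.1.1 and 3.x, and OAEP padding is chosen for the RSA step because PKCS#1 v1.5 encryption padding is no longer recommended for new designs.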