Share encrypted passwords and hashed passwords with another EdgeSWG (formerly ProxySG) appliance, or resolve the error "% Password could not be decrypted: RSA decryption failed" when restoring a backup to a new VM.
Article ID: 243331

Products

ProxySG Software - SGOS Advanced Secure Gateway Software - ASG

Issue/Introduction

For better security, the EdgeSWG appliance secures passwords that are stored in configuration.

  • It hashes passwords that the appliance uses to authenticate users, such as those for console accounts, privileged mode, secure serial port, and local user list users.
  • It encrypts passwords that the appliance uses to authenticate itself to outside services, such as access log clients, RADIUS secrets, LDAP search, and content filter downloads.

Note: In FIPS mode, the appliance encrypts all passwords. Version 6.7.x supports FIPS mode.

If you back up the EdgeSWG configuration, passwords are included in the configuration archives (see KB165985 and Archive the Configuration). If you are not creating a configuration archive, you can share an EdgeSWG appliance's hashed or encrypted passwords with another appliance. Perform the steps in the Resolution section.

Note: Before proceeding, make sure that you have already configured all the passwords that you want to share. When you enter the passwords in cleartext, the appliance hashes or encrypts them when saving them in the configuration.

Caution: Sharing encrypted passwords requires you to overwrite the destination appliance's current configuration-passwords-key. This makes any existing encrypted passwords on the destination appliance unreadable, because they were not encrypted with the imported key. After you import the key, you must ensure that passwords are encrypted correctly on the destination appliance:

  • For accounts or services that both the source and destination appliances share, replace all encrypted passwords on the destination appliance with equivalents from the source appliance. For example, if source and destination appliances share the same SNMPv3 users, replace their encrypted passphrases using the CLI command:
    # (config snmp user username) authentication encrypted-passphrase passphrase
  • For accounts or services on the destination appliance that do not exist on the source appliance, re-enter the existing passwords.

Resolution

On the source appliance:

  1. (Required for encrypted passwords only) Save the appliance's configuration-passwords-key keyring to file.
  2. Copy the encrypted passwords and hashed passwords from the #show config output.

On the destination appliance:

  1. (Required for encrypted passwords only) Import the configuration-passwords-key keyring.
  2. Use the appropriate CLI commands to set the hashed passwords and encrypted passwords.
  3. Re-enter cleartext passwords for the imported key to encrypt.

Step 1: Source appliance - Save the configuration-passwords-key keyring

This step is required only if you are sharing encrypted passwords. 

  1. Log in to the appliance's command line interface (CLI).
  2. Enter privileged mode (enable).
  3. Enter the following command to display the private key encrypted with a password of your choosing. The CLI prompts you to enter and confirm the password:
    #show ssl keypair aes256-cbc configuration-passwords-key
    Encryption password: ***********
    Confirm encryption password: ***********
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41

    U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE…

    -----END RSA PRIVATE KEY-----
  4. Keep the encryption password in a safe place; you will need it to install the private key on the destination appliance.

Step 2a: Source appliance - Copy the hashed passwords

  1. In the CLI, enter the following command:
    #(config)show config
    Note: This command is also available in privileged mode.

  2. In the show config output, look for the hashed passwords.

    The following example shows a hashed local user password:
    #(config)show config
    !- Version: SGOS 7.3.8.2 SWG Edition
    !- Serial number: 100...
    !- Local time: 2022-06-07 19:03:02-00:00UTC
    ...
    security local-user-list edit "my-list" ;mode
    user create "my-user"
    user edit "my-user" ;mode
    hashed-password "$PBKDF2$HMAC-SHA256:100000:L2oZuEDeN...vqzZlTte2gu/+ThN8="
    exit
    ...
    !- END authentication
  3. Save the passwords in a safe place. To ensure that you can identify the passwords later, copy the full CLI command, such as user edit "my-user" … hashed-password "$PBKDF2$HMAC-SHA256:100000:L2oZuEDeN...vqzZlTte2gu/+ThN8=".

Step 2b: Source appliance - Copy the encrypted passwords

  1. Identify the accounts or services that are shared between the source and destination appliances. You will copy these passwords from the #show config output in step 3 of this procedure and specify them on the destination appliance in Step 4b.
  2. Identify the accounts or services on the destination appliance that do not exist on the source appliance. You will re-enter these existing passwords on the destination appliance in Step 4c.
  3. In the CLI, enter the following command:
    #(config)show config

    Note: This command is also available in privileged mode.

  4. In the show config output, look for the encrypted passwords.

    The following example shows an encrypted RADIUS secret:
    #(config)show config
    !- Version: SGOS 7.3.8.2 SWG Edition
    !- Serial number: 100...
    !- Local time: 2022-06-07 19:03:02-00:00UTC
    ...
    !- BEGIN authentication
    security radius create-realm-encrypted my-realm "DeZzf2x9Z7J...jQPuuHHQ==" my-hostname port
    ...
    !- END authentication
  5. Save the passwords in a safe place. To ensure that you can identify the passwords later, copy the full CLI command, such as security radius create-realm-encrypted my-realm "DeZzf2x9Z7J...jQPuuHHQ==" my-hostname port.
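As an added example (not part of this article and not a Broadcom tool), the following Python parses saved "show config" output of the kind quoted in Steps 2a and 2b, records each hashed or encrypted password together with the submode commands needed to reach it, and rebuilds the command sequence to re-enter it on the destination appliance in Step 4a/4b. The sample configuration is constructed from the fragments quoted above; the real output contains far more lines.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show config" output, modelled on the fragments quoted
# in Steps 2a and 2b above; the secret values are the page's truncated placeholders.
SAMPLE_SHOW_CONFIG = """\
!- Version: SGOS 7.3.8.2 SWG Edition
!- Serial number: 100...
!- BEGIN authentication
security local-user-list edit "my-list" ;mode
user create "my-user"
user edit "my-user" ;mode
hashed-password "$PBKDF2$HMAC-SHA256:100000:L2oZuEDeN...vqzZlTte2gu/+ThN8="
exit
exit
security radius create-realm-encrypted my-realm "DeZzf2x9Z7J...jQPuuHHQ==" my-hostname port
!- END authentication
"""

@dataclass
class StoredSecret:
    kind: str        # "hashed" or "encrypted"
    context: tuple   # enclosing "edit ... ;mode" commands, outermost first
    command: str     # full CLI line, kept so the value can be identified later

def extract_secrets(config_text):
    """Walk show config output line by line, tracking submodes (";mode" enters
    one, "exit" leaves it) and collecting every hashed or encrypted secret."""
    secrets, context = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!-"):      # blank line or "!-" comment
            continue
        if line.endswith(";mode"):                  # command that enters a submode
            context.append(line[:-len(";mode")].strip())
        elif line == "exit":                        # leaves the current submode
            if context:
                context.pop()
        elif "hashed-password" in line:
            secrets.append(StoredSecret("hashed", tuple(context), line))
        elif re.search(r"\bencrypted-|-encrypted\b", line):  # e.g. create-realm-encrypted, encrypted-secret
            secrets.append(StoredSecret("encrypted", tuple(context), line))
    return secrets

def restore_commands(secret):
    """CLI sequence to re-enter the secret on the destination appliance: enter each
    submode, issue the saved command, then back out with one "exit" per submode."""
    return list(secret.context) + [secret.command] + ["exit"] * len(secret.context)
```

If the destination uses a different list or realm name (other-list, other-realm in Step 4), edit the context commands before issuing them.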

Step 3: Destination appliance - Install the configuration-passwords-key keyring from the source appliance

This step is required only if you are sharing encrypted passwords. 

  1. Log in to the destination appliance's CLI.
  2. Enter privileged mode (enable).
  3. Enter ssl mode (ssl).
  4. Enter the following command to import the configuration-passwords-key:
    #(config ssl)inline keyring show configuration-passwords-key eof
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,2C152FB9BCE5A3509D7975F3B729FC41

    U7Nez8/lJpZ/VT0ayWN7zbROJnr0Vwg3gNOTfZwQrtMDXdE…

    -----END RSA PRIVATE KEY-----eof
    Decryption password: ***********
    ok

    After you type the end-of-file characters, the CLI prompts you to enter the password you used to encrypt the key on the source appliance. Enter the password to import the key.

Step 4a: Destination appliance - Specify the hashed passwords from the source appliance

In the CLI, enter the appropriate commands to configure the passwords you copied from the source appliance. Refer to the Command Line Interface Reference documentation.

For example, enter the following commands to specify the hashed local user password:

# (config)security
# (config)security local-user-list edit other-list
# (config local-user-list other-list)user edit my-user
# (config local-user-list other-list my-user)hashed-password $PBKDF2$HMAC-SHA256:100000:L2oZuEDeN...vqzZlTte2gu/+ThN8=
  ok

Step 4b: Destination appliance - Specify the encrypted passwords from the source appliance

Replace all the encrypted passwords on the destination appliance with equivalents from the source appliance. In the CLI, enter the appropriate commands to configure the passwords you copied from the source appliance. Refer to the Command Line Interface Reference documentation.

For example, enter the following commands to specify the encrypted RADIUS secret:

# (config)security
# (config)security radius edit-realm other-realm
# (config radius other-realm)primary-server encrypted-secret DeZzf2x9Z7J...jQPuuHHQ==
  ok

Step 4c: Destination appliance - Re-enter cleartext passwords for the imported key to encrypt

Re-enter the existing passwords for accounts or services that you identified as not being on the source appliance in Step 2b. Refer to the Command Line Interface Reference documentation for the appropriate commands.

For example, enter the following commands to specify the password for the primary HTTP log host.

# (config) access-log
# (config access-log)
# (config access-log)edit log_name
# (config log log_name)http-client primary password password

When you enter passwords in cleartext, the appliance encrypts the passwords using the imported configuration-passwords-key.

Additional Information

  • Externally-generated encrypted or hashed passwords are not supported, and the algorithms that the EdgeSWG appliance uses for hashing and encryption are subject to change. Only the EdgeSWG appliance should generate hashed and encrypted passwords. 
  • For more information on hashed passwords and encrypted passwords, refer to About Password Security in the EdgeSWG administration documentation.
  • Passwords are included in configuration archives. To back up and restore configuration archives, see KB165985 and Backing Up the Configuration in the EdgeSWG administration documentation.