Provisioning Using Configuration Files
134
VSP736 Administrator and Provisioning Manual
Securing configuration files with AES encryption
You can encrypt your configuration files to prevent unauthorized users modifying the
configuration files. The VSP736 firmware decrypts files using the AES 256 algorithm. After
encrypting a file and placing it on your provisioning server, you can enable the VSP736 to
decrypt the file after fetching it from the server.
The procedures in this section use OpenSSL for Windows for file encryption, as shown in
Figure 2.
To decrypt a configuration file, you will need a 16-character AES key that you specified
when you encrypted the file. The key (or passphrase) is limited to 16 characters in length
and supports special characters
~ ^ ` % ! & - _ + = | . @ * : ; , ? ( ) [ ] { } < > / \ #
as well as
spaces.
To encrypt a configuration file:
1.
(Optional) Place your configuration file in the same folder as the openssl executable
file. If the configuration file is not in the same folder as the openssl executable file, you
can enter a relative pathname for the [infile] in the next step.
2.
Double-click the
openssl.exe
file.
3.
On the openssl command line, type:
enc -aes-256-cbc -pass pass:[passphrase123456] -in [infile] -out [outfile]
-nosalt -p
Elements in brackets are examples—do not enter the brackets. Enter a 16-character
passphrase and the unencrypted configuration file filename (the "infile") and a name for the
encrypted file ("outfile") that will result.
Figure 2. OpenSSL command line
The encryption of configuration files is supported only for the auto provisioning
process. Encrypt files only if you intend to store them on a provisioning server. Do
not encrypt files that you intend to manually import to the VSP736. You cannot
enable decryption for manually imported configuration files.