Forum Discussion
encryption of sensitive data in configuration
When configuring, for example, an AAA RADIUS shared secret in APM, the value is masqueraded in the GUI and encrypted (?) in the configuration file. With iApp it's not. Also, in iRules, I haven't found a way to protect sensitive data. Can someone tell me how such a shared secret is encrypted/encoded in the configuration data, if the iApp "limitation" will be fixed, and if there's a way to protect sensitive data in iRules? Thank you
3 Replies
- What_Lies_Bene1
Cirrostratus
No idea on your first two questions, I'm afraid, but regarding iRules you can encrypt data using the AES:: commands, amongst others. Details here: https://devcentral.f5.com/wiki/iRules.AES.ashx
- IheartF5_45022
Nacreous
Re the AES:: commands - I think you should use the CRYPTO:: commands over AES if possible (you are on v11.1 or more). The AES:: implementation, I have been told, is a little... 'flaky'.
- IheartF5_45022
Nacreous
I do know one way to hide sensitive data in an iRule - hide it in the session table, so it lives only in memory and doesn't appear in the config files.
To do this you will need to create a "Control Plane" VIP to update the data. This VIP would be internal-facing, source IP restricted and maybe client cert protected (you wouldn't want just anybody accessing it). It wouldn't have a pool associated - just an iRule:

```tcl
when HTTP_REQUEST {
    # Read the entry name and the value from the query string
    set key [URI::query [HTTP::uri] "key"]
    set value [URI::query [HTTP::uri] "value"]
    # Set the key value in session table
    table set $key $value indefinite
    log local0. "Key $key updated by [IP::remote_addr]"
}
```

Then in other iRules that need to use that data, you would reference [table lookup "blah"], where 'blah' was the value of the 'key' query parameter in the control plane iRule.
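The consuming side of the session-table approach, as an added example that is not code from any poster in this thread: it reads the secret with `table lookup`, fails closed when the entry is missing, and uses it with a CRYPTO:: command. The entry name `api_hmac_key` and the `X-Signature` header are assumptions made up for illustration.

```tcl
# Added example: a consumer iRule for a secret stored by the control plane iRule.
# Assumes the control plane VIP was called with key=api_hmac_key (constructed name)
# and that clients send a base64 HMAC-SHA256 of the URI in X-Signature (constructed).
when HTTP_REQUEST {
    # -notouch reads the entry without updating its timestamp
    set secret [table lookup -notouch "api_hmac_key"]

    # The entry exists only in memory, so it can be absent, for example
    # before it has been provisioned. Fail closed instead of using an empty key.
    if { $secret eq "" } {
        log local0.error "api_hmac_key not provisioned; rejecting [IP::remote_addr]"
        HTTP::respond 503 content "Service unavailable"
        return
    }

    # Decode the client-supplied signature; reject if missing or malformed
    set sig ""
    if { [catch { set sig [b64decode [HTTP::header value "X-Signature"]] }] || $sig eq "" } {
        unset secret
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Use the secret through CRYPTO:: rather than the AES:: commands
    set ok [CRYPTO::verify -alg hmac-sha256 -key $secret -signature $sig [HTTP::uri]]

    # Drop the local copy; the secret itself is never written to the log
    unset secret

    if { !$ok } {
        log local0.warning "Bad signature from [IP::remote_addr]"
        HTTP::respond 403 content "Forbidden"
        return
    }
}
```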