Forum Discussion

NiHo_202842's avatar
NiHo_202842
Icon for Cirrostratus rankCirrostratus
Mar 01, 2016
Solved

Private key password location?

Hello,   I am currently looking at the option to store our private keys encrypted on the bigip. But for this to be beneficial of any kind, I would need to know how and where the bigip stores the p...
devops
LTM
security
TMSH
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Mar 01, 2016

It's stored in LTM config.

Check the BigIP conf backup file 

/config/bigip.conf
. Search for the relevant private key or ssl profile object. The password/passphrase itself should be visible as MD5-salt hash.

If you initially encrypted your private keys on BigIP appliance, it's recommended to eliminate bash history since the commands you executed (incl. the password itself) will be in plain-text. You can delete bash history by issuing command 

rm ~/.bash_history
.

  • NiHo_202842's avatar
    NiHo_202842
    Icon for Cirrostratus rankCirrostratus
    Mar 01, 2016
    Thank you for your answer @Hannes Rapp. Is the salt derived from the master key, generated on the device at boot?
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Mar 01, 2016
    I think it's a static hash and only generated once, just as you save the related config object. I could be wrong here, but my test hash stayed the same after reboot. This format does not seem to be vulnerable to public MD5 crackers as simple dictionary words like "hi" and "hello" returned no result.

Recent Discussions