Forum Discussion

NiHo_202842's avatar
NiHo_202842
Icon for Cirrostratus rankCirrostratus
Mar 01, 2016

Private key password location?

Hello,   I am currently looking at the option to store our private keys encrypted on the bigip. But for this to be beneficial of any kind, I would need to know how and where the bigip stores the p...
devops
LTM
security
TMSH
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Mar 01, 2016

    It's stored in LTM config.

    Check the BigIP conf backup file 

    /config/bigip.conf
    . Search for the relevant private key or ssl profile object. The password/passphrase itself should be visible as MD5-salt hash.

    If you initially encrypted your private keys on BigIP appliance, it's recommended to eliminate bash history since the commands you executed (incl. the password itself) will be in plain-text. You can delete bash history by issuing command 

    rm ~/.bash_history
    .

Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous

It's stored in LTM config.

Check the BigIP conf backup file 

/config/bigip.conf
. Search for the relevant private key or ssl profile object. The password/passphrase itself should be visible as MD5-salt hash.

If you initially encrypted your private keys on BigIP appliance, it's recommended to eliminate bash history since the commands you executed (incl. the password itself) will be in plain-text. You can delete bash history by issuing command 

rm ~/.bash_history
.

Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Mar 02, 2016
I think it's a static hash and only generated once, just as you save the related config object. I could be wrong here, but my test hash stayed the same after reboot. This format does not seem to be vulnerable to public MD5 crackers as simple dictionary words like "hi" and "hello" returned no result.