Forum Discussion

IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Sep 03, 2010

AES::encrypt - can decrypt function be carried out elsewhere?

If the F5 has used AES ecryption to encrypt a string via AES::encrypt, can the key be exported and used on another downstream device to decrypt? This downstream device could be

 

 

a) another F5

 

b) not an F5

 

 

I'm putting those 2 options there in case the answer is different for each.

 

 

The last devcentral posts I saw on this indicated that the encryption/decryption was intended to be carried out on the same device but that new information may be released soon. This was a year ago. Are there any updates?

 

 

Rgds

 

Jo

 

 

application delivery
dev
devops
iRules

3 Replies

Sort By
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Sep 03, 2010
    Another F5 device, yes certainly (You can prove that with an HA pair and a hard-coded or shared key. When an HA failover occurs, the backup device can now decrypt the content that the primary device encrypted)...

     

     

    A non-F5 device, SHOULD be possible, but I've never tried it...

     

     

    I suspect what you're trying to do though is to tunnel traffic across a network from one F5 to another? If so, why not simply use an SSL/TLS tunnel or connection?

     

     

    H
  • DeVon_Jarvis's avatar
    DeVon_Jarvis
    Icon for Nimbostratus rankNimbostratus
    Sep 07, 2010
    As Hamish said, this is possible, as long as you use a hardcoded key. Do not use [AES::key] command, as this generates a random key and the same key must be used to encrypt or decrypt. This is due to AES being a symmetric key encryption algorithm, meaning both sides need to use a shared key.

     

     

    DeVon

     

    • patonbike's avatar
      patonbike
      Icon for Cirrus rankCirrus
      Sep 17, 2020

      Does anyone know the syntax to decrypt data on say, a linux machine with openssl command? I am trying to do this as a proof of concept. Obviously we are using a pre shared key.

      What cipher is it?

      This does NOT work:

       

      openssl aes-256-ecb -d -K MY_AES_256_KEY_HERE base64 -in MY_F5_Base64_encoded_aes256_string_here.txt -debug