the passphrase is encrypted using the device master key. As long the master key of your device group hasn't changed or (at least) you've created a backup of the master-key, you will be able to restore entire UCS archives or even partial configurations containing secure strings.
With this knowledge in mind, you can also fairly easily decrypt a specific secure-string back to plaintext without even knowing the cryptography behind. Just
the related configuration, grep the containing
secure-string and create for an example a new HTTP health-monitor containing the exported secure-string as password (via
). Attach the monitor to a node of your choice and then use tcpdump/wireshark to sniff the password (aka. B64 credentials) on the wire...
tmsh load sys config merge from-terminal