SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  encrypting the srx configuration file

    Posted 06-16-2016 02:14

    Hi all,

    There's an option to encrypt your config file on the srx:

    http://www.juniper.net/documentation/en_US/junos12.1x44/topics/task/configuration/security-configuration-file-encrypting.html

    It works nicely, but if you are archiving your configs on a management server, then how would you be able to read/decrypt your config files in case you need to?

    This seems like a legit question, as sometimes one would need to review the deployed config whilst the SRX in question is crashed or unreachable for some other reason.

    Perhaps it's possible with Junos Space, but while we might be able to use that in the future, I haven't been able to find any documentation on that so far either.

    I tried some AES decrypting tools, but no luck so far. (I have the encryption key of course, I entered it in the EEPROM myself...)

    Anyone got any experience with this?

    Kind regards,



  • 2.  RE: encrypting the srx configuration file

    Posted 06-22-2016 02:14

    But do you see the config files as encrypted on your log server? I haven't tested the config personally, but AFAIK this encryption is for config files saved locally.



  • 3.  RE: encrypting the srx configuration file

    Posted 06-22-2016 03:56

    Hi Suraj,

    Yes, I can (well actually, can't 🙂) see them as encrypted on the log/archival server.

    I thought of that as well, but it doesn't seem to make sense if it's only possible to decrypt the config locally on the SRX.

    I mean, that would kind of defy the idea of being able to do proper backups of your configs (or at least being able to use your backups in case of emergency).

    Regards,

    Radboud



  • 4.  RE: encrypting the srx configuration file

    Posted 06-23-2016 01:35

    Thanks, I also verified it's an encrypted file on the log server. Checking the possible ways of decrypting it...



  • 5.  RE: encrypting the srx configuration file
    Best Answer

    Posted 06-24-2016 07:22

    Hi Radboud,

    We can’t decrypt the config file outside of an SRX device. You can only decrypt it in the original SRX, or another SRX that has the same key. There’s also another option to set the key that is unique to the chassis serial number. In that case, only the original SRX can decrypt the file. http://www.juniper.net/techpubs/software/junos-security/junos-security10.4/junos-security-admin-guide/index.html?config-files-encrypt-decrypt-section.html

    We may contact the Sales/Accounts team to get this as a feature on future releases.
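    The practical consequence of this answer (an encrypted config can only be decrypted on an SRX holding the same key, or on the original chassis when the serial-number-bound key is used) is that an archive of such backups cannot be reviewed offline in an emergency. The following is an added example, not code from this thread or from Juniper: a Python check that audits a backup archive and flags files that are not readable Junos text, so the gap is discovered before an outage rather than during one. The marker strings, the entropy threshold, the file names and the sample archive are assumptions made for the example; the opaque sample is built from SHA-256 output and does not imitate the real Junos encrypted-file format.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple

# Assumed markers that a readable Junos text configuration normally contains.
JUNOS_MARKERS = ("version ", "system {", "## Last commit:", "security {")

# Assumed threshold: text configs sit well below 6 bits/byte, ciphertext near 8.
HIGH_ENTROPY = 6.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_backup(data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'readable', 'opaque', 'unknown' or 'empty'."""
    if not data:
        return "empty", "zero-length file"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque", "not valid UTF-8 text"
    if any(marker in text for marker in JUNOS_MARKERS):
        return "readable", "contains Junos configuration markers"
    entropy = shannon_entropy(data)
    if entropy > HIGH_ENTROPY:
        return "opaque", f"no config markers and high entropy ({entropy:.2f} bits/byte)"
    return "unknown", f"no config markers, entropy {entropy:.2f} bits/byte"


def audit_archive(archive: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Classify every backup in a name -> contents mapping."""
    return {name: classify_backup(blob) for name, blob in archive.items()}


# Constructed sample: a small plaintext Junos-style config (not a real device's config).
PLAINTEXT_CONFIG = b"""## Last commit: 2016-06-16 02:14:00 UTC by admin
version 12.1X44;
system {
    host-name srx-sample;
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
"""


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted backup (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


OPAQUE_BLOB = _pseudo_ciphertext(b"constructed-sample-not-real-junos-format", 4096)

# Constructed archive: one readable backup and one that would be useless offline.
SAMPLE_ARCHIVE = {
    "srx-sample_2016-06-15.conf": PLAINTEXT_CONFIG,
    "srx-sample_2016-06-16.conf": OPAQUE_BLOB,
}

if __name__ == "__main__":
    for name, (verdict, reason) in audit_archive(SAMPLE_ARCHIVE).items():
        print(f"{name}: {verdict} ({reason})")
```

    Run against a real archive directory by reading each file into the mapping passed to `audit_archive`; any file reported as opaque is one that, per the answer above, can only be restored to an SRX with the matching key and cannot be reviewed on the management server.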



  • 6.  RE: encrypting the srx configuration file

    Posted 06-26-2016 23:35

    Hello Suraj,

    Thanks for the update!

    I was afraid this wouldn't be possible indeed, but it seemed a bit silly to me.

    I would at least expect Junos Space to be able to do this.

    Too bad, because we often have to (temporarily) deploy SRX firewalls at locations that may not always be under our physical administration; these are perfectly feasible candidates to encrypt the config as a security measure.

    I was aware of the "unique" parameter, this is actually what I was planning to use, so that no one could "simply" copy the config into another SRX of their own and still be able to read the config.

    It would be great if this could be a feature on Space, or that Juniper would provide us with a separate decrypt tool.

    We would most certainly be using this option then, but for now, since we can't use the backup files this way, it's not of much use to us.

    Thanks again though,

    Radboud Veld