The hierarchical key management mechanism consists of three layers of key: the root key, key encryption key, and working key. The lower-layer key provides encryption protection for the upper-layer key. The root key is located at the bottom of the key management infrastructure to protect confidentiality of upper-layer keys (such as key encryption key). Therefore, a root key is critical to data security. A switch's root key is often stored in the system. If a malicious user obtains the root key, any encrypted data will become vulnerable. To address this issue and improve data security, you can replace the default root key with another one.
The root key can only be configured when the switch has no service configuration. If service configuration has been performed on the switch, an error message will be displayed when you configure the root key.
If you configure a password (not the administrator password) and key after configuring the root key, the password and key configuration will not be restored after the switch software version is changed to V200R009 or an earlier version.
After the root key is configured, the configuration file of the switch cannot be exported and used on other devices.