Usage Scenario
In an actual network environment, the network and devices are provided and maintained by network providers, while the data belongs to tenants. To secure data transmission and storage on the network, keys must be under the complete control of the specific tenant and must not be obtainable by network providers or other tenants. In other words, tenants need their own key management schemes. Tenants can manually change the system master key as required to improve data security and reliability.
Implementation Procedure
After a user runs this command, the system interactively guides the user through restoring the default system master key. The information entered is not displayed on the terminal interface.
During the interactive process, the system prompts the user to input a password. Note the following:
- The password that a user needs to input is the current user password, not the current system master key. If the current system master key is input instead, the master key configuration does not take effect.
- If a user inputs an incorrect user password multiple times, the system locks the current user and forcibly logs the user out.
After the master key is successfully changed, the system automatically saves the configuration.
Precautions
The master key value is a string of 20 to 32 characters and must be a combination of uppercase letters, lowercase letters, digits, and special characters.
Users logging in using passwords or AAA authentication mode can use this command to configure the system master key.
After the historical system master key is cleared with clear master-key, configuration files generated under historical master keys can no longer be decrypted.
Note the following during the interactive process:
- If the current system master key is not the default one, users need to input the current system master key for identity authentication before changing the master key.
- After the system master key is input, users need to input Y on the terminal interface to proceed to the next step. If a user inputs N, the system stops the current operation and exits.
- A user needs to input the new master key twice. The system proceeds to the next operation only when the two input master keys are identical.
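Because the new master key is typed twice at a prompt that does not echo input, it is worth validating a candidate key offline against the precautions above before starting the interactive session. The following is an added example (not Huawei's code); it assumes that "a combination of" means all four character classes are required, that "special character" means any printable non-alphanumeric ASCII character, and it rejects whitespace and non-ASCII characters because they are hard to re-enter reliably at a non-echoing prompt.

```python
import string

MIN_LEN, MAX_LEN = 20, 32
# Assumption: any printable non-alphanumeric ASCII character counts as "special".
SPECIALS = set(string.punctuation)
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)


def check_master_key(candidate: str) -> list[str]:
    """Return the list of policy violations for a candidate master key.

    An empty list means the candidate satisfies every rule checked here.
    """
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length {len(candidate)} is outside {MIN_LEN}-{MAX_LEN}")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    # Assumption: whitespace, control and non-ASCII characters are rejected because
    # they cannot be confirmed visually when the terminal does not echo the input.
    if any(c not in ALLOWED for c in candidate):
        problems.append("contains whitespace, control or non-ASCII characters")
    return problems


def confirm_entries(first: str, second: str) -> bool:
    """Mirror the device's two-entry step: both entries must match exactly and
    the key must pass the policy check, otherwise the change should not proceed."""
    return first == second and not check_master_key(first)


if __name__ == "__main__":
    # Constructed sample values for a quick self-check.
    for sample in ("Str0ng!MasterKey#2024xyz", "OnlyLettersAndSymbols!!!!", "Ab1!"):
        print(sample, "->", check_master_key(sample) or "OK")
```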
If an error occurs during master key modification, the system prompts a message indicating a master key modification failure and instructs the user to retry it. If the failure persists, contact Huawei technical support personnel.
After the master key is modified, devices cannot share configuration files. If a configuration file copied from another device is specified for next startup on the local device, and the master key on the source device is not the default master key and does not exist on the local device, the configuration fails. To resolve this problem, perform one of the following operations:
- Change the master key on the device to be configured to be the same as that on the device that provides the configuration file.
- Change the master key on the device that provides the configuration file to be the same as that on the device to be configured. After that, save and export the configuration file, upload it to the device to be configured, and specify the configuration file for next startup.
- Specify the default master key as the master key on the device that provides the configuration file. After that, save and export the configuration file, upload it to the device to be configured, and specify the configuration file for next startup.
After the master key is changed and a configuration file is copied from another device to the local device for next startup, if the master key on the source device is not the default master key and does not exist on the local device, the local device cannot decrypt the copied file due to master key mismatch. To resolve this problem, perform one of the following operations:
- Change the master key on the local device to be the same as that on the device that provides the encrypted file.
- Change the master key on the device that provides the encrypted file to be the same as that on the local device. After that, export the encrypted file and upload it to the local device.
- Specify the default master key as the master key on the device that provides the encrypted file. After that, export the encrypted file and upload it to the local device for decryption.