Configuring the System Master Key

You can configure the system master key to enhance data security and reliability.

Background Information

In a real network, the network and its devices are provided and maintained by the network provider, while the data carried on it belongs to tenants. For data to be transmitted and stored securely, the keys that protect it must be under the complete control of the tenant and must not be obtainable by the network provider or by other tenants. In other words, each user needs its own key management scheme.

Users can change the system master key manually as required to enhance data security and reliability.

Procedure

  1. Run the set master-key command in the user view to set the system master key.

To delete the historical system master key (the previous key retained after a change), run the clear master-key command. Do this only when nothing encrypted under that previous key still needs to be decrypted.

    Note the following during the interactive process:
    • After the system master key is entered, the user must enter Y on the terminal to proceed to the next step. If N is entered, the system stops the current operation and exits.
    • The new master key must be entered twice. The system proceeds to the next operation only if the two entries are identical.

    If an error occurs during master key modification, the system prompts a message indicating a master key modification failure and instructs the user to retry it. If the failure persists, contact Huawei technical support personnel.

    After the master key is changed, devices can no longer share configuration files freely. If a configuration file copied from another device is specified for next startup on the local device, and the master key on the source device is neither the default master key nor present on the local device, the configuration fails to load. To resolve this problem, perform one of the following operations:
    • Change the master key on the device to be configured so that it matches the one on the device that provides the configuration file.
    • Change the master key on the device that provides the configuration file so that it matches the one on the device to be configured. Then save and export the configuration file, upload it to the device to be configured, and specify it as the configuration file for next startup.
    • Set the default master key as the master key on the device that provides the configuration file. Then save and export the configuration file, upload it to the device to be configured, and specify it as the configuration file for next startup.
    The same mismatch arises for any encrypted file copied from another device to the local device: if the master key used on the source device is neither the default master key nor present on the local device, the local device cannot decrypt the copied file. To resolve this problem, perform one of the following operations:
    • Change the master key on the local device so that it matches the one on the device that provides the encrypted file.
    • Change the master key on the device that provides the encrypted file so that it matches the one on the local device. Then export the encrypted file again and upload it to the local device.
    • Set the default master key as the master key on the device that provides the encrypted file. Then export the encrypted file again and upload it to the local device for decryption.

  2. (Optional) Run the set master-key auto-update interval interval-time command in the system view to enable automatic update of the system master key and set the update interval.

    The system master key is either the default master key or a manually configured master key.

    The default master key is present on every device, so data protected by it is not bound to a particular user, and if it is used for a long time it may be stolen or cracked. A manually configured master key likewise needs to be changed and maintained periodically.

    To reduce the manual maintenance workload, run the set master-key auto-update interval interval-time command to enable automatic update of the master key. The system then generates a new master key, a string of 32 characters, at each interval.

    To disable automatic update, run the undo set master-key auto-update [ interval interval-time ] command. After automatic update is disabled, the most recent master key is retained and is no longer updated automatically.
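    The key-mismatch rules in step 1 and the rotation behaviour in step 2, modelled as an added example. This is not Huawei code and does not reproduce the device's real cipher or file format. Everything below the page does not state is an assumption: the master key acts as a key-encryption key for file contents, each encrypted blob records a short id of the master key that produced it, the placeholder DEFAULT_MASTER_KEY stands in for the factory default, and the cipher is an HMAC-SHA256 keystream with an HMAC tag, chosen only so the example runs with the Python standard library. The demo() function reproduces the load failure on a device that lacks the source key, then applies fix 1 (match the source key locally) and fix 3 (re-export under the default key); fix 2 is the mirror image of fix 1.

```python
import hashlib
import hmac
import secrets
import string

# Placeholder for the factory default master key (assumption: present on every device).
DEFAULT_MASTER_KEY = "default-master-key"


def key_id(master_key: str) -> str:
    """Short identifier stored with ciphertext to name the key that produced it."""
    return hashlib.sha256(master_key.encode()).hexdigest()[:16]


def _keystream(master_key: str, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy cipher chosen for stdlib-only portability."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(master_key.encode(), block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master_key: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under the master key; the blob records its key id."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(master_key, nonce, len(plaintext))))
    tag = hmac.new(master_key.encode(), nonce + ct, hashlib.sha256).digest()
    return {"kid": key_id(master_key), "nonce": nonce, "ct": ct, "tag": tag}


def decrypt(master_key: str, blob: dict) -> bytes:
    """Check the tag before decrypting: a wrong key or a modified blob is rejected."""
    expected = hmac.new(master_key.encode(), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed: wrong master key or corrupted file")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(master_key, blob["nonce"], len(blob["ct"]))))


class Device:
    """One device's master-key state: the current key plus the retained history."""

    def __init__(self):
        self.current = DEFAULT_MASTER_KEY
        self.history = []  # previous keys, kept so files encrypted earlier still load

    def set_master_key(self, first_entry: str, second_entry: str, confirm: str) -> bool:
        """Mirror the interactive flow: Y/N confirmation, then two identical entries."""
        if confirm.strip().upper() != "Y":
            return False  # the user answered N: operation aborted, key unchanged
        if first_entry != second_entry:
            raise ValueError("the two master key entries differ; nothing changed")
        self._rotate(first_entry)
        return True

    def auto_update(self) -> str:
        """Generate a fresh 32-character key, as the automatic update function does."""
        new_key = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
        self._rotate(new_key)
        return new_key

    def clear_master_key(self):
        """Model of clear master-key: drop the historical keys (their files no longer load)."""
        self.history.clear()

    def _rotate(self, new_key: str):
        if new_key != self.current:
            self.history.append(self.current)
            self.current = new_key

    def load_encrypted_file(self, blob: dict) -> bytes:
        """Look for the key the blob names among current, history and the default."""
        for candidate in [self.current, *self.history, DEFAULT_MASTER_KEY]:
            if key_id(candidate) == blob["kid"]:
                return decrypt(candidate, blob)
        raise KeyError(f"master key {blob['kid']} is not present on this device")


def demo() -> bool:
    """Reproduce the mismatch and two of the three fixes; returns True if all behave."""
    secret = b"constructed sample: one password line from a configuration file"
    source, target = Device(), Device()
    source.set_master_key("Tenant-A-Key", "Tenant-A-Key", "Y")
    exported = encrypt(source.current, secret)
    try:
        target.load_encrypted_file(exported)  # source key is unknown on the target
        return False
    except KeyError:
        pass
    target.set_master_key("Tenant-A-Key", "Tenant-A-Key", "Y")  # fix 1: match the source key
    fix1 = target.load_encrypted_file(exported) == secret
    source.set_master_key(DEFAULT_MASTER_KEY, DEFAULT_MASTER_KEY, "Y")  # fix 3: re-export under default
    fix3 = Device().load_encrypted_file(encrypt(source.current, secret)) == secret
    return fix1 and fix3


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

    Two details worth noticing when running it: a file encrypted under a key that has since been rotated away still loads because the previous key is kept in the history, and it stops loading the moment clear_master_key() discards that history, which is the practical reason to be deliberate about clear master-key.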

Checking the Configurations

When the preceding configuration is complete, you can run the following commands to check the configuration.
  • Run the display master-key configuration command to check the configuration of the system master key.

    In VS mode, this command is supported only by the admin VS.

  • Run the display master-key version command to display the KMC versions of all boards on a device.

    In VS mode, this command is supported only by the admin VS.

Copyright © Huawei Technologies Co., Ltd.