Cisco ISR 4000 series Configuration Manual page 28

Integrated services routers cc configuration guide

Cisco ISR 4000 Family Routers Administrator Guidance
TOE-common-criteria(config)#username name secret {0 password | 4 secret-string | 5 SHA256 secret-string}
To store the enable password in non-plaintext form, use the 'enable secret' command when setting
the enable password. The enable password can be entered as plaintext, or as an MD5 hash value.
Example:
TOE-common-criteria(config)#enable secret [level level] {password | 0 | 4 | 5 [encryption-type] encrypted-password}
level - (Optional) Specifies the level for which the password applies. You can specify up to sixteen privilege levels, using the numerals 0 through 15.
password - Password that will be entered.
0 - Specifies an unencrypted clear-text password. The password is converted to a SHA256 secret and gets stored in the router.
4 - Specifies an SHA256 encrypted secret string. The SHA256 secret string is copied from the router configuration.
5 - Specifies a message digest algorithm 5 (MD5) encrypted secret.
encryption-type - (Optional) Cisco-proprietary algorithm used to encrypt the password. The encryption types available for this command are 4 and 5. If you specify a value for the encryption-type argument, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).
encrypted-password - Encrypted password that is copied from another router configuration.
Use of enable passwords is not necessary, so all administrative passwords can be stored as SHA-256 if enable passwords are not used.
Note: Cisco no longer recommends that the 'enable password' command be used to configure a password for privileged EXEC mode. The password that is entered with the 'enable password' command is stored as plain text in the configuration file of the networking device. If passwords were created with the 'enable password' command, they can be hashed by using the 'service password-encryption' command. Instead of using the 'enable password' command, Cisco recommends using the 'enable secret' command because it stores a SHA-256 hash value of the password.
To have IKE preshared keys stored in encrypted form, use the 'password encryption aes' command to enable the functionality and the 'key config-key password-encrypt' command to set the master password used to encrypt the preshared keys. The preshared keys will then be stored encrypted with the symmetric cipher Advanced Encryption Standard (AES).
TOE-common-criteria(config)# password encryption aes
TOE-common-criteria(config)# key config-key password-encrypt [text]
Note: Details for the password encryption aes command can be found in [8], under Reference Guides > Command References > Security and VPN > See manual Cisco IOS Security Command Reference: Commands M to R.
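An added example, not part of the Cisco guidance: a Python audit of a saved configuration against the storage rules above (plaintext 'enable password', 'username ... password', type 5 MD5 secrets, and IKE preshared keys without 'password encryption aes'). The sample configuration is constructed, and the rule ids and the matching of preshared keys on 'crypto isakmp key' lines are assumptions of this example.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname TOE-common-criteria
enable password Examp1ePlain
enable secret 5 $1$CONSTRUCTED$notARealHashValue
username admin secret 4 ConstructedSha256SecretString
username backup password 0 Examp1ePlain
crypto isakmp key ExamplePSK address 192.0.2.10
"""

# Per-line rules: (rule id, pattern, finding text). Rule ids are this example's own.
LINE_RULES = [
    ("enable-password", re.compile(r"^enable password\b"),
     "'enable password' is stored as plain text; use 'enable secret'"),
    ("username-password", re.compile(r"^username \S+ (.* )?password "),
     "username uses 'password' instead of 'secret'"),
    ("md5-secret",
     re.compile(r"^(enable secret (level \d+ )?|username \S+ (.* )?secret )5 "),
     "secret is type 5 (MD5), not the type 4 (SHA256) form the guide describes"),
]
# Assumption: IKE preshared keys appear as 'crypto isakmp key ...' lines.
PSK_LINE = re.compile(r"^crypto isakmp key\b")
AES_LINE = re.compile(r"^password encryption aes$")


def audit_config(text):
    """Return (line_number, rule_id, message) findings for a configuration."""
    lines = [line.strip() for line in text.splitlines()]
    findings = []
    for num, line in enumerate(lines, start=1):
        for rule_id, pattern, message in LINE_RULES:
            if pattern.search(line):
                findings.append((num, rule_id, message))
    # Preshared keys are stored encrypted only once AES password encryption is on.
    if not any(AES_LINE.match(line) for line in lines):
        for num, line in enumerate(lines, start=1):
            if PSK_LINE.match(line):
                findings.append((num, "psk-not-encrypted",
                                 "IKE preshared key without 'password encryption aes'"))
    return findings


if __name__ == "__main__":
    for num, rule_id, message in audit_config(SAMPLE_CONFIG):
        print(f"line {num}: [{rule_id}] {message}")
```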