Manual Chapter: What is Secure Vault?
Applies To:
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
What is Secure Vault?
Overview: Secure Vault administration
The BIG-IP system's Secure Vault feature provides an additional layer of security for BIG-IP and BIG-IQ systems: it lets you encrypt the passwords and passphrases of individual BIG-IP configuration objects instead of storing them in plaintext. The Secure Vault feature consists of two keys, a unit key and a master key:
- Unit key
- Used to encrypt and decrypt the master key. Because a unit key protects the master key, unit keys must be safely stored, usually in electrically erasable programmable read-only memory (EEPROM), on hardware platforms that include EEPROM.
- Master key
- Used to encrypt and decrypt passwords and passphrases on individual configuration objects on the BIG-IP system, such as pools, health monitors, and SSL keys. The master key is stored in a file on the BIG-IP system.
On a BIG-IP system, encrypted passwords and passphrases for BIG-IP configuration objects appear in the system configuration files and begin with a $M$ prefix. For example:
passphrase $M$g2$UEOTKSvSN/7kasHTLIBsEw==
password $M$Sx$z5wBus7I+VhvLCndYNz+Mg==
BIG-IP configuration file names include the .conf file extension, and the system stores them in its /config directory. The BIG-IP system secures access to configuration files through user authentication.

Comparison of unit and master keys
The Secure Vault feature provides security through the use of two cryptographic keys: the unit key and the master key. The BIG-IP system stores the master key in its file system, and the mcpd process uses it to encrypt and decrypt passwords and passphrases when loading BIG-IP system configuration files. The following table shows the important properties of each key type.

Unit key | Master key
---|---
Encrypts and decrypts the master key | Encrypts and decrypts passwords and passphrases for BIG-IP configuration objects
Is unique to each BIG-IP or BIG-IQ system | Is shared between all high-availability (HA) BIG-IP systems configured as members of a Device Service Clustering (DSC) device group
Is a symmetric AES256 key | Is a symmetric AES128 key
Key storage locations
The master key is encrypted and then stored in the master file in the directory /config/bigip/kstore. The following table shows unit and master key storage locations depending on the platform type.

Platform type | Unit key | Master key
---|---|---
Bare-metal system | Stored in electrically erasable programmable read-only memory (EEPROM). EEPROM is hardware for storing non-volatile data and is resistant to hackers. | Stored in the master file in the directory /config/bigip/kstore.
vCMP host | Stored on the vCMP host in EEPROM. The purpose of the host's unit key is to encrypt and decrypt the host's master key. | Stored on the vCMP host in the master file in the directory /config/bigip/kstore.
vCMP guest | Stored within the mcpdb of the vCMP host. | Stored on the vCMP guest in the master file in the directory /config/bigip/kstore.
BIG-IP Virtual Edition (VE) system or any system without EEPROM | Stored in the hidden file named .unitkey in the directory /config/bigip/kstore. | Stored in the master file in the directory /config/bigip/kstore.
About MCP decryption tasks
When the BIG-IP system starts, the Master Control Program (MCP) daemon, the mcpd process, reads and validates configuration files prior to loading them into running memory and performs the following decryption tasks:
- Retrieves the unit key from its storage location.
- Decrypts the master key using the unit key.
- Decrypts all passwords and passphrases in system configuration files.
- Passes decrypted passwords and passphrases to system processes such as the Traffic Management Microkernel (TMM) or the bigd monitor process.
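The boot-time sequence above, together with the unit-key/master-key hierarchy described earlier, modelled as an added example (this is not F5's code; AES-GCM, the nonce||ciphertext||tag layout and the base64 text after the $M$ prefix are assumptions of the model, since the chapter specifies only the two key sizes and the prefix):

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Model of the Secure Vault key hierarchy: a 32-byte (AES256) unit key wraps
# a 16-byte (AES128) master key, and the master key encrypts per-object
# passphrases that are written to the configuration with the $M$ prefix.
# AES-GCM and the nonce||ciphertext||tag layout are assumptions of this model.
module VaultModel
  PREFIX = '$M$'

  # Seal plaintext under key with a fresh 12-byte nonce; returns nonce||ct||tag.
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-gcm").encrypt
    c.key = key
    nonce = SecureRandom.random_bytes(12)
    c.iv = nonce
    ct = c.update(plaintext) + c.final
    nonce + ct + c.auth_tag
  end

  # Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or an
  # altered blob because the GCM tag no longer verifies.
  def self.unseal(key, blob)
    raise ArgumentError, 'blob too short' if blob.bytesize < 28
    c = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-gcm").decrypt
    c.key = key
    c.iv = blob.byteslice(0, 12)
    c.auth_tag = blob.byteslice(-16, 16)
    c.update(blob.byteslice(12, blob.bytesize - 28)) + c.final
  end

  # Write path: encrypt an object passphrase under the master key and add the
  # $M$ prefix so a loader can tell an encrypted value from a plaintext one.
  def self.protect(master_key, passphrase)
    PREFIX + Base64.strict_encode64(seal(master_key, passphrase))
  end

  # The mcpd boot sequence in miniature: unit key -> master key -> passphrase.
  # Returns the passphrase, or a symbol naming where the sequence stopped: a
  # value without the prefix is plaintext, and a replaced or lost unit key (or
  # a damaged master file) makes every passphrase under it unrecoverable.
  def self.reveal(unit_key, wrapped_master, field)
    return :plaintext unless field.start_with?(PREFIX)
    master = unseal(unit_key, wrapped_master)
    unseal(master, Base64.strict_decode64(field.delete_prefix(PREFIX)))
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    :unrecoverable
  end
end
```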