Manual Chapter : Overview: Secure Vault administration

Applies To:


BIG-IP LTM

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

The BIG-IP system's Secure Vault feature provides an additional layer of security for BIG-IP and BIG-IQ systems. This additional security allows you to encrypt passwords or passphrases for individual BIG-IP configuration objects.

Secure Vault is implemented as a unit key and a master key:

  • Unit key: Used to encrypt and decrypt the master key. Because a unit key protects the master key, unit keys must be safely stored, usually in electrically erasable programmable read-only memory (EEPROM), on hardware platforms that include EEPROM.
  • Master key: Used to encrypt and decrypt passwords and passphrases on individual configuration objects on the BIG-IP system, such as pools, health monitors, and SSL keys. The master key is stored in a file on the BIG-IP system.

On a BIG-IP system, encrypted passwords and passphrases for BIG-IP configuration objects appear in the system configuration files and begin with a $M$ prefix. For example:

    passphrase $M$g2$UEOTKSvSN/7kasHTLIBsEw==
    password $M$Sx$z5wBus7I+VhvLCndYNz+Mg==

BIG-IP configuration file names include the .conf file extension, and the system stores them in its /config directory. The BIG-IP system secures access to configuration files through user authentication.
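
The following check is an added example, not F5 code: it scans configuration text for password and passphrase attributes and reports which values carry the $M$ prefix, without echoing the values themselves. The $M$<tag>$<base64> layout is an assumption inferred from the two sample values above, and the object names in the sample configuration are constructed.

```python
import base64
import re

# Constructed sample configuration; object names and the plaintext value are hypothetical.
SAMPLE_CONF = """\
ltm monitor https example_monitor {
    password $M$Sx$z5wBus7I+VhvLCndYNz+Mg==
}
sys file ssl-key example.key {
    passphrase $M$g2$UEOTKSvSN/7kasHTLIBsEw==
}
ltm monitor http legacy_monitor {
    password ExamplePlaintext1
}
"""

ATTR = re.compile(r"^\s*(password|passphrase)\s+(.+?)\s*$")
# Assumed layout, inferred from the page's samples: $M$<tag>$<base64 data>
VAULT = re.compile(r"^\$M\$([^$]+)\$(.+)$")

def classify(value):
    """Return 'secure-vault', 'malformed' or 'not-secure-vault' for one value."""
    if not value.startswith("$M$"):
        return "not-secure-vault"
    m = VAULT.match(value)
    if not m:
        return "malformed"          # has the prefix but not the assumed layout
    try:
        base64.b64decode(m.group(2), validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return "malformed"
    return "secure-vault"

def audit(conf_text):
    """List (line, object, attribute, status); the secret value is never returned."""
    findings, stack = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.endswith("{"):
            stack.append(stripped[:-1].strip())   # entering an object or sub-block
        elif stripped == "}" and stack:
            stack.pop()
        elif (m := ATTR.match(line)):
            owner = stack[0] if stack else "<top level>"
            findings.append((lineno, owner, m.group(1), classify(m.group(2).strip('"'))))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

A not-secure-vault result only means the value lacks the $M$ prefix, so each such finding needs manual review.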
For the format of encrypted passwords and passphrases on a BIG-IQ system, see the section titled BIG-IQ considerations in this document.