Manual Chapter : What is Secure Vault?

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 16.0.0, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

BIG-IP DNS

  • 16.0.0, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

What is Secure Vault?

Overview: Secure Vault administration

The BIG-IP system's
Secure Vault
feature provides an additional layer of security for BIG-IP and BIG-IQ systems. This additional security allows you to encrypt passwords or passphrases for individual BIG-IP configuration objects.
The Secure Vault feature is in the form of a unit key and a master key:
Unit key
Used to encrypt and decrypt the master key. Because a unit key protects the master key, unit keys must be safely stored, usually in electrically erasable programmable read-only memory (EEPROM), on hardware platforms that include EEPROM.
Master key
Used to encrypt and decrypt passwords and passphrases on individual configuration objects on the BIG-IP system, such as pools, health monitors, and SSL keys. The master key is stored in a file on the BIG-IP system.
On a BIG-IP system, encrypted passwords and passphrases for BIG-IP configuration objects appear in the system configuration files and begin with a $M$ prefix. For example:
passphrase $M$g2$UEOTKSvSN/7kasHTLIBsEw== password $M$Sx$z5wBus7I+VhvLCndYNz+Mg==
BIG-IP configuration file names include the
.conf
file extension, and the system stores them in its
/config
directory. The BIG-IP system secures access to configuration files through user authentication.

Comparison of unit and master keys

The Secure Vault feature provides security through the use of two cryptographic keys: the unit key and the master key.
The BIG-IP system stores the
master key
in its file system and the mcpd process uses it to encrypt and decrypt passwords and passphrases when loading BIG-IP system configuration files. The following table shows the important properties for each key type.
Unit key
Master key
Encrypts and decrypts the master key
Encrypts and decrypts passwords and passphrases for BIG-IP configuration objects.
Is unique to each BIG-IP or BIG-IQ system
Is shared between all high-availability (HA) BIG-IP systems configured as members of a Device Service Clustering (DSC) device group
Is a symmetric AES256 key
Is a symmetric AES128 key

Key storage locations

The master key is encrypted and then stored in the master file in the directory
/config/bigip/kstore
. The following table shows unit and master key storage locations depending on the platform type.
Platform type
Unit key
Master key
Bare-metal system
Stored in electrically erasable programmable read-only memory (EEPROM). EEPROM is hardware for storing non-volatile data and is resistant to hackers.
Stored in the master file in the directory
/config/bigip/kstore
.
vCMP host
Stored on the vCMP host in EEPROM. The purpose of the host's unit key is to encrypt and decrypt the host's master key.
Stored on the vCMP host in the master file in the directory
/config/bigip/kstore
.
vCMP guest
Stored within the mcpdb of the vCMP host.
Stored on the vCMP guest in the master file in the directory
/config/bigip/kstore
.
BIG-IP Virtual Edition (VE) system or any system without EEPROM
Stored in the hidden file named
.unitkey
in the directory
/config/bigip/kstore
.
Stored in the master file in the directory
/config/bigip/kstore
.

About MCP decryption tasks

When the BIG-IP system starts, the Master Control Program (MCP) daemon
mcpd
process reads and validates configuration files prior to loading them into running memory and performs the following decryption tasks:
  • Retrieves the unit key from its storage location.
  • Decrypts the master key using the unit key.
  • Decrypts all passwords and passphrases in system configuration files.
  • Passes decrypted passwords and passphrases to system processes such as the Traffic Management Microkernel (TMM) or the bigd monitor process.