Thanks Tyson. Hence the RSA keys can be exported to flash but not stored or generated on flash as it is not a secure space. Am I right?
With regards
Kings

On Tue, Sep 21, 2010 at 9:13 PM, Tyson Scott <[email protected]> wrote:
> I will be honest, I only half read this email. I was thinking of
> certificates. You can store the RSA keys either on a secure USB token or in
> the NVRAM. Making sure to mark the keys as exportable will allow you to
> export them to flash or an external server. But the initial creation should
> be in the private-config or usbtoken.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Tuesday, September 21, 2010 10:09 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] RSA key storage location on IOS router
>
> Hi Tyson
>
> How do I make flash the storage location? I see examples on Cisco sites
> specifying flash as the storage location for the RSA keys. Why is it failing
> for me? Am I missing something?
>
> With regards
> Kings
>
> On Tue, Sep 21, 2010 at 6:54 PM, Tyson Scott <[email protected]> wrote:
>
> It all depends on device security, both remote access and physical
> security. NVRAM is not a smart place to store a lot of stuff. And if you
> only store it in the NVRAM you have the risk of failed devices. I
> personally don't think it is a wise practice to follow, but that is my
> opinion.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Tuesday, September 21, 2010 8:30 AM
> *To:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] RSA key storage location on IOS router
>
> If I configure a trustpoint with enrollment as "self" and enroll it, the
> generated RSA keys show the storage location as "Storage Device: not specified".
>
> crypto pki trustpoint self
>  enrollment selfsigned
>  revocation-check crl
>  on flash:
>
> With regards
> Kings
>
> On Tue, Sep 21, 2010 at 5:29 PM, Kingsley Charles <[email protected]> wrote:
>
> Hi all
>
> When we create RSA keys without a storage location, the location is nothing.
> After I issue a "wr mem" the keys are stored in the private-config file that
> is present in the NVRAM. The pro
>
> router3#sh crypto key mypubkey rsa
> % Key pair was generated at: 11:40:19 UTC Sep 21 2010
> Key name: TP-self-signed-1104275031
> Storage Device: not specified
> Usage: General Purpose Key
> Key is not exportable.
> Key Data:
>  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AD890E
>  C102E654 76405AE5 D14372C8 227B9FEB 3E79A8D6 BB999B47 4B13041B AB07308C
>  CD7E1CF1 4F16FBD7 D8EC605D 0890336C E64F7596 11B77A5D 98BA77E1 B52745A9
>  53C61A64 05C46D16 A5BE68CD 2F61D639 9692EA69 CB112C00 22FEB988 CD67C073
>  B25AB5DF F6895460 CDAE424E FC0898CD 0E07E12C CA16FBF0 AC086606 65020301
>  0001
> % Key pair was generated at: 11:40:21 UTC Sep 21 2010
> Key name: TP-self-signed-1104275031.server
> Temporary key
> Usage: Encryption Key
> Key is not exportable.
> Key Data:
>  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00CBE2FD 5440F579
>  073C3B9B 1A5DE0A4 0742B3C1 12451E15 E5592B0B FD7A8E97 F896A325 7CE09285
>  3A8F6BAE 3377B387 80C21573 A1417E8A 45B9C3E7 8767791C 0C261246 0CB465C3
>  2076A5B4 3BC1568F 53284B8B 7618EB64 AAA58072 AC590867 BF020301 0001
> router3#wr mem
> Building configuration...
> [OK]
>
> router3#sh crypto key mypubkey rsa
> % Key pair was generated at: 11:40:19 UTC Sep 21 2010
> Key name: TP-self-signed-1104275031
> Storage Device: private-config
> Usage: General Purpose Key
> Key is not exportable.
> Key Data:
>  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AD890E
>  C102E654 76405AE5 D14372C8 227B9FEB 3E79A8D6 BB999B47 4B13041B AB07308C
>  CD7E1CF1 4F16FBD7 D8EC605D 0890336C E64F7596 11B77A5D 98BA77E1 B52745A9
>  53C61A64 05C46D16 A5BE68CD 2F61D639 9692EA69 CB112C00 22FEB988 CD67C073
>  B25AB5DF F6895460 CDAE424E FC0898CD 0E07E12C CA16FBF0 AC086606 65020301
>  0001
> % Key pair was generated at: 11:40:21 UTC Sep 21 2010
> Key name: TP-self-signed-1104275031.server
> Temporary key
> Usage: Encryption Key
> Key is not exportable.
> Key Data:
>  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00CBE2FD 5440F579
>  073C3B9B 1A5DE0A4 0742B3C1 12451E15 E5592B0B FD7A8E97 F896A325 7CE09285
>  3A8F6BAE 3377B387 80C21573 A1417E8A 45B9C3E7 8767791C 0C261246 0CB465C3
>  2076A5B4 3BC1568F 53284B8B 7618EB64 AAA58072 AC590867 BF020301 0001
>
> I am trying to save the keys to flash but it fails.
>
> router3(config)#crypto key generate rsa storage flash:
> The name for the keys will be: router3.router3.com
> Choose the size of the key modulus in the range of 360 to 2048 for your
>  General Purpose Keys. Choosing a key modulus greater than 512 may take
>  a few minutes.
>
> How many bits in the modulus [512]:
> Device flash is not a valid storage location for for cryptographic keypairs
>
> crypto_lib_keypair_get failed to get router3.router3.com
>
> crypto_lib_keypair_get failed to get router3.router3.com
>
> It seems flash is not a secure location for saving the private keys as it can
> be accessed by anyone. The "private-config" can't be accessed by the user,
> please have a look below:
>
> router3#more nvram:private-config
> %Error opening nvram:private-config (Permission denied)
>
> Maybe a USB token is a valid device to store the RSA keys.
>
> Please let me know your thoughts?
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
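The workflow Tyson describes (generate the pair in the private-config or on a USB token, mark it exportable at creation, then export a copy to flash or a server) as an added IOS CLI illustration. This is not output from the thread or from any Cisco document: the hostname router3, the key labels VPNKEY and TOKENKEY, the passphrase and the usbtoken0: slot are all assumed, and the commented "show" lines are the fields a practitioner would check rather than captured output.

```cisco
! Added illustration, not from the thread. Hostname, key labels, passphrase
! and USB slot are assumptions.
!
! 1. Generate the pair where IOS will accept it. With no "storage"/"on"
!    keyword the private key lands in the private-config (NVRAM) after a
!    "write memory", which is what the thread's show output confirms.
!    "exportable" must be given at generation time; an existing
!    non-exportable key cannot be made exportable afterwards.
router3(config)# crypto key generate rsa general-keys label VPNKEY exportable modulus 2048
router3(config)# end
router3# write memory
router3# show crypto key mypubkey rsa VPNKEY
! check: Storage Device: private-config
! check: Key is exportable.

! 2. Back the pair up as passphrase-protected PEM files on flash (a TFTP/SCP
!    URL works the same way). Flash is readable by anyone with exec access to
!    the file system, so use a strong passphrase and delete the .prv file
!    once it has been copied off the box.
router3(config)# crypto key export rsa VPNKEY pem url flash: 3des Str0ng-Export-Passphrase
router3# dir flash: | include VPNKEY
! expect: VPNKEY.pub and VPNKEY.prv

! 3. Restore on a replacement router. Add "exportable" on import only if the
!    restored copy must itself be exportable later.
router3(config)# crypto key import rsa VPNKEY pem url flash: exportable Str0ng-Export-Passphrase

! 4. Alternative placement on a USB eToken (platforms and images that
!    support it): the private key is generated on, and never leaves, the token.
router3(config)# crypto key generate rsa general-keys label TOKENKEY modulus 2048 on usbtoken0:
router3# show crypto key mypubkey rsa TOKENKEY
! check: Storage Device: usbtoken0:
```

Note that the export in step 2 is the only way a copy ends up on flash; asking for "storage flash:" at generation time is rejected with the "not a valid storage location" error shown in the original message, regardless of how the trustpoint is configured.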
