Hi Derek,

RSA keys are stored in private NVRAM space not accessible from the command line.
You cannot display the private key using the command line, but once your router is
stolen there is a chance to get the private key from NVRAM using some
programmable devices (like EEPROM readers).

To further secure your private key you must encrypt it in storage. Once you
use the 'crypto key encrypt' command, the private key will be encrypted (using
AES I believe) and stored in NVRAM. This key must be Unlocked to be used by
any process on the router (including ISAKMP). When you reload the router,
the key will be Locked and you must unlock it to make it available to crypto
processes on the router.

The export command is just for exporting the key (the original key is still
there) so it can be imported on another device or backed up.

Regards,
Piotr
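As an added illustration of the two mechanisms discussed above (example configuration written for this reply, not part of the original thread): the key label myCA comes from Derek's generate command, the passphrases are placeholders, and the show output is abbreviated and constructed.

```cisco
! Added example: lifecycle of a protected RSA key pair on an IOS router.
! Label "myCA" is from Derek's message; the passphrases are placeholders.

! 1) Generate an exportable general-purpose pair. It lands in private
!    NVRAM and is not listed by "dir nvram:" or shown in the running-config.
Router(config)# crypto key generate rsa general-keys label myCA modulus 1024 exportable

! 2) Encrypt the private key in storage. "write" saves the encrypted form
!    to NVRAM at once; without it you must "write memory" yourself.
Router(config)# crypto key encrypt write rsa name myCA passphrase S3cretPassphrase

! Check the protection state (constructed, abbreviated output). The key
! stays usable (UNLOCKED) until a reload or an explicit lock.
Router# show crypto key mypubkey rsa
% Key pair was generated at: 20:29:41 UTC Sep 23 2011
Key name: myCA
Usage: General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is exportable.

! Lock it by hand (the state it comes up in after a reload): ISAKMP, SSH
! and anything else that needs the key fails until it is unlocked.
Router(config)# crypto key lock rsa name myCA passphrase S3cretPassphrase

! After a reload, or after the lock above, restore service:
Router(config)# crypto key unlock rsa name myCA passphrase S3cretPassphrase

! To drop the storage protection again (e.g. before a planned migration):
Router(config)# crypto key decrypt write rsa name myCA passphrase S3cretPassphrase

! 3) Export is a separate operation: it writes a passphrase-protected PEM
!    copy (to the terminal here, or to a url:) and leaves the original in
!    place. Prefer 3des over des; single DES is a 56-bit cipher.
Router(config)# crypto key export rsa myCA pem terminal 3des ExportPassphrase
```

Step 2 protects the copy that lives on the router; step 3 protects only the copy that leaves it, which is why the two passphrases are independent.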



2011/9/23 Derek <[email protected]>

> My understanding is when you create pub/priv keys such as
> crypto key generate rsa mod 1024 general-keys exportable label myCA
>
> 1) The keys are put into NVRAM but they're hidden...yes?
>
> 2) If I want to protect my pub/priv keys it seems I can do either
> crypto key encrypt [write] rsa [name key-name] passphrase passphrase
> But what encryption method am I using to protect the keys????
>
> 3) The way I can specify key protection is using the export command
> crypto key export rsa key-label pem {terminal | url url} {3des | des}
> passphrase
> In this method we can specify des or 3des for key protection AND a password
>
> Also if I specify the URL in this method as nvram the keys show up with
> dir nvram.
>
> What is the difference between 2) and 3) as far as key protection and why
> can I not see the encryption keys in nvram when I create them initially?
>
> Please advise
> THANKS!
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>