Forum Discussion

amolari_4313
Dec 06, 2013

encryption of sensitive data in configuration

When configuring, for example, an AAA RADIUS shared secret in APM, the value is masqueraded in the GUI and encrypted (?) in the configuration file. With iApp it's not. Also, in iRules, I haven't found a way to protect sensitive data. Can someone tell me how such a shared secret is encrypted/encoded in the configuration data, if the iApp "limitation" will be fixed, and if there's a way to protect sensitive data in iRules? Thank you

 

3 Replies

  • Re the AES:: commands - I think you should use the CRYPTO:: commands over AES if possible (you are on v11.1 or more). The AES:: implementation, I have been told, is a little... 'flaky'.

     

  • I do know one way to hide sensitive data in an iRule - hide it in the session table, so it lives only in memory and doesn't appear in the config files.

    To do this you will need to create a "Control Plane" VIP to update the data. This VIP would be internal-facing, source IP restricted and maybe client cert protected (you wouldn't want just anybody accessing it). It wouldn't have a pool associated - just an iRule:

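    when HTTP_REQUEST {
        # Read the key name and its value from the request's query string
        set key [URI::query [HTTP::uri] "key"]
        set value [URI::query [HTTP::uri] "value"]

        # Set the key value in session table
        table set $key $value indefinite

        # Record which client changed which key (the value is not logged)
        log local0. "Key $key updated by [IP::remote_addr]"
    }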
    

    Then in other iRules that need to use that data, you would reference [table lookup "blah"], where 'blah' was the value of the 'key' query parameter in the control plane iRule.
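
A variant of the approach in the reply above, as an added example that is not part of the original post or F5's own code: the control-plane iRule takes the value from a POST body instead of the query string and restricts key names, and a consuming iRule handles a missing table entry. The key names `radius_secret` and `api_token`, the 1024-byte limit and the `X-Api-Token` header are assumptions made for illustration.

```tcl
# --- iRule 1: control-plane virtual server (no pool attached) ---
when HTTP_REQUEST {
    # Accept only POST so the secret travels in the body, not in the URI
    # (request URIs commonly end up in access logs).
    if { [HTTP::method] ne "POST" } {
        HTTP::respond 405 content "POST only\n"
        return
    }
    set len [HTTP::header value "Content-Length"]
    # Assumed limit: secrets are short; reject missing or oversized bodies.
    if { ![string is integer -strict $len] || $len < 1 || $len > 1024 } {
        HTTP::respond 400 content "bad length\n"
        return
    }
    HTTP::collect $len
}

when HTTP_REQUEST_DATA {
    # Key name still comes from the query string; the secret is the body.
    set key [URI::query [HTTP::uri] "key"]
    # Allow-list of key names (hypothetical names for this example).
    if { [lsearch -exact {radius_secret api_token} $key] < 0 } {
        HTTP::respond 400 content "unknown key\n"
        return
    }
    table set $key [HTTP::payload] indefinite
    # Log who changed which key, never the value.
    log local0. "Key $key updated by [IP::remote_addr]"
    HTTP::respond 200 content "ok\n"
}

# --- iRule 2: application virtual server that uses the secret ---
when HTTP_REQUEST {
    # -notouch: a read should not change the entry's timers.
    set secret [table lookup -notouch "api_token"]
    if { $secret eq "" } {
        # The entry exists only in memory, so it is absent until the
        # control-plane VIP has been called to load it.
        log local0. "api_token not loaded; rejecting request"
        HTTP::respond 503 content "Service not ready\n"
        return
    }
    # Hypothetical use: pass the secret to the backend in a header.
    HTTP::header replace "X-Api-Token" $secret
}
```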