User's Manual
Security: Secure Sensitive Data Management
Configuration Files
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Sensitive Data Zero-Touch Auto Configuration 
SSD Zero-touch Auto Configuration is the automatic configuration of target devices
with encrypted sensitive data, without the need to manually pre-configure the target
devices with the passphrase whose key is used to encrypt the sensitive data.
The device currently supports Auto Configuration, which is enabled by default. 
When Auto Configuration is enabled on a device and the device receives DHCP 
options that specify a file server and a boot file, the device downloads the boot 
file (remote configuration file) into the Startup Configuration file from a file server, 
and then reboots.
NOTE The file server may be specified by the bootp siaddr and sname
fields, as well as by DHCP option 150 and by static configuration on the device.
The user can safely auto configure target devices with encrypted sensitive data, 
by first creating the configuration file that is to be used in the auto configuration 
from a device that contains the configurations. The device must be configured and 
instructed to: 
• Encrypt the sensitive data in the file 
• Enforce the integrity of the file content 
• Include the secure authentication configuration commands and SSD rules
that properly control and secure the access to devices and the sensitive
data
If the configuration file was generated with a user passphrase and SSD file 
passphrase control is Restricted, the resulting configuration file can be
auto-configured to the desired target devices. However, for auto configuration to
succeed with a user-defined passphrase, the target devices must be manually 
pre-configured with the same passphrase as the device that generates the files, 
which is not zero touch. 
If the device creating the configuration file is in Unrestricted passphrase control 
mode, the device includes the passphrase in the file. As a result, the user can auto 
configure the target devices, including devices that are out-of-the-box or in factory 
default, with the configuration file without manually pre-configuring the target 
devices with the passphrase. This is zero touch because the target devices learn 
the passphrase directly from the configuration file. 
NOTE Devices that are out-of-the-box or in factory default states use the default 
anonymous user to access the SCP server. 
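
The following check is an added example, not part of the original guide or Cisco's own tooling. It reads the SSD header of an exported configuration file and reports whether the file is suitable for zero-touch deployment, that is, whether it carries the passphrase (Unrestricted) or requires targets to hold it already (Restricted). The header directive spellings and the sample file are assumptions constructed for illustration; the digest is a placeholder.

```python
# Added example: audit the SSD header of an exported configuration file.
# Directive spellings below are assumptions about the file format.
SAMPLE_UNRESTRICTED = """\
config-file-header
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
ssd file integrity control enabled
ssd-control-end 0123456789abcdef0123456789abcdef
!
"""  # constructed sample, digest is a placeholder
SAMPLE_RESTRICTED = SAMPLE_UNRESTRICTED.replace("unrestricted", "restricted")


def audit_ssd_header(text):
    """Report the SSD settings that decide how a boot file can be deployed."""
    r = {"ssd_block": False, "encrypted": False,
         "passphrase_control": None, "integrity": False}
    inside = False
    for raw in text.splitlines():
        line = " ".join(raw.split()).lower()  # normalise spacing and case
        if line == "file ssd indicator encrypted":
            r["encrypted"] = True
        elif line == "ssd-control-start":
            inside = r["ssd_block"] = True
        elif line.startswith("ssd-control-end"):
            inside = False
        elif inside and line.startswith("ssd file passphrase control "):
            mode = line.rsplit(" ", 1)[1]
            if mode in ("restricted", "unrestricted"):
                r["passphrase_control"] = mode
        elif inside and line == "ssd file integrity control enabled":
            r["integrity"] = True
    # Unrestricted: the passphrase is in the file, so targets need no pre-configuration.
    r["zero_touch"] = r["passphrase_control"] == "unrestricted"
    findings = []
    if not r["ssd_block"]:
        findings.append("no SSD control block")
    if not r["encrypted"]:
        findings.append("sensitive data not marked encrypted")
    if not r["integrity"]:
        findings.append("file integrity not enforced")
    if r["zero_touch"]:
        findings.append("passphrase is carried in the file")
    elif r["passphrase_control"] == "restricted":
        findings.append("targets must already hold the generating device's passphrase")
    r["findings"] = findings
    return r
```

Running it over boot files before they are placed on the file server shows which ones embed the passphrase and which ones lack integrity enforcement.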










