AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 27 FIPS Management
Encrypting Sensitive Data in FIPS Mode
Procedure
mail.example.com> fipsconfig
FIPS mode is currently disabled.
Choose the operation you want to perform:
- SETUP - Configure FIPS mode.
- FIPSCHECK - Check for FIPS mode compliance.
[]> setup
To finalize FIPS mode, the appliance will reboot immediately. No commit will be required.
Are you sure you want to enable FIPS mode and reboot now ? [N]> y
Do you want to enable encryption of sensitive data in configuration file when FIPS mode is
enabled? Changing the value will result in system reboot [N]> n
Enter the number of seconds to wait before forcibly closing connections.
[30]>
System rebooting. Please wait while the queue is being closed...
Closing CLI connection.
Rebooting the system...
Encrypting Sensitive Data in FIPS Mode
Use the fipsconfig command to encrypt sensitive data, such as passwords and keys, in your appliance.
If you enable this option:

- The following critical security parameters in your appliance are encrypted and stored:
  - Certificate private keys
  - RADIUS passwords
  - LDAP bind passwords
  - Local users' password hashes
  - SNMP password
  - DK/DKIM signing keys
  - Outgoing SMTP authentication passwords
  - PostX encryption keys
  - PostX encryption proxy password
  - FTP Push log subscriptions' passwords
  - IPMI LAN password
  - Updater server URLs

  Note: All users, including administrators, cannot view the sensitive information in the configuration files.

- Swap space in your appliance is encrypted to prevent any unauthorized access or forensic attacks if the physical security of the appliance is compromised.