10-31-2016 02:22 PM
Hello Friends -
I am trying to figure out a good place to store our device passwords, such as md5 and enable secret, etc. that would be used in a script that changes these on the devices at a regular interval. The first thought was to store in a list, but as it turns out anyone with Default access can read lists. We don't want to hard-code in the script, since these are to change every 'x' days.
I thought about storing in the CLI Vendor Default credentials, but can't find a method of decrypting the PasswordSecure data that is returned. Is there a way to decrypt?
Basically need a place that only folks with read-only sensitive authorization (or higher) can get to and see and update. I know that best practice would be to only prompt in the script for the passwords, but in reality that only breeds a million desktop sticky notes.
Thoughts and ideas are welcome!
11-10-2016 09:08 AM
Not hard coding in a script per se, but you could create a library that defines the various credentials as variables, then include that single library and use those variables in your scripts. This requires using Perl scripts.
11-10-2016 10:59 AM
I don't know if that will suit the auditor yet, but it meets my criteria of anyone with read-only sensitive or higher would be able to access.
11-16-2016 06:47 AM
Lon, this is an interesting requirement. In theory we could add a secrets API that allows you to store arbitrary secrets in the same encrypted way we store other credentials. May be a good RFE.