
V-220142

CAT II (Medium)

The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.

Rule ID

SV-220142r961863_rule

STIG

Juniper Router NDM Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

By default, shared secrets in a Junos configuration use only an obfuscation algorithm ($9$ format), which is not very strong and can easily be decrypted. Strong encryption for configured secrets can be enabled by configuring a master password, which is used as input to the password-based key derivation function (PBKDF2) to generate an encryption key. That key is used as input to the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM).

Check Content

Verify that a master password has been configured by entering the following command:
show configuration system master-password

The output will appear as follows: 
password-configured;

Note: The master password is hidden from the configuration.

If a master password has not been configured, this is a finding.
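
The following is an added example, not part of the STIG or of any Juniper tooling: a Python check that evaluates saved output of the command above and, going one step beyond the stated check, lists configuration lines that still carry secrets in the `$9$` format the Discussion describes. The function names and the sample configuration are constructed for illustration.

```python
import re

# Quoted secret in the $9$ obfuscated format named in the Discussion.
OBFUSCATED = re.compile(r'"\$9\$[^"]+"')

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = '''\
system {
    radius-server {
        192.0.2.10 secret "$9$CONSTRUCTEDexample"; ## SECRET-DATA
    }
    ntp {
        authentication-key 1 type md5 value "$9$CONSTRUCTEDvalue2"; ## SECRET-DATA
    }
}
'''


def master_password_configured(check_output):
    """True when saved output of `show configuration system master-password`
    contains the `password-configured;` statement from the Check Content."""
    return "password-configured;" in (ln.strip() for ln in check_output.splitlines())


def obfuscated_secrets(config_text):
    """Return (line_number, statement) for each line holding a $9$ secret.
    The secret value is masked so the report itself does not leak it."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        if OBFUSCATED.search(line):
            hits.append((number, OBFUSCATED.sub('"$9$<redacted>"', line).strip()))
    return hits


def audit(check_output, config_text):
    """Combine both checks; `finding` follows the STIG rule, the list is informational."""
    return {
        "finding": not master_password_configured(check_output),
        "obfuscated_secrets": obfuscated_secrets(config_text),
    }


if __name__ == "__main__":
    # Empty check output models a router with no master password configured.
    for output in ("password-configured;\n", ""):
        print(audit(output, SAMPLE_CONFIG))
```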

Fix Text

Configure the master password to be used to generate encrypted keys for shared secrets as shown in the example below.

[edit]
set system master-password plain-text-password    
Master password: xxxxxxxxxx
Repeat master password: xxxxxxxxxx