CCNP Security - Interview Questions
Explain service password-encryption
The first method Cisco provides is the global configuration command service password-encryption. Once enabled, it rewrites every clear-text password in the configuration (the enable password, username passwords and line passwords) as a "type 7" string produced by a simple Vigenère-style cipher, in practice a fixed-key XOR over the password bytes. You enable it from global configuration mode.
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#^Z
A show run now displays the passwords in encoded (type 7) form rather than in human-readable clear text:
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password 7 02030A5A46160E325F59060B01
!
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
line con 0
 exec-timeout 5 0
 password 7 110A160B041D0709493A2A373B243A3017
 login local
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 0005061E494B0A151C36435C0D
 login tacacs
 transport input all
line vty 0 4
 exec-timeout 5 0
 password 7 095A5A1054151601181B0B382F
 login
 transport input ssh
The one password not affected by service password-encryption is the enable secret. It is never stored with the type 7 cipher at all: it is written as a salted MD5 hash (type 5, the $1$ prefix above), which cannot be reversed; the router verifies a login by hashing the candidate password and comparing the result. (Newer IOS releases also offer the stronger type 8 PBKDF2-SHA-256 and type 9 scrypt hashes through the algorithm-type keyword.)
 
Although service password-encryption is beneficial and should be enabled on every router, remember that the cipher behind it is trivially reversible: the key is fixed and publicly known, so any type 7 string decodes instantly, and commercial tools as well as freely available Perl scripts do exactly that. The command therefore protects only against casual viewers (someone looking over your shoulder at a show run) and not against anyone who obtains a copy of the configuration file, whether from a backup server, a TFTP transfer or a support bundle, and runs a decoder against it. Treat type 7 strings as clear text in any risk assessment. Finally, the command does not cover every secret in the configuration: SNMP community strings, for example, remain in clear text, and where RADIUS or TACACS shared keys are encoded at all they receive the same reversible type 7 treatment.
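To make the "easily reversible" point concrete, here is an added audit script (written for this page, not Cisco code or part of the original text) that implements the type 7 decoding and walks a running-config, reporting what an attacker holding the file recovers immediately. The XOR key is the well-known fixed key IOS uses; the sample configuration is the one shown above, with one constructed snmp-server community line added to illustrate the last point, and the audit_config function name and its output format are this example's own choices.

```python
import re

# Fixed key that Cisco IOS XORs against every "type 7" password.
# It is public knowledge, which is exactly why the scheme is reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset,
    the remainder is hex of (plaintext byte XOR key byte)."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed >= len(TYPE7_KEY):
        raise ValueError(f"type 7 seed {seed} out of range")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """The same XOR in the other direction; shows no secret key is involved.
    IOS itself picks seeds 0-15, decoders accept any offset into the key."""
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError("seed must be in 0..52")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, b in enumerate(plaintext.encode("ascii")))
    return f"{seed:02d}{out.hex().upper()}"


# "enable password 7 <hex>", "enable secret 5 <hash>", "tacacs-server key 7 <hex>",
# plus untyped or type 0 clear-text forms such as "password cisco".
CRED_RE = re.compile(
    r"^(?P<context>.*?\b(?:password|secret|key))\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)$")
SNMP_RE = re.compile(r"^snmp-server community\s+(?P<value>\S+)")


def audit_config(config: str) -> list[dict]:
    """Classify every stored credential in a running-config."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = SNMP_RE.match(line)
        if m:  # service password-encryption never touches community strings
            findings.append(dict(line=lineno, context="snmp-server community",
                                 storage="clear", recovered=m["value"]))
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        ptype, value, ctx = m["type"], m["value"], m["context"]
        if ptype == "7":
            # reversible encoding: recovered instantly, treat as clear text
            findings.append(dict(line=lineno, context=ctx, storage="type 7",
                                 recovered=type7_decode(value)))
        elif ptype in (None, "0"):
            findings.append(dict(line=lineno, context=ctx, storage="clear",
                                 recovered=value))
        else:
            # 5 = salted MD5-crypt, 8/9 = PBKDF2/scrypt: one-way, guessing only
            findings.append(dict(line=lineno, context=ctx, storage=f"type {ptype}",
                                 recovered=None))
    return findings


# Constructed sample: the configuration from the page, plus one SNMP line
# added here to show a secret the command leaves untouched.
SAMPLE_CONFIG = """\
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password 7 02030A5A46160E325F59060B01
!
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
snmp-server community public RO
!
line con 0
 password 7 110A160B041D0709493A2A373B243A3017
line aux 0
 password 7 0005061E494B0A151C36435C0D
line vty 0 4
 password 7 095A5A1054151601181B0B382F
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["recovered"] if f["recovered"] is not None else "(hash only)"
        print(f"line {f['line']:>2}  {f['storage']:<7}  {f['context']:<24} -> {shown}")
```

Running it against the sample prints every type 7 password from the configuration above in clear text in a fraction of a second, while the enable secret is reported as a hash only, which is the practical difference between the two storage forms that an interviewer is looking for.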