
V-220142

CAT II (Medium)

The Juniper router must be configured with a master password that is used to generate encrypted keys for shared secrets.

Rule ID

SV-220142r961863_rule

STIG

Juniper Router NDM Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

By default, shared secrets in a Junos configuration only use an obfuscation algorithm ($9$ format), which is not very strong and can easily be decrypted. Strong encryption for configured secrets can be enabled by configuring a master password to be used as input to the password-based key derivation function (PBKDF2) to generate an encryption key. The key is used as input to the Advanced Encryption Standard in Galois/Counter Mode (AES256-GCM).

Check Content

Verify that a master password has been configured by entering the following command:
show configuration system master-password 

The output will appear as follows: 
password-configured;

Note: The master password is hidden from the configuration.

If a master password has not been configured, this is a finding.
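
One way to automate this check over saved CLI output, as an added example that is not part of the STIG or of Juniper's tooling: it evaluates the `password-configured;` statement and, going beyond the check text, lists statements in a saved `display set` configuration that still carry `$9$` secrets, with the values redacted. The function names and sample data are constructed for illustration.

```python
import re

# Obfuscated Junos secrets carry the literal prefix $9$ (see Discussion above).
OBFUSCATED = re.compile(r'"?\$9\$[^\s";]+"?')


def master_password_configured(check_output):
    """True if `show configuration system master-password` output
    contains the `password-configured;` statement."""
    return any(line.strip() == "password-configured;"
               for line in check_output.splitlines())


def obfuscated_secrets(config_text):
    """Return (line number, redacted statement) for every line that still
    holds a $9$ secret. The secret value is never copied into the report."""
    hits = []
    for num, line in enumerate(config_text.splitlines(), start=1):
        if OBFUSCATED.search(line):
            hits.append((num, OBFUSCATED.sub('"$9$<redacted>"', line.strip())))
    return hits


def audit(check_output, config_text=""):
    """Evaluate V-220142: a finding exists when no master password is set."""
    return {
        "rule": "V-220142",
        "finding": not master_password_configured(check_output),
        "obfuscated_secrets": obfuscated_secrets(config_text),
    }


# Constructed sample inputs (not taken from a real device).
SAMPLE_COMPLIANT = "password-configured;\n"
SAMPLE_NOT_CONFIGURED = ""
SAMPLE_CONFIG = "\n".join([
    'set system radius-server 192.0.2.10 secret "$9$CONSTRUCTEDexample1"',
    'set system ntp authentication-key 1 type md5 value "$9$CONSTRUCTEDexample2"',
    'set system host-name r1',
])

if __name__ == "__main__":
    report = audit(SAMPLE_NOT_CONFIGURED, SAMPLE_CONFIG)
    print("finding:", report["finding"])
    for num, stmt in report["obfuscated_secrets"]:
        print(f"  line {num}: {stmt}")
```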

Fix Text

Configure the master password to be used to generate encrypted keys for shared secrets as shown in the example below.

[edit]
set system master-password plain-text-password    
Master password: xxxxxxxxxx
Repeat master password: xxxxxxxxxx