encrypt
Note
Always use the FQCN (Fully Qualified Collection Name) arista.avd.encrypt when using this plugin.
Encrypt supported EOS passwords
Synopsis
- The filter encrypts a clear text password into an EOS password.
- It is intended to be used with Ansible Vault to load a password and have it encrypted on the fly by AVD in eos_designs.
- The filter only supports encryption for type `7` and not type `8a` for BGP, ISIS, NTP, OSPF, RADIUS and TACACS+ passwords.
Parameters
| Argument | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| _input | string | True | None | | Clear text password to be encrypted. |
| passwd_type | string | True | None | Valid values: `bgp`, `isis`, `ntp`, `ospf_message_digest`, `ospf_simple`, `radius`, `tacacs` | Type of password to encrypt. `bgp` and `ospf_simple` require the `password` and `key` inputs. `isis` requires the `password`, `key` and `mode` inputs. `ospf_message_digest` requires the `password`, `key`, `hash_algorithm` and `key_id` inputs. `ntp`, `radius` and `tacacs` require the `password` and `salt` inputs. |
| key | string | optional | None | | Encryption key. The value depends on the type of password. For BGP passwords, the key is the Neighbor IP or the BGP Peer Group Name in EOS. For OSPF passwords, the key is the interface name (e.g., Ethernet1). For ISIS passwords, the key is the ISIS instance name (from `router isis <instance name>` or `isis enable <instance name>`). |
| hash_algorithm | string | optional | None | Valid values: `md5`, `sha1`, `sha256`, `sha384`, `sha512` | Hash algorithm to use with `passwd_type=ospf_message_digest`. |
| key_id | integer | optional | None | Min value: 1, Max value: 255 | Key ID to use with `passwd_type=ospf_message_digest`. |
| mode | string | optional | None | Valid values: `none`, `text`, `md5`, `sha`, `sha-1`, `sha-224`, `sha-256`, `sha-384`, `sha1-512` | ISIS encryption mode (`none`, `text`, `md5`, `sha`) or shared-secret algorithm (`sha-1`, `sha-224`, `sha-256`, `sha-384`, `sha1-512`). |
| salt | integer | optional | None | Max value: 15 | Salt used for simple type-7 obfuscation. Required when `passwd_type` is `ntp`, `radius` or `tacacs`. |
Examples
```yaml
---
- # Encrypt the vaulted BGP password for peer group "IPv4-UNDERLAY-PEERS"
  bgp_peer_groups:
    ipv4_underlay_peers:
      name: IPv4-UNDERLAY-PEERS
      password: "{{ bgp_vault_password | arista.avd.encrypt(passwd_type='bgp', key='IPv4-UNDERLAY-PEERS') }}"
- # Encrypt the vaulted OSPF simple password for interface "Ethernet1"
  ethernet_interfaces:
    - name: Ethernet1
      ospf_authentication: simple
      ospf_authentication_key: "{{ ospf_vault_password | arista.avd.encrypt(passwd_type='ospf_simple', key='Ethernet1') }}"
- # Encrypt the vaulted OSPF message digest password for Ethernet1, MD5 and key id 1
  ethernet_interfaces:
    - name: Ethernet1
      ospf_authentication: message-digest
      ospf_message_digest_keys:
        - id: 1
          hash_algorithm: md5
          key: "{{ ospf_vault_password | arista.avd.encrypt(passwd_type='ospf_message_digest', key='Ethernet1', hash_algorithm='md5', key_id='1') }}"
- # Encrypt the vaulted ISIS password for instance EVPN_UNDERLAY using sha-512
  router_isis:
    instance: EVPN_UNDERLAY
    authentication:
      both:
        key_ids:
          - id: 1
            algorithm: sha-512
            key_type: 7
            key: "{{ isis_vault_password | arista.avd.encrypt(passwd_type='isis', key='EVPN_UNDERLAY', mode='sha-512') }}"
- # Encrypt the vaulted NTP password for NTP authentication key
  ntp:
    authentication_keys:
      - id: 1
        hash_algorithm: "md5"
        key: "{{ ntp_vault_key | arista.avd.encrypt(passwd_type='ntp', salt=12) }}"
- # Encrypt the vaulted TACACS+ password
  tacacs_servers:
    hosts:
      - host: 10.10.10.159
        vrf: default
        key: "{{ tacacs_vault_password | arista.avd.encrypt(passwd_type='tacacs', salt=6) }}"
- # Encrypt the vaulted RADIUS password
  radius_servers:
    hosts:
      - host: 10.10.10.159
        vrf: default
        key: "{{ radius_vault_password | arista.avd.encrypt(passwd_type='radius', salt=6) }}"
```
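The vault side of the flow described in the synopsis, as an added example that is not part of the AVD documentation: the clear text exists only inside an Ansible Vault value, and the peer group name is defined once so that the `key` passed to the filter cannot drift from the name rendered into EOS. The file paths, the `underlay_peer_group_name` variable and the vault payload placeholder are assumptions.

```yaml
---
# group_vars/FABRIC/vault.yml (hypothetical path)
# Generated with:
#   ansible-vault encrypt_string --ask-vault-pass --stdin-name bgp_vault_password
# Reading the secret from stdin keeps the clear text out of shell history.
bgp_vault_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  <PLACEHOLDER: paste the ciphertext lines printed by ansible-vault>
---
# group_vars/FABRIC/fabric.yml (hypothetical path)
# Avoided form: the clear text committed next to the design variables, e.g.
#   password: "<clear text password>"

# Hypothetical helper variable: one source of truth for the peer group name.
underlay_peer_group_name: IPv4-UNDERLAY-PEERS

bgp_peer_groups:
  ipv4_underlay_peers:
    name: "{{ underlay_peer_group_name }}"
    # For passwd_type='bgp' the key is the Neighbor IP or the BGP Peer Group
    # Name in EOS (see the key parameter), so it reuses the same variable.
    password: "{{ bgp_vault_password | arista.avd.encrypt(passwd_type='bgp', key=underlay_peer_group_name) }}"
```

The filter's output is still a type 7 string, which the parameter table describes as simple obfuscation for the salt-based types, so the generated configuration files deserve the same access control as the vault file.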
Return Values
| Name | Type | Description | 
|---|---|---|
| _value | string | Encrypted EOS password string. | 
Authors
- Arista Ansible Team (@aristanetworks)