System Security
The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.
nv set system security encryption db state
Enables or disables password encryption in the NVUE startup.yaml file. By default, NVUE encrypts passwords, such as the RADIUS secret, TACACS secret, BGP peer password, OSPF MD5 key, and SNMP strings in the startup.yaml file.
Version History
Introduced in Cumulus Linux 5.10.0
Example
cumulus@switch:~$ nv set system security encryption db state disabled
nv set system security encryption folder-encrypt encrypted-folder
Configures the absolute path to other directories you want to encrypt when you enable secure mount directory encryption. By default, the switch encrypts the /var/log, /var/home, and /var/lib directories.
You enable secure mount directory encryption with the nv action enable system security encryption folder-encrypt password <password> command.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system security encryption folder-encrypt encrypted-folder /my_user/my_data
nv set system security encryption folder-encrypt storage
Configures the storage type for the folder encryption key. To protect sensitive data at rest, you can configure secure mount directory encryption on the switch with a USB device.
You enable secure mount directory encryption with the nv action enable system security encryption folder-encrypt password <password> command.
Version History
Introduced in Cumulus Linux 5.15.0
Example
cumulus@switch:~$ nv set system security encryption folder-encrypt storage usb
nv set system security fips mode
Configures FIPS mode.
FIPS are standards for federal computer systems developed by the U.S. government and published by the National Institute of Standards and Technology (NIST).
When you enable FIPS mode, the switch enforces FIPS 140-2 and 140-3 compliant cryptographic operations, making it suitable for high-security and regulated environments.
- Enabling or disabling FIPS mode takes approximately one to two minutes and requires a switch reboot to take full effect. NVUE prevents you from enabling FIPS if non-compliant configuration exists on the switch and provides details of the violations.
- When FIPS mode is enabled and you apply LDAP, TACACS, RADIUS, or authentication order configuration, all logged-in user sessions terminate and users must re-authenticate (except for the root user).
- Factory reset returns FIPS mode to disabled mode (except when you use the factory reset keep all-config option).
- If FIPS is enabled when you upgrade the switch with onie-install -t, an additional reboot is required after the upgrade for FIPS mode to take full effect.
Version History
Introduced in Cumulus Linux 5.16.0
Example
cumulus@switch:~$ nv set system security fips mode enabled
nv set system security password-hardening digits-class
Configures the password policy so that passwords must include at least one digit. You can specify enabled or disabled. The default setting is enabled when password security is enabled.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening digits-class disabled
nv set system security password-hardening expiration
Configures the duration in days after which system passwords expire. You can set a value between 1 and 365 days. The default value is 180 days.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening expiration 30
nv set system security password-hardening expiration-warning
Configures the number of days before a password expires to send a warning. You can set a value between 1 and 30 days. The default value is 15 days.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening expiration-warning 5
nv set system security password-hardening history-cnt
Configures the number of times you can reuse the same password. You can set a value between 1 and 100. The default value is 10.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening history-cnt 20
nv set system security password-hardening len-min
Configures the minimum password length. You can specify a value between 6 and 32 characters. The default value is 8.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening len-min 10
nv set system security password-hardening lower-class
Configures the password policy so that passwords must include at least one lowercase character. You can specify enabled or disabled. The default setting is enabled when password security is enabled.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening lower-class disabled
nv set system security password-hardening reject-user-passw-match
Configures whether the password policy rejects passwords that match the username. You can specify enabled or disabled. The default setting is enabled when password security is enabled.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening reject-user-passw-match disabled
nv set system security password-hardening special-class
Configures the password policy so that passwords must include at least one special character. The default setting is enabled when password security is enabled.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening special-class disabled
nv set system security password-hardening state
Enables or disables password security. The default setting is enabled.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening state disabled
nv set system security password-hardening upper-class
Configures the password policy so that passwords must include at least one uppercase letter. The default setting is enabled when password security is enabled.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set system security password-hardening upper-class disabled
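The following added example (not NVIDIA code) checks a password-hardening baseline against the ranges and defaults documented in the commands above and prints the nv set commands needed to bring a switch back to that baseline. The function names, the dictionary layout, and the sample values are assumptions of this example.

```python
# Added example, not NVIDIA code: check a password-hardening baseline against
# the ranges documented on this page and emit the nv set commands that close drift.
PREFIX = "nv set system security password-hardening"

# Allowed ranges and defaults as stated in the command descriptions above.
INT_RANGES = {"expiration": (1, 365), "expiration-warning": (1, 30),
              "history-cnt": (1, 100), "len-min": (6, 32)}
TOGGLES = ("state", "digits-class", "lower-class", "upper-class",
           "special-class", "reject-user-passw-match")
DEFAULTS = {"expiration": 180, "expiration-warning": 15, "history-cnt": 10,
            "len-min": 8, **{name: "enabled" for name in TOGGLES}}


def validate(settings):
    """Return one error string per unknown key or out-of-range value."""
    errors = []
    for key, value in settings.items():
        if key in INT_RANGES:
            low, high = INT_RANGES[key]
            # bool is a subclass of int in Python, so reject it explicitly.
            if type(value) is not int or not low <= value <= high:
                errors.append(f"{key}: {value!r} is outside {low}-{high}")
        elif key in TOGGLES:
            if value not in ("enabled", "disabled"):
                errors.append(f"{key}: {value!r} is not enabled or disabled")
        else:
            errors.append(f"{key}: not a setting described on this page")
    return errors


def remediation(current, baseline):
    """Commands that bring `current` to `baseline`.

    `current` holds only explicitly configured values (an assumption of this
    example); anything absent is taken to be at its documented default.
    """
    errors = validate(baseline)
    if errors:
        raise ValueError("; ".join(errors))
    effective = {**DEFAULTS, **current}
    return [f"{PREFIX} {key} {value}"
            for key, value in sorted(baseline.items())
            if effective[key] != value]


if __name__ == "__main__":
    # Constructed sample: a switch where two settings were weakened.
    current = {"len-min": 6, "digits-class": "disabled"}
    baseline = {"state": "enabled", "len-min": 12, "digits-class": "enabled",
                "expiration": 180}
    print("\n".join(remediation(current, baseline)))
```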