Encrypting & Decrypting Arista BGP, BMP, & OSPF Passwords

What if you need to decrypt a BGP, BMP, or OSPF password in your Arista configuration to migrate the configuration to a different vendor? You may have tried a Cisco Type 7 Reverser and find that it doesn’t work.

What if you want to encrypt these passwords beforehand for automation purposes? Both of these questions have come up over the last few months in the #arista channel on the Network to Code slack. The latter question was asked first and I set my sights on figuring it out.

The Short Story

Arista is nice because all of the Python code for the CLI can be found on the switch under /usr/lib/python2.7/site-packages/. Arista has published documentation about how to create your own CLI commands or modify existing ones. After many hours of using grep and reading through the python code, I found the answer in CliPlugin/RoutingBgpCli.py & CliPlugin/RoutingOspfCli.py. It seems obvious now when looking at the code but I only started with the thought “They do it on the CLI so it has to be in here somewhere“. I tricked myself thinking _passwd was an internal python variable and not a string. Arista uses a proprietary DesCrypt library, and I don’t know how the encryption is done behind the scenes. All I know is that its DES-CBC + base64 encoded.

BGP

Arista BGP Type 7 passwords are generated by combining the BGP neighbor IP and the string _passwd. If you have a peer group configured it uses the peer group name instead of the neighbor IP. In this configuration example, I have a password for a peer group and a neighbor. The password is supersecretpassword for both, but you can see the type 7 hash is different.router bgp 65001
  router-id 10.1.1.1
  neighbor mydevices peer-group
  neighbor mydevices password 7 8kjYaye5DsQh0epELyKNe0oZ3E3zp39X
  neighbor 10.1.0.20 peer-group special-devices
  neighbor 10.1.0.30 password 7 M9dLKl9vELqUERgcfkztblNGbMxVQdxU

This is how you would decrypt each password. If you get any errors then you didn’t supply the correct key or password to decrypt.switch1#bash python -c 'import DesCrypt; print DesCrypt.decrypt("mydevices_passwd", "8kjYaye5DsQh0epELyKNe0oZ3E3zp39X")'
supersecretpasswordswitch1#bash python -c 'import DesCrypt; print DesCrypt.decrypt("10.1.0.30_passwd", "M9dLKl9vELqUERgcfkztblNGbMxVQdxU")'
supersecretpassword

This is how you would generate the encrypted password for BGP with the password supersecretpasswordswitch1#bash python -c 'import DesCrypt; print DesCrypt.encrypt("mydevices_passwd", "supersecretpassword")'
8kjYaye5DsQh0epELyKNe0oZ3E3zp39Xswitch1#bash python -c 'import DesCrypt; print DesCrypt.encrypt("10.1.0.30_passwd", "supersecretpassword")'
M9dLKl9vELqUERgcfkztblNGbMxVQdxU

BMP (BGP Monitoring Protocol)

BMP passwords use the station name plus the string _passwd. Here is an example configuration. The plain-text authentication-key is supersecretpassword.router bgp 65001
 monitoring station BMP1
 authentication-key 7 JieKbldfLyl9IzUBJZRvKIcc1w5wWogI

Here is how to decrypt and encrypt BMP passwords.switch1#bash python -c 'import DesCrypt; print DesCrypt.decrypt("BMP1_passwd", "JieKbldfLyl9IzUBJZRvKIcc1w5wWogI")'
supersecretpasswordswitch1#bash python -c 'import DesCrypt; print DesCrypt.encrypt("BMP1_passwd", "supersecretpassword")'
JieKbldfLyl9IzUBJZRvKIcc1w5wWogI

OSPF

Arista OSPF Type 7 passwords are generated by combining the interface name and the string _passwd. Here is an example configuration. The plain-text authentication-key is password.interface Ethernet1
  no switchport
  ip address 10.1.1.1/31
  ip ospf authentication
  ip ospf authentication-key 7 5bEz4KscELPQE2bS/6HBeA==

Here is how to decrypt and encrypt OSPF passwords.switch1#bash python -c 'import DesCrypt; print DesCrypt.decrypt("Ethernet1_passwd", "5bEz4KscELPQE2bS/6HBeA==")'
passwordswitch1#bash python -c 'import DesCrypt; print DesCrypt.encrypt("Ethernet1_passwd", "password")'
5bEz4KscELPQE2bS/6HBeA==

Notes

If you need to perform this off of a physical device, you can do it with vEOS-lab or cEOS. You can also use a 32bit Linux VM or container and install python2.7, libpython2.7, and take DesCrypt.py, _DesCrypt.so, & libtac.so.0 from an Arista device. I don’t recommend that however as these files are Copyrighted by Arista and are Confidential/Proprietary. You might be able to run these commands against EOS using eAPI. I’ve thought about writing a daemon or python script that exposes an endpoint on the Arista switch to perform this task for automation purposes. I hope to one day be able to encrypt and decrypt these passwords without needing the libraries from Arista.