AES::key
Description
Creates an AES key of the specified length for use in encryption/decryption operations.
Syntax
AES::key < 128 | 192 | 256 >
- Creates an AES key of the specified length (in bits) for use in encryption/decryption operations.
Examples
In this example, a new encryption key is created every time the rule is saved (RULE_INIT runs again), so every string encrypted with the previous key can no longer be decrypted. (Note: this example is NOT CMP-compatible because it uses a global variable.)
when RULE_INIT {
set ::key [AES::key 128]
}
The next example avoids this issue by creating a new key only if one does not already exist. After a failover to the peer unit, however, a new key would still be generated, because the peer has its own copy of the global variable.
when RULE_INIT {
    set ::encryption_debug 2
    # Create an encryption key if one doesn't exist already
    if {[info exists ::global_encrypt_key_v1] and [string length $::global_encrypt_key_v1]} {
        if {$::encryption_debug > 1} {log local0. "Using existing key: $::global_encrypt_key_v1"}
    } else {
        # Key didn't exist so create one
        set ::global_encrypt_key_v1 [AES::key 128]
        if {$::encryption_debug > 1} {log local0. "Created new encryption key: $::global_encrypt_key_v1"}
    }
}
You can replace the functionality of AES::key by specifying the key yourself as a properly formatted string. The advantage is that the key value stays constant regardless of which unit is active. The proper format is “AES <128 | 192 | 256> <hex-encoded key of that length>”, as in the example below, where the 128-bit key is written as 32 hexadecimal characters:
when RULE_INIT {
    # Save a 128 bit key as a formatted string (bit length followed by the key in hex)
    set key_string "AES 128 b55c4753cba6adaa0e4ea7640504d9b4"
    # Encrypt a test string with the static key string
    set encrypted [AES::encrypt $key_string "decrypted text"]
    # Log the decrypted value
    log local0. "\$decrypted: [AES::decrypt $key_string $encrypted]"
}
Log output:
Rule aes-key <RULE_INIT>: $decrypted: decrypted text
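A static key string of the kind used above has to be generated somewhere off the BIG-IP and pasted into the rule, so it is worth generating it from a cryptographically secure source and checking that the hex part actually matches the declared bit length before it is deployed. The following is an added example, not part of the F5 documentation or any F5 code: it generates a key string from the operating system CSPRNG and validates one against the "AES <bits> <hex>" shape. That shape (the bit length followed by bits/4 hex characters) is inferred from the page's own example and is an assumption; the function names are illustrative.

```python
import re
import secrets

# Constructed sample: the key string shown in the example above (128-bit key, 32 hex chars).
PAGE_KEY_STRING = "AES 128 b55c4753cba6adaa0e4ea7640504d9b4"

# The three key lengths AES::key accepts.
VALID_BITS = (128, 192, 256)

# Assumed format: literal "AES", a space, the bit length, a space, the key in hex.
_KEY_RE = re.compile(r"^AES (128|192|256) ([0-9a-fA-F]+)$")


def generate_key_string(bits: int) -> str:
    """Return a key string in the 'AES <bits> <hex>' form, drawing the key from a CSPRNG.

    secrets.token_hex(n) returns 2*n hex characters for n random bytes, so bits // 8
    bytes yields exactly bits // 4 hex characters, matching the declared length.
    """
    if bits not in VALID_BITS:
        raise ValueError(f"AES key length must be one of {VALID_BITS}, got {bits}")
    return f"AES {bits} {secrets.token_hex(bits // 8)}"


def validate_key_string(key_string: str) -> tuple[bool, str]:
    """Check that a key string is well formed and that its hex length matches its bit length.

    Returns (True, "ok") on success, or (False, reason) describing the first problem found.
    """
    match = _KEY_RE.match(key_string)
    if not match:
        return False, "does not match 'AES <128|192|256> <hex>'"
    bits = int(match.group(1))
    hex_key = match.group(2)
    expected_hex_len = bits // 4  # 4 bits per hex character
    if len(hex_key) != expected_hex_len:
        return (
            False,
            f"{bits}-bit key needs {expected_hex_len} hex characters, found {len(hex_key)}",
        )
    return True, "ok"


def key_bytes(key_string: str) -> bytes:
    """Return the raw key bytes of a validated key string (useful for cross-checking elsewhere)."""
    ok, reason = validate_key_string(key_string)
    if not ok:
        raise ValueError(reason)
    return bytes.fromhex(key_string.split(" ")[2])


if __name__ == "__main__":
    print("page example:", validate_key_string(PAGE_KEY_STRING))
    for bits in VALID_BITS:
        fresh = generate_key_string(bits)
        print(fresh, validate_key_string(fresh))
    # A truncated hex part is the typical copy-paste mistake the check is meant to catch.
    print("truncated:", validate_key_string("AES 256 b55c4753cba6adaa0e4ea7640504d9b4"))
```

Run it once per key you intend to paste into RULE_INIT; the truncated-key case shows why the length check matters, since a 256-bit declaration with only 32 hex characters is a mis-pasted key rather than a usable one.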