Creates an AES key of the specified length for use in encryption/decryption operations.


AES::key < 128 | 192 | 256 >

  • Creates an AES key of the specified length (in bits) for use in encryption/decryption operations.


In this example, RULE_INIT runs again every time the rule is saved (or the configuration is reloaded), so a new encryption key is created and every string encrypted with the previous key can no longer be decrypted. (Note: this example is NOT CMP-COMPATIBLE because it uses a global variable.)

when RULE_INIT {
   # A fresh key on every save or reload; anything encrypted with the old key is lost
   set ::key [AES::key 128]
}

The next example avoids this issue by only creating a new key if there isn't an existing one. It does not help across a failover, though: the peer unit runs its own RULE_INIT and ends up with a different key, so strings encrypted on the previously active unit cannot be decrypted on the new one. Note also that the debug logging below writes the key itself to the LTM log, so leave ::encryption_debug below 2 on a production system.
when RULE_INIT {
   set ::encryption_debug 2

   # Create an encryption key if one doesn't exist already
   if {[info exists ::global_encrypt_key_v1] and [string length $::global_encrypt_key_v1]} {

      if {$::encryption_debug > 1} {log local0. "Using existing key: $::global_encrypt_key_v1"}

   } else {
      # Key didn't exist so create one
      set ::global_encrypt_key_v1 [AES::key 128]
      if {$::encryption_debug > 1} {log local0. "Created new encryption key: $::global_encrypt_key_v1"}
   }
}

You can replace the functionality of AES::key by specifying the key as a properly formatted string. The advantage is that the key value is constant regardless of which unit is active and across saves and reloads. The format is "AES <128 | 192 | 256> <key in hex>", where the hex part carries exactly the stated number of bits (a 128-bit key is 32 hex characters, as in the example below). Keep in mind that a key written into the iRule is stored in clear text in the configuration: anyone who can read the config can decrypt the data, so protect the configuration and its backups accordingly. Here is an example:
when RULE_INIT {

    # Save a 128 bit key as a string
    set key_string "AES 128 b55c4753cba6adaa0e4ea7640504d9b4"

    # Encrypt a test string with the key given in hex
    set encrypted [AES::encrypt $key_string "decrypted text"]

    # Log the decrypted value
    log local0. "\$decrypted: [AES::decrypt $key_string $encrypted]"
}

Log output:
Rule aes-key <RULE_INIT>: $decrypted: decrypted text
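The string-key form above relies on the operator producing a correctly formatted constant. The following is an added example, not part of this page or of F5's iRule code, showing how to generate such a string off-box from the OS CSPRNG and how to validate one before it is pasted into a rule. It assumes only what the page's example shows: the format "AES <bits> <hex key>" with one hex digit per four key bits. The function names make_irule_aes_key and parse_irule_aes_key are this example's own.

```python
import re
import secrets
from typing import Tuple

# Key lengths AES::key accepts, in bits.
AES_KEY_BITS = (128, 192, 256)

# Shape of the "AES <bits> <hex key>" string shown on this page. The number of
# hex digits is checked separately against the declared bit length.
_KEY_RE = re.compile(r"^AES (128|192|256) ([0-9a-fA-F]+)$")


def make_irule_aes_key(bits: int = 128) -> str:
    """Return a fresh random key in "AES <bits> <hex>" form.

    secrets.token_hex draws from the OS CSPRNG, so the result is suitable as an
    encryption key; as a constant in the rule it survives saves and failover.
    """
    if bits not in AES_KEY_BITS:
        raise ValueError(f"unsupported AES key length: {bits}")
    return f"AES {bits} {secrets.token_hex(bits // 8)}"


def parse_irule_aes_key(key_string: str) -> Tuple[int, bytes]:
    """Validate an "AES <bits> <hex>" string and return (bits, raw key bytes).

    Raises ValueError if the prefix, the bit length or the hex digit count is
    wrong, so a mistyped constant is caught before it reaches the BIG-IP.
    """
    m = _KEY_RE.match(key_string.strip())
    if not m:
        raise ValueError("key string must look like 'AES <128|192|256> <hex key>'")
    bits = int(m.group(1))
    hex_key = m.group(2)
    if len(hex_key) != bits // 4:
        raise ValueError(f"AES {bits} needs {bits // 4} hex digits, got {len(hex_key)}")
    return bits, bytes.fromhex(hex_key)


if __name__ == "__main__":
    # Constructed sample: the 128-bit key string from the page's own example.
    sample = "AES 128 b55c4753cba6adaa0e4ea7640504d9b4"
    bits, raw = parse_irule_aes_key(sample)
    print(f"{sample!r} -> {bits}-bit key, {len(raw)} bytes")
    print("fresh 256-bit key:", make_irule_aes_key(256))
```

Generate the key on a workstation, paste the printed string into the rule, and treat the rule (and any UCS or config backups containing it) as key material.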