ltm rule command AES key
iRule(1) BIG-IP TMSH Manual iRule(1)
AES::key
Creates an AES key to encrypt/decrypt data.
SYNOPSIS
AES::key ('128' | '192' | '256')?
DESCRIPTION
Creates an AES key of the specified length for use in
encryption/decryption operations.
Syntax
AES::key < 128 | 192 | 256 >
* Creates an AES key of the specified length (in bits) for use in
encryption/decryption operations.
* Default key length is 128 bits
RETURN VALUE
Returns the created key.
VALID DURING
ANY_EVENT
EXAMPLES
In this example, a new encryption key is created every time the rule is
saved, so all existing encrypted strings become invalid:
Note: this example is NOT CMP-COMPATIBLE because it uses a global variable.
when RULE_INIT {
    set ::key [AES::key 128]
}
The next example avoids this issue by adding logic that creates a new key
only if one does not already exist. If there is a failover to the peer
unit, a new key is still generated, though.
when RULE_INIT {
    set ::encryption_debug 2
    # Create an encryption key if one doesn't exist already
    if {[info exists ::global_encrypt_key_v1] and [string length $::global_encrypt_key_v1]} {
        # Note: at debug level > 1 these log lines write the key material itself to the log
        if {$::encryption_debug > 1} {log local0. "Using existing key: $::global_encrypt_key_v1"}
    } else {
        # Key didn't exist so create one
        set ::global_encrypt_key_v1 [AES::key 128]
        if {$::encryption_debug > 1} {log local0. "Created new encryption key: $::global_encrypt_key_v1"}
    }
}
You can replace the functionality of AES::key by specifying the key as a
properly formatted string. The advantage is that the key value is
constant regardless of which unit is active. The proper format is "AES
<128 | 192 | 256> <key in hex>", where the hex part is the raw key and
its length must match the declared size (32 hex characters for 128 bits,
48 for 192, 64 for 256).
Here is an example:
when RULE_INIT {
    # Save a 128 bit key as a string
    set key_string "AES 128 b55c4753cba6adaa0e4ea7640504d9b4"
    # Encrypt a test string with the hex-formatted key
    set encrypted [AES::encrypt $key_string "decrypted text"]
    # Decrypt it again and log the decrypted value
    log local0. "\$decrypted: [AES::decrypt $key_string $encrypted]"
}
Log output:
Rule aes-key : $decrypted: decrypted text
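As an added example (not part of this manual page or of F5's code), a small Python helper that generates and validates key strings in the "AES <bits> <hex>" form used above, so a constant key can be produced offline from a CSPRNG instead of typed by hand. The regular expression, and the rule that the hex length must equal the declared bit length, are assumptions drawn from the 32-character example key on this page.

```python
import re
import secrets

# Key lengths the manual page lists for AES::key, in bits.
AES_KEY_BITS = (128, 192, 256)

# "AES <bits> <hex key>" as in the page's RULE_INIT example. How strictly
# BIG-IP itself parses this string is an assumption; this accepts both
# hex cases and requires exactly one space between the fields.
_KEY_STRING_RE = re.compile(r"^AES (128|192|256) ([0-9a-fA-F]+)$")


def make_key_string(bits=128):
    """Build a key string from CSPRNG bytes (secrets, never random)."""
    if bits not in AES_KEY_BITS:
        raise ValueError(f"unsupported AES key length: {bits}")
    # bits // 8 random bytes -> bits // 4 lowercase hex characters
    return f"AES {bits} {secrets.token_hex(bits // 8)}"


def parse_key_string(key_string):
    """Return (bits, raw_key_bytes), or raise ValueError if malformed."""
    m = _KEY_STRING_RE.match(key_string)
    if not m:
        raise ValueError("expected 'AES <128|192|256> <hex>'")
    bits, hex_key = int(m.group(1)), m.group(2)
    # A declared size that does not match the hex length is the most
    # likely copy/paste defect, so reject it instead of guessing.
    if len(hex_key) != bits // 4:
        raise ValueError(
            f"declared {bits}-bit key but got {len(hex_key) * 4} bits of hex"
        )
    return bits, bytes.fromhex(hex_key)


def is_valid_key_string(key_string):
    """True if the string is a well-formed, length-consistent key string."""
    try:
        parse_key_string(key_string)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Print a fresh 128-bit key string to paste into an iRule.
    print(make_key_string(128))
```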
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-9.0.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)