ltm rule command AES key

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



AES::key
       Creates an AES key to encrypt/decrypt data.

SYNOPSIS
       AES::key ('128' | '192' | '256')?

DESCRIPTION
       Creates an AES key of the specified length for use in
       encryption/decryption operations.

       Syntax

       AES::key < 128 | 192 | 256 >

	    * Creates an AES key of the specified length (in bits) for use in
	      encryption/decryption operations.
	    * Default key length is 128 bits

RETURN VALUE
       Returns the created key.

VALID DURING
       ANY_EVENT

EXAMPLES
	In this example, a new encryption key is created every time the rule is
	saved, so all existing encrypted strings become invalid:
	Note: this example is NOT CMP-COMPATIBLE because it uses a GLOBAL variable.

	when RULE_INIT {
	    set ::key [AES::key 128]
	}

	The next example avoids this issue by only creating a new key if one
	does not already exist. If there is a failover to the peer unit, a new
	key is still generated on that unit though.

	when RULE_INIT {
	   # Debug level 2 logs the key itself to local0, so keep it at 0 or 1
	   # outside of testing
	   set ::encryption_debug 2

	   # Create an encryption key if one doesn't exist already
	   if { [info exists ::global_encrypt_key_v1] and [string length $::global_encrypt_key_v1] } {

	      if { $::encryption_debug > 1 } { log local0. "Using existing key: $::global_encrypt_key_v1" }

	   } else {
	      # Key didn't exist so create one
	      set ::global_encrypt_key_v1 [AES::key 128]
	      if { $::encryption_debug > 1 } { log local0. "Created new encryption key: $::global_encrypt_key_v1" }
	   }
	}

	You can replace the functionality of AES::key by specifying a key as a
	properly formatted string. The advantage is that the key value is
	constant regardless of which unit is active. The proper format is
	"AES <128 | 192 | 256> <key in hex>", as in the following example:

	when RULE_INIT {

	    # Save a 128 bit key as a string
	    set key_string "AES 128 b55c4753cba6adaa0e4ea7640504d9b4"

	    # Encrypt a test string with the key given in hex
	    set encrypted [AES::encrypt $key_string "decrypted text"]

	    # Log the decrypted value
	    log local0. "\$decrypted: [AES::decrypt $key_string $encrypted]"
	}

	Log output:

	Rule aes-key : $decrypted: decrypted text
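	A static key string like the one above is normally generated offline
	and pasted into the rule. The following Python helper is an added
	example, not part of this man page or of TMOS: it builds a key string
	in the "AES <bits> <hex>" form shown above from a CSPRNG and, before a
	key string is deployed, checks that the hex part really matches the
	stated length (the only key encoding assumed here is the hex form the
	example uses).

```python
import re
import secrets

# Key lengths AES::key accepts (in bits)
VALID_BITS = {128, 192, 256}


def make_aes_key_string(bits=128):
    """Build a key string in the "AES <bits> <hex>" form the iRule
    example uses, drawing the key material from a CSPRNG."""
    if bits not in VALID_BITS:
        raise ValueError(f"unsupported AES key length: {bits}")
    return f"AES {bits} {secrets.token_hex(bits // 8)}"


def parse_aes_key_string(key_string):
    """Validate a key string and return (bits, raw key bytes).

    Rejects anything that is not 'AES <bits> <hex>', an unsupported
    length, and a hex part whose size disagrees with the stated length,
    so a mistyped key is caught before it reaches the rule."""
    m = re.fullmatch(r"AES (\d+) ([0-9a-fA-F]+)", key_string.strip())
    if not m:
        raise ValueError("key string must look like 'AES <bits> <hex>'")
    bits = int(m.group(1))
    if bits not in VALID_BITS:
        raise ValueError(f"unsupported AES key length: {bits}")
    raw = bytes.fromhex(m.group(2))
    if len(raw) * 8 != bits:
        raise ValueError(
            f"hex key is {len(raw) * 8} bits but header says {bits}")
    return bits, raw


if __name__ == "__main__":
    # The 128-bit key string from the man page example (constructed input)
    print(parse_aes_key_string("AES 128 b55c4753cba6adaa0e4ea7640504d9b4"))
    print(make_aes_key_string(256))
```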

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-9.0.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)