Configure Secure Cryptography Mode

A GigaVUE node can be put into secure cryptography mode to improve the security of the management interface. In secure cryptography mode, weak encryption/decryption and hashing algorithms, used for accessing data and generating keys, are disabled. The secure cryptography mode limits the cryptographic algorithms, hashing algorithms, and SSH transport protocols, that are available for use on a GigaVUE node.

Initially, the secure cryptography mode is disabled. There are two steps to enabling it: configuring the mode, and then reloading either the node, if it is standalone, or the cluster, if the node is in a cluster environment.

Note:  Refer to the GigaVUE Release Notes for the latest browser support information for Secure Cryptography Mode.

Enable Secure Cryptography Mode

To enable secure cryptography mode from the GigaVUE H-VUE, do the following:

  1. Select Settings > Global Settings > Security.
  2. Click Edit.
  3. On the Edit Security Settings page, select Secure Cryptography.
  4. Click Save.
  5. The system displays the following notification:

    Security settings updated successfully. Please reboot the device for the settings to take effect.

    For the secure cryptography mode to take effect the node needs to be reloaded.

    a. Select Settings > Reboot and Upgrade.
    b. Click Reboot.

When a GigaVUE node is in secure cryptography mode, a status is displayed when you log in. For more information, refer to Status of Secure Cryptography Mode.

IMPORTANT: TLS version 1.2 is required for secure cryptography mode. When enabling secure cryptography mode, TLS version 1.2 is enabled by default. If you disable secure cryptography mode and want to change the TLS version, useGigaVUE-OSCLI command:web server ssl min-version tls<version>. Refer to the GigaVUE-OS-CLI Reference Guide for CLI guidance.

Disable Secure Cryptography Mode

By default, the secure cryptography mode is disabled. If it has been enabled, use the following steps to disabling it:

  1. Select Settings > Global Settings > Security.
  2. Click Edit.
  3. On the Edit Security Settings page, clear Secure Cryptography.
  4. Click Save.

The system displays the following notification:

Security settings updated successfully. Please reboot the device for the settings to take effect.

For the secure cryptography mode to take effect the node needs to be reloaded.

a. Select Settings > Reboot and Upgrade.
b. Click Reboot.

Enable Enhanced Cryptography Mode

To enable enhanced cryptography mode from the GigaVUEH-VUE, do the following:

  1. Select Settings > Global Settings > Security.
  2. Click Edit.
  3. On the Edit Security Settings page, select Enhanced Cryptography.
  4. Click Save

If you enable enhanced cryptography, then FIPS mode will be disabled.

Ciphers to Use with Secure Cryptography Mode

Use the following ciphers with secure cryptography mode:

Secure Cryptography Mode

All Platforms

AES128-CBC

AES256-CBC

Note:  Refer to the GigaVUE Release Notes for the latest cipher support information in Secure Cryptography Mode.

Use the following ciphers with normal (non-secure) cryptography mode:

Normal Cryptography Mode

GVCCV2

Other PowerPC Platforms

Intel Platforms

AES128-CTR AES192-CTR AES256-CTR

AES128-CTR AES192-CTR AES256-CTR

AES128-CTR AES192-CTR AES256-CTR AES128-CBC AES256-CBC

Cryptographic Algorithms

When secure cryptography mode is enabled, the cryptographic algorithms are limited as follows:

SSH Host Key Algorithm

SSH Key Exchange

Encryption Algorithms

Hash-based Message

Authentication Code

ECDSA

Diffie-Hellman-group14-sha1

AES128-CBC, AES256-CBC

HMAC-SHA1, HMAC-SHA2-256, HMAC-SHA2-512

Status of Secure Cryptography Mode

If the secure cryptography mode is configured on a GigaVUE node, once the node or cluster has been reloaded, a status is displayed when you log in.