Normally, passwords other than enable secret will appear in our configuration files in plain text. Even though you need to be in privileged mode to view the configuration files, encrypting all passwords is still a good idea. Eventually we’ll back up the configuration files to a network server, which means that other people may have the ability to access and view them.
The command used to manually encrypt passwords is service password-encryption. You can encrypt any password manually by first issuing this command from global configuration mode, and then changing passwords as you normally would. Once complete, enter the no service password-encryption command. In the example below, we have encrypted both the auxiliary and console port passwords.
toronto-1(config)#service password-encryption
toronto-1(config)#line con 0
toronto-1(config-line)#login
toronto-1(config-line)#password cisco1
toronto-1(config-line)#line aux 0
toronto-1(config-line)#login
toronto-1(config-line)#password cisco1
toronto-1(config-line)#exit
toronto-1(config)#no service password-encryption
After completing the steps listed, you can view the encrypted versions of the passwords by using the show running-config command. I have again truncated the output to show only the pertinent information.
toronto-1#show run
Building configuration...
Current configuration:
line con 0
password 7 01100F17580457
login
transport input none
line aux 0
password 7 03075218050070
login
transport input all
line vty 0 4
password cisco1
login
!
end
Notice that both the console and auxiliary passwords have been encrypted. The vty password has not, since we didn’t specify it while configuring the encrypted passwords. Viewing the startup configuration at this point would still show unencrypted versions of all these passwords. Why? Because we haven’t saved our changes to the startup-configuration, of course!
toronto-1#sh star
Using 790 out of 32762 bytes
line con 0
password cisco1
login
transport input none
line aux 0
password cisco1
login
transport input all
line vty 0 4
password cisco1
login
!
end
Remember that in order to save our changes, we need to save the running configuration to the startup configuration. As an easy-to-remember shorthand, you can enter the command copy run star.
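The following script is an added example, not part of the original article. It checks a saved configuration for line passwords that are still stored in plain text, as the vty password is in the running configuration above and as all three are in the unsaved startup configuration. The function names are assumptions, and the sample text is constructed from the output shown above.

```python
import re

# Constructed sample: the running-config excerpt shown in the article above.
SAMPLE_RUNNING = """\
line con 0
password 7 01100F17580457
login
transport input none
line aux 0
password 7 03075218050070
login
transport input all
line vty 0 4
password cisco1
login
!
end
"""

SECTION_RE = re.compile(r"^line\s+(.+)$")
PASSWORD_RE = re.compile(r"^password\s+(?:(\d+)\s+)?(\S+)")


def audit_line_passwords(config_text):
    """Map each 'line ...' section to 'plaintext', 'type N' or 'none'."""
    results, current = {}, None
    for raw in config_text.splitlines():
        text = raw.strip()  # IOS indents sub-commands; the excerpt above does not
        section = SECTION_RE.match(text)
        if section:
            current = section.group(1)
            results[current] = "none"
        elif text in ("!", "end"):
            current = None  # separator: the line section is over
        elif current is not None:
            pw = PASSWORD_RE.match(text)
            if pw:
                enc_type = pw.group(1)
                # No type digit, or type 0, means the password is stored as typed.
                plain = enc_type in (None, "0")
                results[current] = "plaintext" if plain else f"type {enc_type}"
    return results


def plaintext_lines(config_text):
    """Names of line sections whose password is still readable in the file."""
    audit = audit_line_passwords(config_text)
    return [name for name, kind in audit.items() if kind == "plaintext"]


if __name__ == "__main__":
    for name, kind in audit_line_passwords(SAMPLE_RUNNING).items():
        print(f"line {name}: {kind}")
```

Run it against a backup copy before the file goes to a network server. Type 7 strings are a reversible encoding, so a file that contains only type 7 passwords should still be access-controlled.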