
HP-Switch-5406Rzl2 - Set encrypted-password - Value is invalid


    Posted Jul 23, 2020 10:27 AM

    Dear all,


    I'm a (Java) software developer and I need to create a config with an encrypted password, without the possibility to use an HPE device while creating this config.


    I found this documentation about setting an encrypted password:

    What I've learned there is that the password should be a base64-encoded AES-256-encrypted string, but this is mainly used to save and restore an existing config. I would like to create a NEW config. Is this possible at all?


    The device is an HPE Aruba switch 5406Rzl2, running as software image: KB.16.08.0003 (May  2 2019 19:24:36)


    The commands I have executed are:


    HP-Switch-5406Rzl2# erase all
    <reboot etc.>
    HP-Switch-5406Rzl2# configure terminal
    HP-Switch-5406Rzl2(config)# encrypt-credentials pre-shared-key plaintext testkey
    Save config and continue (y/n)? y
    HP-Switch-5406Rzl2(config)# encrypt-credentials
                                  **** CAUTION ****
    This will encrypt all passwords and authentication keys.
    Save config and continue (y/n)? y
    HP-Switch-5406Rzl2(config)# show encrypt-credentials
    Encryption    : Enabled
    Pre-shared Key: 98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489
    HP-Switch-5406Rzl2(config)# encrypted-password manager user-name testuser 79hk2jDW8AHzUYIFCh767A==
    Value 79hk2jDW8AHzUYIFCh767A== is invalid.



    As you can see, the device returns that the value is invalid!


    The code I used to create the value is:


    final byte[] ky=DatatypeConverter.parseHexBinary("98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489");
    final byte[] iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    String encrypted= new Aes256cbc(ky,iv).encrypt("testpassword");



    Where Aes256cbc is defined as this class:


    import java.nio.charset.StandardCharsets;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.BadPaddingException;
    import javax.crypto.Cipher;
    import javax.crypto.IllegalBlockSizeException;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    import javax.xml.bind.DatatypeConverter;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class Aes256cbc {
        private static final String ALGORITHM = "AES";
        private static final Logger LOGGER = LoggerFactory.getLogger(Aes256cbc.class);
        private final byte[] key;
        private final byte[] iv;

        public Aes256cbc(byte[] key, byte[] iv) {
            this.key = key;
            this.iv = iv;
        }

        // Encrypts plainText with AES/CBC/PKCS5Padding; returns Base64 text, or null on failure.
        public String encrypt(final String plainText) {
            // Fixed charset so the result does not depend on the platform default.
            final byte[] plainTextAsByteArray = plainText.getBytes(StandardCharsets.UTF_8);
            final SecretKeySpec secretKey = new SecretKeySpec(key, ALGORITHM);
            final IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
            byte[] resultAsBytearray = null;
            try {
                final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
                cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
                resultAsBytearray = cipher.doFinal(plainTextAsByteArray);
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException e) {
                LOGGER.error("Encryption failed", e);
            }
            return resultAsBytearray != null ? DatatypeConverter.printBase64Binary(resultAsBytearray) : null;
        }
    }



    • Can you tell me whether or not I am making a fundamental error?
    • Is what I would like to accomplish possible?
    • Can you maybe give me some hints to fulfill my need to encrypt a plaintext password, which can be used to configure the device? (preferably in Java, but a pseudo/other language is ok too)


    Thanks in advance!
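
An offline self-consistency check for the scheme assumed in the post above, as an added example that is not the poster's code and not HPE's algorithm. It assumes the displayed pre-shared key is used directly as the AES-256 key, with an all-zero IV and PKCS5 padding; the class and method names (`EncryptedValueCheck`, `tryDecrypt`) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: tests a candidate value against the post's assumptions
// (displayed key used as the raw AES key, all-zero IV, AES/CBC/PKCS5Padding).
public class EncryptedValueCheck {

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static byte[] crypt(int mode, byte[] key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    // Returns the recovered plaintext, or null when the value is not valid Base64,
    // is not a whole number of AES blocks, or fails to unpad under the assumed key and IV.
    static String tryDecrypt(String base64Value, byte[] key, byte[] iv) {
        try {
            byte[] raw = Base64.getDecoder().decode(base64Value);
            if (raw.length == 0 || raw.length % 16 != 0) return null;
            return new String(crypt(Cipher.DECRYPT_MODE, key, iv, raw), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] key = hex("98483c6eb40b6c31a448c22a66ded3b5e5e8d5119cac8327b655c8b5c4836489");
        byte[] iv = new byte[16]; // all-zero IV, as in the post
        byte[] pw = "testpassword".getBytes(StandardCharsets.UTF_8);
        String a = Base64.getEncoder().encodeToString(crypt(Cipher.ENCRYPT_MODE, key, iv, pw));
        String b = Base64.getEncoder().encodeToString(crypt(Cipher.ENCRYPT_MODE, key, iv, pw));
        System.out.println("generated value      : " + a);
        System.out.println("deterministic output : " + a.equals(b)); // fixed key + fixed IV
        System.out.println("round trip           : " + tryDecrypt(a, key, iv));
        System.out.println("value from the post  : " + tryDecrypt("79hk2jDW8AHzUYIFCh767A==", key, iv));
    }
}
```

A clean round trip only shows that a value is consistent with these assumed parameters, not that the switch uses the same key handling, IV or encoding. The deterministic-output line reflects that a fixed key combined with a fixed IV maps equal passwords to equal ciphertexts.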