Forum Discussion

MM_F_147944
Apr 08, 2016
Solved

How to recover the Cookie Encryption Passphrase once forgotten

The HTTP profile cookie encryption passphrase has been forgotten; how can it be recovered? The guy who created this profile is no longer with us and we don't know it, and this profile is on a critical application, so we don't have downtime.


  • That's not possible, unless there's a secret backdoor in TMOS.

    You can give that guy a call (maybe he remembers?) or use a cracking service provider - they will attempt to retrieve the plain-text format for a fee. Although he's no longer employed with your company, moving on without documenting the general-use passphrases is a lousy move. In some places, this can be considered a criminal offense.

    If you just want to migrate the existing configuration to a new BigIP platform, you can do it without knowing the passphrase. To do so, you just copy the configuration as-is from the /config/bigip.conf file to your new appliance.

    If you're not looking to migrate the configuration, you will probably have to settle for the impact. You can overwrite the existing passphrase with a new one during a low-activity hour, and send a 'sorry for the inconvenience' e-mail in which you also instruct your users to close the application and reconnect from a fresh browser session, should they experience any technical issues. If it's a permanent (or long-term) tracking cookie that's being encrypted, users may also have to manually delete their existing cookies.

    You should also contact F5 support here.

6 Replies

    • MM_F_147944
      Thanks for replying. Actually, we are replacing the 3400 with the 4000s platform. First I thought to configure each and every thing one by one, but when I reached the profile I found out about that passphrase. If I am going to copy the configuration, what will be the procedure, as the 3400 OS is 9.4.x and the new platform has 11.5.x?
    • Hannes_Rapp_162
      It's a bit of a difficult case because the 3400 cannot be upgraded to v11.5.x and the 4000s cannot be downgraded to version 9.4.x. Personally, I would manually create a new profile with the same settings, but use a different passphrase. When done, modify the /config/bigip.conf file, and replace the passphrase with a new value (as copied from the /config/bigip.conf file on the v9.4.x box). I'm not sure it works since the encryption mechanics of passphrases may have changed since then. Therefore, the old encrypted key may no longer be identified.
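An added illustration of the transplant Hannes describes (not code from the thread, from F5 or from TMOS): locate the HTTP profile stanza in each bigip.conf, read the stored passphrase value from the old one, and write it into the new one only when both stored values carry the same format marker, since the passphrase encoding may have changed between versions. The stanza layout, the key names and the `$M$` marker are assumptions for illustration; check them against the real files before relying on this.

```python
import re

# Added example, not from the thread; stanza layout and key names are ASSUMED.
OLD_CONF = """profile http http_app {
   cookie encryption passphrase $M$constructedOldValue==
}"""  # constructed v9-style sample
NEW_CONF = """ltm profile http /Common/http_app {
    encrypt-cookies { app_session }
    encrypt-cookie-secret $M$constructedNewValue==
}"""  # constructed v11-style sample
PASSPHRASE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>encrypt-cookie-secret|cookie encryption passphrase)\s+(?P<value>\S+)\s*$")

def find_profile_block(conf, name):
    """(first, last) line indices of the HTTP profile stanza, or None."""
    lines, start, depth = conf.splitlines(), None, 0
    for i, line in enumerate(lines):
        if start is None:
            if "profile http" in line and name in line and line.rstrip().endswith("{"):
                start, depth = i, 1
            continue
        depth += line.count("{") - line.count("}")  # nested sub-blocks
        if depth == 0:
            return start, i
    return None

def extract_passphrase(conf, name):
    """Stored (encrypted) passphrase value inside the named profile."""
    span = find_profile_block(conf, name)
    if span is None:
        raise ValueError(f"profile {name!r} not found")
    for line in conf.splitlines()[span[0]:span[1] + 1]:
        if (m := PASSPHRASE_RE.match(line)):
            return m.group("value")
    raise ValueError(f"no passphrase line in profile {name!r}")

def secret_marker(value):  # leading '$X$' marker of a stored secret, '' if none
    m = re.match(r"^\$[A-Za-z0-9]+\$", value)
    return m.group(0) if m else ""

def transplant_passphrase(old_conf, new_conf, old_name, new_name):
    """Copy the old profile's stored passphrase into the new profile; refuse
    when the stored formats differ (encoding may change between versions)."""
    old_value = extract_passphrase(old_conf, old_name)
    if secret_marker(old_value) != secret_marker(extract_passphrase(new_conf, new_name)):
        raise ValueError("stored secret formats differ; do not transplant")
    first, last = find_profile_block(new_conf, new_name)
    lines = new_conf.splitlines()
    for i in range(first, last + 1):
        if (m := PASSPHRASE_RE.match(lines[i])):
            lines[i] = f"{m.group('indent')}{m.group('key')} {old_value}"
    return "\n".join(lines) + "\n"
```

Run the result through the new box's configuration load in a maintenance window and be ready to fall back to a fresh passphrase if the old value is rejected.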