Use the following CLI syntax to enable encryption of the BOF (bof.cfg) using the AES-256-CBC cipher algorithm.
bof
encrypt {on | off}
After the BOF is encrypted, it can still be modified using the BOF interactive menu. Access to the BOF interactive menu is controlled using a password.
Use the following syntax to set the interactive menu password.
bof
password password [hash | hash2]
The password can be in one of the following formats:
a plaintext string between 8 and 32 characters; the plaintext string cannot contain embedded nulls or end with "hash" or "hash2"
a hashed string between 1 and 64 characters; the selected hashing scheme can be hash or hash2
The hash2 hashing scheme is node-specific: a password hashed with hash2 cannot be transferred to another node.
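The constraints above are easy to get wrong when a password is generated by a provisioning script, so the following added example (not code from the SR OS documentation or from Nokia) checks a candidate value against them before it is ever typed into the BOF menu. The length limits, the null rule, the trailing-keyword rule and the scheme names are taken from the text; the function name, the return format and the constructed sample values are this example's own assumptions.

```python
from typing import Optional, Tuple

# Limits and scheme names as stated in the documentation text above.
PLAINTEXT_MIN, PLAINTEXT_MAX = 8, 32
HASHED_MIN, HASHED_MAX = 1, 64
SCHEMES = ("hash", "hash2")


def check_bof_password(password: str, scheme: Optional[str] = None) -> Tuple[bool, str]:
    """Validate a BOF interactive-menu password (hypothetical helper, not a Nokia API).

    scheme=None means the value is plaintext; "hash" or "hash2" means the value is
    an already-hashed string that will be entered with that scheme keyword.
    Returns (ok, reason).
    """
    if scheme is None:
        # An embedded NUL would truncate or corrupt the stored string.
        if "\x00" in password:
            return False, "plaintext password contains an embedded null"
        if not PLAINTEXT_MIN <= len(password) <= PLAINTEXT_MAX:
            return False, f"plaintext password must be {PLAINTEXT_MIN}-{PLAINTEXT_MAX} characters"
        # A value ending in "hash"/"hash2" is ambiguous with the trailing scheme keyword
        # of "password password [hash | hash2]", which is why the text forbids it.
        if password.endswith(SCHEMES):
            return False, "plaintext password must not end with 'hash' or 'hash2'"
        return True, "ok"

    if scheme not in SCHEMES:
        return False, f"unknown hashing scheme {scheme!r}; expected one of {SCHEMES}"
    if not HASHED_MIN <= len(password) <= HASHED_MAX:
        return False, f"hashed password must be {HASHED_MIN}-{HASHED_MAX} characters"
    # Reminder for provisioning tooling: per the text, a hash2 value is node-specific,
    # so a hashed string accepted here is only valid on the node that produced it.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real node.
    for candidate, scheme in [
        ("Tr0ub4dor&3", None),
        ("short", None),
        ("secretvaluehash2", None),
        ("ab\x00cdefgh", None),
        ("x" * 64, "hash2"),
        ("x" * 65, "hash"),
    ]:
        print(repr(candidate)[:20], scheme, check_bof_password(candidate, scheme))
```

Run the check before issuing `bof password ...`; a rejected value costs a script nothing, whereas a value the CLI rejects interactively leaves the menu unprotected until someone notices.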
After the password is set, editing of the BOF during a boot process is allowed only if the password is entered correctly (the boot process can be interrupted to make BOF changes). If the password is not entered correctly within 30 s, the node reboots, whether or not the BOF is encrypted. This adds a layer of security that ensures the BOF is not exposed to an unauthorized user. After the system is booted, changes can be made to the BOF without entering the password.
After BOF encryption is configured, use the bof save command to save the encrypted file.