Exam 400-101 Question id=1185 VPN Technologies

Which of the following statements is correct regarding ISAKMP preshared keys that are stored in secure type 6 format?

A. The master key is stored in the router configuration and is encrypted with AES.
B. The master key can be changed after it has been created.
C. Deletion of the master key will unencrypt all of the encrypted passwords.
D. Keys are encrypted as soon as you issue the key config-key password-encryption master-key command.

The master key can be changed after it has been created. Internet Security Association and Key Management Protocol (ISAKMP) preshared key encryption can be used to encrypt and store keys in secure type 6 format. To enable ISAKMP preshared key encryption, issue the following commands:
key config-key password-encryption master-key
password encryption aes
The master key encrypts all of the other keys that are stored in the router configuration by using Advanced Encryption Standard (AES). Passwords are not encrypted until the password encryption aes command has been issued. The master key is not stored anywhere in the router configuration, nor can the master key be displayed.
To change the master key, issue the key config-key password-encryption command. You will be prompted once for the old master key and twice for the new master key. If you successfully authenticate the old key, the existing encrypted preshared keys will be encrypted with the new master key.
You can delete the master key by issuing the no key config-key password-encryption command. However, the existing encrypted preshared keys will not be unencrypted, and they cannot be used by the router. Issuing the no password encryption aes command will also not unencrypt the existing preshared keys; once they are encrypted with secure type 6 encryption, they cannot be unencrypted.


