Key Chain

Keychains provide a centralized mechanism for managing the cryptographic keys used for routing protocol authentication on NX-OS, enabling secure neighbor adjacency establishment for OSPF, IS-IS, BGP, and other protocols. Each keychain contains one or more keys identified by a numeric ID, each with a configurable cryptographic algorithm (md5, hmac-sha-1, hmac-sha-256, hmac-sha-384, hmac-sha-512, 3des, or aes) for varying levels of authentication strength. Each key also has an encryption type (unencrypted, type7, or type6) that determines how its key material is stored. Because a keychain can hold several keys, keys can be rotated and algorithms upgraded without disrupting routing protocol adjacencies.

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| key_chains | List | [key_chains] | No | |

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| keys | List | [keys] | No | |

keys (nxos.devices.configuration.key_chains)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | Integer | min: 0, max: 65535 | Yes | |
| cryptographic_algorithm | Choice | none, md5, hmac-sha-1, hmac-sha-256, hmac-sha-384, hmac-sha-512, 3des, aes | No | |
| encryption_type | Choice | unencrypted, type7, type6 | No | |
| key_string | String | | No | |

Example 1: OSPF authentication keychain with hmac-sha-256

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        key_chains:
          - name: OSPF-AUTH
            keys:
              - id: 1
                cryptographic_algorithm: hmac-sha-256
                encryption_type: type7
                key_string: 0739a6b5d4e1f208
```

Example 2: Multiple keychains for OSPF and BGP with key rotation support

```yaml
nxos:
  devices:
    - name: SPINE1
      configuration:
        key_chains:
          - name: OSPF-UNDERLAY-AUTH
            keys:
              - id: 1
                cryptographic_algorithm: hmac-sha-256
                encryption_type: type7
                key_string: 0739a6b5d4e1f208
              - id: 2
                cryptographic_algorithm: hmac-sha-256
                encryption_type: type7
                key_string: 1840b7c6e5f2a319
          - name: BGP-FABRIC-AUTH
            keys:
              - id: 10
                cryptographic_algorithm: hmac-sha-256
                encryption_type: type7
                key_string: 2951c8d7f6a3b420
```

Example 3: Keychain with multiple algorithm strengths for migration scenarios

```yaml
nxos:
  devices:
    - name: BORDER-LEAF1
      configuration:
        key_chains:
          - name: ISIS-DCI-AUTH
            keys:
              - id: 1
                cryptographic_algorithm: hmac-sha-512
                encryption_type: type6
                key_string: JDYkZHNmam...
          - name: MACSEC-KEYCHAIN
            keys:
              - id: 100
                cryptographic_algorithm: aes
                encryption_type: type6
                key_string: UjNwbGFjZW...
```