SNMP credential storage
I was digging around in the Cacti database and discovered that the SNMP v3 credentials and v2 community strings are stored in the database as plaintext. This raises a yellow flag to me because I consider that information as confidential as a local user account. In a perfect world, these credentials would restrict access with read-only permissions and limited views. However, I don't believe all my device administrators went to that effort all the time. Is there a way to encrypt this information at rest?
Re: SNMP credential storage
These are community strings, not passwords. They are stored in plain text on the devices you communicate with.
Storing them encrypted would just mean decrypting them to send them out in their original format.
--
Live fast, die young
You're sucking up my bandwidth.
J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
Re: SNMP credential storage
With v2 community strings I agree. However, with v3 Auth/Priv, those aren't both sent in the clear to the best of my understanding. On our switches for instance, I know the v3 credentials are encrypted at rest.
Re: SNMP credential storage
I misspoke when I said they were stored in plain text in v3 on the device.
However, they are sent to snmpwalk/snmpget in plain text, and hashed prior to transport. AFAIK, they cannot be sent as MD5 directly to snmpwalk, so they have to be stored in plain text.
--
Live fast, die young
You're sucking up my bandwidth.
J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
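The hashing step discussed in this thread, shown as an added example that is not part of the original posts or of Cacti's code: the RFC 3414 (appendix A.2) derivation that turns an SNMPv3 passphrase into a key localized to one device's engine ID. The function names are this example's own, and the passphrase and engine IDs are sample inputs (the first engine ID and the passphrase are the RFC's published test values).

```python
import hashlib

STREAM_LEN = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of repeated passphrase


def password_to_key(passphrase: bytes, algo: str = "md5") -> bytes:
    """Derive the master key Ku from a passphrase (RFC 3414 A.2).

    The passphrase is repeated cyclically until 1,048,576 bytes have been
    produced, and that stream is hashed with MD5 or SHA-1.
    """
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    if algo not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines only md5 and sha1")
    reps = STREAM_LEN // len(passphrase) + 1
    stream = (passphrase * reps)[:STREAM_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    if not engine_id:
        raise ValueError("engine ID must not be empty")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_localized(passphrase: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Passphrase -> key that authenticates packets to a single engine."""
    return localize_key(password_to_key(passphrase, algo), engine_id, algo)


# Sample inputs: passphrase and first engine ID are the RFC 3414 A.3 test
# values; the second engine ID is constructed for comparison.
SAMPLE_PASSPHRASE = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ka = derive_localized(SAMPLE_PASSPHRASE, ENGINE_A, algo)
        kb = derive_localized(SAMPLE_PASSPHRASE, ENGINE_B, algo)
        print(algo, "engine A:", ka.hex())
        print(algo, "engine B:", kb.hex())
```

The same passphrase yields an unrelated key for each engine ID, so a localized key identifies one device rather than every device that shares the passphrase.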