Technical Tip: FIPS-CC enabled FortiGates do not support the private-data-encryption feature
Description: This article describes an expected behavior for the private-data-encryption feature on FortiGates with FIPS-CC mode enabled.

Scope: FortiGate, FIPS-CC.

Solution:

FIPS-CC-enabled FortiGates do not support the private-data-encryption feature. This is true of the latest v6.4/v7.0 FIPS-certified and CVE-patched builds, and of GA firmware builds as well. It can be verified by running 'get system status' on a FIPS-CC-enabled FortiGate, where the 'Private Encryption' line is omitted; the option is also missing under 'config system global'.

The reason for this traces back to early historical decisions regarding the feature. For reference, the Private Encryption feature has existed in FortiOS since v5.4. It allows users to manually specify a 32-hexadecimal-character key that is used to symmetrically encrypt passwords in the FortiGate configuration (anything with the ENC prefix, with the notable exception of administrator passwords, which are hashed rather than encrypted).

In more recent history, it has come up as a mitigation option for FG-IR-19-007.

When v6.4, v7.0, and earlier versions were being assessed for FIPS-CC and FIPS 140-2 compliance, there were no regulations requiring this feature to be implemented. Additionally, the feature has caused issues/bugs in the past when enabled, so the FIPS development team opted against including it in FIPS-CC mode. At the time of this writing, there are no confirmed plans to add the feature to FIPS-CC-enabled FortiOS.

Related articles:
- Technical Tip: How to enable the private-data-encryption feature on a standalone FortiGate
- Technical Tip: Verify the private-data-encryption feature
- Technical Tip: How to restore a backup configuration file with private-data-encryption enabled?
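The practical consequence of the above is that a configuration backup taken from a GA unit with private-data-encryption enabled depends on a feature that a FIPS-CC target firmware does not expose. The following Python script is an added example (not Fortinet's code and not from the related articles) that checks for that mismatch before a restore: it looks for the 'Private Encryption' line in 'get system status' output, looks for 'set private-data-encryption enable' under 'config system global' in a backup, counts ENC-prefixed values outside the administrator section (admin passwords are hashed, as the article notes), and validates the 32-hexadecimal-character key format. The status and backup samples are constructed, the exact 'set private-data-encryption enable' syntax and the other status line names are assumptions, and the version/serial strings are placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample of 'get system status' from a FIPS-CC unit. Only the absence of the
# 'Private Encryption' line comes from the article; other line names are assumptions.
STATUS_FIPS_CC = """\
Version: FortiGate-VM64 v7.0.0,build0000,000000 (GA.F)
Serial-Number: FGT-SAMPLE-SERIAL
Hostname: fgt-fips-lab
Operation Mode: NAT
"""

# Constructed sample from a GA (non-FIPS) unit, where the line is present.
STATUS_GA = """\
Version: FortiGate-VM64 v7.0.0,build0000,000000 (GA.F)
Serial-Number: FGT-SAMPLE-SERIAL
Private Encryption: Disable
Hostname: fgt-ga-lab
Operation Mode: NAT
"""

# Constructed backup excerpt that relies on private-data-encryption (CLI key name assumed).
CONFIG_PDE = """\
#config-version=FGT-SAMPLE-7.0.0-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "fgt-ga-lab"
    set private-data-encryption enable
end
config user local
    edit "vpnuser1"
        set type password
        set passwd ENC c29tZS1jb25zdHJ1Y3RlZC12YWx1ZQ==
    next
end
config system admin
    edit "admin"
        set password ENC SH2-constructed-hash-value
    next
end
"""

# Same backup with the feature left at its default (no private-data-encryption line).
CONFIG_PLAIN = CONFIG_PDE.replace("    set private-data-encryption enable\n", "")


def parse_status(status_text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines of 'get system status' into a dict."""
    fields = {}
    for line in status_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def private_encryption_state(status_text: str) -> Optional[str]:
    """'Enable'/'Disable' when the line is present; None when the firmware omits it (FIPS-CC)."""
    return parse_status(status_text).get("Private Encryption")


def top_level_blocks(config_text: str) -> Dict[str, str]:
    """Split a FortiOS config into {section: body} for unindented 'config ... end' blocks."""
    blocks, name, body = {}, None, []
    for line in config_text.splitlines():
        if name is None:
            if line.startswith("config "):
                name, body = line[len("config "):].strip(), []
        elif line == "end":          # nested 'end' lines are indented, so this is top level
            blocks[name], name = "\n".join(body), None
        else:
            body.append(line)
    return blocks


def config_uses_private_encryption(config_text: str) -> bool:
    """True if 'config system global' enables private-data-encryption (syntax assumed)."""
    glob = top_level_blocks(config_text).get("system global", "")
    return re.search(r"^\s*set private-data-encryption enable\s*$", glob, re.M) is not None


def encrypted_secret_count(config_text: str) -> int:
    """Count ENC-prefixed values outside 'system admin', whose values are hashes, not ciphertext."""
    return sum(len(re.findall(r"\bENC\s+\S+", body))
               for name, body in top_level_blocks(config_text).items()
               if name != "system admin")


def is_valid_private_key(key: str) -> bool:
    """The feature takes a key of exactly 32 hexadecimal characters."""
    return re.fullmatch(r"[0-9A-Fa-f]{32}", key) is not None


def restore_check(status_text: str, config_text: str) -> str:
    """Classify a backup against the target device's status output before restoring it."""
    if not config_uses_private_encryption(config_text):
        return "ok: backup does not use private-data-encryption"
    state = private_encryption_state(status_text)
    if state is None:
        return ("blocked: backup uses private-data-encryption but the target firmware "
                "omits the feature (FIPS-CC)")
    return (f"needs-key: backup uses private-data-encryption "
            f"({encrypted_secret_count(config_text)} ENC values); target reports "
            f"Private Encryption: {state}")


if __name__ == "__main__":
    print(restore_check(STATUS_FIPS_CC, CONFIG_PDE))
    print(restore_check(STATUS_GA, CONFIG_PDE))
    print(restore_check(STATUS_FIPS_CC, CONFIG_PLAIN))
```

Run it against a real 'get system status' capture and a real backup by replacing the constructed strings; the 'blocked' verdict is the case this article describes, and the 'needs-key' verdict means the operator must have the original 32-character key available before the restore.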
