FortiAnalyzer
heng
Staff
Article Id 198060

Description


This article describes what must be done before restoring a backup configuration file that was taken with private-data-encryption enabled on FortiAnalyzer or FortiManager.

Solution


By default, FortiAnalyzer and FortiManager encrypt password data in the CLI configuration with a hard-coded cryptographic key (see FG-IR-19-007 in the reference below). Enabling private-data-encryption replaces that key with one supplied by the administrator, so sensitive values in the downloaded configuration file, for example the private key of the custom certificate used for GUI access or the RADIUS shared secret, are encrypted with a key that is unique to the unit rather than one shared by every unit of the same firmware.

The administrator must supply a 32-hexadecimal-digit (128-bit) encryption key. In the following example, private-data-encryption is enabled with the key 5fba34fa11f93bc0cf19ed8a831b6aeb. Record this key securely alongside the backup: the same key must be entered again on any unit that will restore a configuration taken while it was in effect.

 

fmg-faz # config system global
(global) set private-data-encryption enable
(global) end
Please type your private data encryption key (32 hexadecimal numbers):
5fba34fa11f93bc0cf19ed8a831b6aeb
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
5fba34fa11f93bc0cf19ed8a831b6aeb
Your private data encryption key is accepted.

 

If the running unit or VM instance is factory-reset, replaced under RMA, or re-deployed as a fresh VM, and a backup configuration file taken with private-data-encryption enabled is to be restored onto it, run the CLI configuration above ('set private-data-encryption enable', entering the same 32-hexadecimal-digit key that was in use when the backup was taken) before performing the restore.

Note.

If this step is skipped, the configuration file still restores, but the encrypted values in it are not decrypted correctly: RADIUS, LDAP and LDAPS connections fail because their secrets are wrong, and the custom certificate is missing after the restore.
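A pre-restore check, added here as an example and not part of the original article or of any Fortinet tooling: it validates the key format the CLI prompt asks for, and parses the output of 'show system global' (the sample output below is constructed, not captured from a real unit) to confirm private-data-encryption is enabled before an automated restore is attempted. The parser handles the 'config / edit / set / next / end' layout shown above; the function names are hypothetical, and the assumption that 'show' omits values left at their default is how FortiOS-style CLIs behave, so a missing line is treated as 'disable'.

```python
import re
import secrets

# Format demanded by the CLI prompt: exactly 32 hexadecimal digits (128 bits).
KEY_RE = re.compile(r"[0-9a-fA-F]{32}")


def valid_key(key: str) -> bool:
    """True if key is exactly 32 hex digits, the only form the prompt accepts."""
    return KEY_RE.fullmatch(key.strip()) is not None


def generate_key() -> str:
    """Random 128-bit key in the prompt's format. Store it in a vault next to the
    backup: the restoring unit must be given this exact value."""
    return secrets.token_hex(16)


def parse_cli_config(text: str) -> dict:
    """Minimal parser for FortiOS-style CLI config ('config ... / edit ... / set k v / next / end').
    Returns {section_path: {key: value}}; nested blocks are keyed by a '/'-joined path."""
    sections: dict = {}
    stack: list = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        kw = words[0]
        if kw == "config":
            stack.append(" ".join(words[1:]))
        elif kw == "edit":
            stack.append("edit " + " ".join(words[1:]).strip('"'))
        elif kw in ("end", "next"):
            if stack:
                stack.pop()
        elif kw == "set" and len(words) >= 3:
            path = "/".join(stack)
            sections.setdefault(path, {})[words[1]] = " ".join(words[2:]).strip('"')
        # 'unset' lines and anything else are ignored for this check
    return sections


def private_data_encryption_enabled(show_output: str) -> bool:
    """Assumption: 'show' prints only non-default values, so a missing line means the default (disable)."""
    glob = parse_cli_config(show_output).get("system global", {})
    return glob.get("private-data-encryption") == "enable"


def preflight_restore(show_output: str, key: str) -> list:
    """Problems that must be fixed before restoring a private-data-encryption backup.
    An empty list means the restore may proceed."""
    problems = []
    if not private_data_encryption_enabled(show_output):
        problems.append("private-data-encryption is not enabled: run "
                        "'config system global / set private-data-encryption enable / end' "
                        "with the key from the original unit before restoring")
    if not valid_key(key):
        problems.append("key must be exactly 32 hexadecimal digits")
    return problems


# Constructed sample output of 'show system global' on the unit the backup was taken from.
SHOW_ENABLED = """\
config system global
    set hostname "fmg-faz"
    set private-data-encryption enable
    set timezone 04
end
"""

# Constructed sample from the same unit after a factory reset: the line is gone,
# so the default (disable) applies and a restore would produce the failures described above.
SHOW_AFTER_RESET = """\
config system global
    set hostname "FortiAnalyzer-VM64"
end
"""

if __name__ == "__main__":
    key = "5fba34fa11f93bc0cf19ed8a831b6aeb"
    print("backup unit:", preflight_restore(SHOW_ENABLED, key) or "OK to restore")
    print("fresh unit: ", preflight_restore(SHOW_AFTER_RESET, key) or "OK to restore")
```

Run the check against the output of 'show system global' collected from the target unit over SSH; only proceed with the restore when preflight_restore returns an empty list.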

Reference.
https://www.fortiguard.com/psirt/FG-IR-19-007
