Description
This article describes how to enable private-data-encryption in an HA cluster, and how to recover a cluster that goes out of sync because the members do not share the same encryption key.
Scope
FortiGate.
Solution
When using an HA cluster, the private-data-encryption key is synchronized among the cluster members. In a redundant (HA) setup, the units must share the same key so that the encrypted configuration elements are synchronized correctly.
Note: Prior to FortiOS 6.2.5 and FortiOS 6.4.2, the private-data-encryption key was not automatically synchronized by HA.
The private data encryption feature on FortiGate devices is intended to improve security by encrypting sensitive configuration data (passwords, certificates, IPsec keys, and so on) stored on the device. This matters wherever unauthorized access to that data must be prevented, even if someone has physical access to the device or to a configuration backup.
A very common situation arises when the feature is enabled on an existing HA cluster (two or more units):
FG-Active # config system global
FG-Active (global) # set private-data-encryption enable
FG-Active (global) # end
Please type the private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
please re-enter the private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
The private data encryption key is accepted.
FG-Active #
FG-Backup # config system global
FG-Backup (global) # set private-data-encryption enable
FG-Backup (global) # end
FG-Backup # <----- No prompt for key.
As a result, on versions before FortiOS 6.2.5 and FortiOS 6.4.2, any subsequent change to an encrypted element (passwords, certificates, IPsec tunnel keys, etc.) in the configuration of the Active unit causes the cluster to become out-of-sync: the Backup unit was never given the same key, so it cannot produce matching encrypted values.
Note:
Starting from FortiOS v7.6.3, the private data encryption feature will be supported on devices that contain a Trusted Platform Module (TPM).
By default, the TPM is turned off. To activate it, set a 32-digit hexadecimal master-encryption-password, which encrypts sensitive data on the FortiGate using AES128-CBC. The TPM then creates a 2048-bit primary key that protects the master-encryption-password with RSA-2048 encryption: the master-encryption-password safeguards the data, while the primary key secures the master-encryption-password. See the document Trusted platform module support for more information.
To check whether the FortiGate has a TPM, verify that both of the following commands exist. If they do not, the platform does not support it:
diagnose hardware deviceinfo tpm
diagnose hardware test tpm
A temporary workaround for this out-of-sync condition is to disable, and then re-enable, private-data-encryption on the Active unit.
While it is disabled, the cluster synchronizes again because the elements are no longer encrypted with the key.
After re-enabling encryption, the key is again used only to encrypt the elements on the Active unit, so the next change to an encrypted element will put the cluster out of sync once more.
Permanent fix:
If the cluster is already formed, it must first be separated.
Once separated, enable private-data-encryption on the Backup unit, entering the same key that was used on the Active unit, and then rejoin it to the cluster.
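The permanent fix above as a complete CLI walkthrough, added here as an illustration and not taken from the original article. The hostnames FG-Active and FG-Backup, the HA group name, the a-p mode, the heartbeat interface port3 and the example key are assumptions; substitute the cluster's real values (the HA group-name, password and hbdev must match what is configured on the Active unit).

```fortios
# Step 1 (assumed starting point): on the Backup, confirm the cluster is out of sync.
# Members whose "all" checksum differs from the Active unit's are not synchronized.
FG-Backup # diagnose sys ha checksum cluster

# Step 2: separate the Backup unit from the cluster.
FG-Backup # config system ha
FG-Backup (ha) # set mode standalone
FG-Backup (ha) # end

# Step 3: enable private-data-encryption on the now-standalone unit.
# The unit prompts for the key because it is no longer a cluster member;
# enter exactly the same 32 hexadecimal digits that were entered on FG-Active.
FG-Backup # config system global
FG-Backup (global) # set private-data-encryption enable
FG-Backup (global) # end
Please type the private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
please re-enter the private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
The private data encryption key is accepted.

# Step 4: rejoin the cluster (values below are assumed; use the Active unit's HA settings).
FG-Backup # config system ha
FG-Backup (ha) # set mode a-p
FG-Backup (ha) # set group-name "ha-cluster"
FG-Backup (ha) # set password <ha-password>
FG-Backup (ha) # set priority 100
FG-Backup (ha) # set hbdev "port3" 50
FG-Backup (ha) # end

# Step 5: after the Backup has re-synchronized, verify from the Active unit
# that every member reports the same checksums.
FG-Active # get system ha status
FG-Active # diagnose sys ha checksum cluster
```

The key is entered on the Backup before it rejoins so that the configuration pushed by the Active unit during re-synchronization is decrypted and re-encrypted with an identical key; the key itself never appears in the synchronized configuration, which is why the checksums in Step 5 are the only practical way to confirm the two units now agree.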
Related articles:
Technical Tip: How to restore a backup configuration file with private-data-encryption enable?
Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate
Copyright 2025 Fortinet, Inc. All Rights Reserved.