Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff

Created on ‎03-08-2021 10:55 PM Edited on ‎01-08-2026 12:04 AM By Community Manager

Article Id 190039

Technical Tip: Enable private-data-encryption in HA cluster

Description


This article describes how to enable private data encryption in a HA cluster.

 

Scope

 

FortiGate.

Solution


When using an HA cluster, the keys used for private-data-encryption are synchronized among the units.
In a redundant setup (HA), the units must have the same key so that the encrypted elements are properly synchronized.

Note: Before FortiOS v6.2.5 and FortiOS v6.4.2, the private-data-encryption keys were not automatically synchronized by HA.

 

The private data encryption feature on FortiGate devices is intended to improve security by encrypting sensitive configuration data stored on the device. This feature is vital in situations where it is necessary to prevent unauthorized access to sensitive information, even if there is physical access to the device.


A very common situation happens when starting with an existing HA cluster (2 or more units):

  • The cluster is formed and synchronized.
  • It is then possible to enable private-data-encryption to improve the security.
  • Enabling private-data-encryption on the Active unit will prompt for the key to be used.

 

FG-Active # config system global
FG-Active (global) # set private-data-encryption enable
FG-Active (global) # end

Please type the private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter the private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef
The private data encryption key is accepted.
FG-Active #

 

  • At this point, the Backup unit(s) will have this setting activated, but the key is not synchronized.
  • Disabling and enabling the setting on the Backup unit will not generate a prompt to enter the key:

 

FG-Backup # config system global
FG-Backup (global) # set private-data-encryption enable
FG-Backup (global) # end
FG-Backup #  <----- No prompt for key.

 

As a result, after this point, before FortiOS v6.2.5 and FortiOS v6.4.2, further changes of encrypted elements (passwords, certificates, IPsec tunnel keys, etc.) in the configuration of the Active unit cause the cluster to become out-of-sync.

 

By default, the TPM is turned off. To activate it, establish a 32-digit hexadecimal master-encryption-password that encrypts sensitive data on the FortiGate using AES128-CBC. This password allows the TPM to create a 2048-bit primary key that secures the master-encryption-password with RSA-2048 encryption. The master-encryption-password safeguards the data, while the primary key secures the master-encryption-password. Check out this document for more information: Trusted platform module support.

 

Note:

A temporary workaround for this out-of-sync situation is to disable (and then re-enable) private-data-encryption on the Active unit.
Once disabled, the cluster will synchronize once again because no keys are used to encrypt the elements.
After re-enabling the encryption, the key is used only for the encryption of the elements on the Active unit.

Permanent fix:

  • Upgrade to FortiOS v6.2.5, FortiOS v6.4.2 (or newer).
  • Enable private-data-encryption on each unit separately, before connecting them in a HA cluster.

 

If the cluster is already formed, then it must first be separated.
Once separated, enable private-data-encryption on the Backup unit, using the same key as in Active.

 

Starting from v7.6.1, Administrators no longer have to manually enter a 32-digit hexadecimal private-data encryption key. Instead, the administrator simply enables the command, which generates a random private-date-encryption key. 


Starting from v7.6.3:

  • A setting for enabling/disabling private data encryption can be found in the GUI under System -> Settings in the Security section.
  • The private data encryption feature will be supported on devices that contain a Trusted Platform Module (TPM).

 

To check if the FortiGate device has a TPM, verify that all the following commands exist. Otherwise, the platform does not support it.

 

diagnose hardware deviceinfo tpm
diagnose hardware test tpm

 

Related articles:

Technical Tip: How to restore a backup configuration file with private-data-encryption enable?

Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate

Labels:
20801
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.