Created on 09-04-2024 09:36 AM
Edited on 04-24-2025 02:04 AM
By Jean-Philippe_P
Description
This article describes how to enable the private-data-encryption feature on a standalone FortiGate.
Scope
FortiGate v6.2+.
Solution
The Private Data Encryption feature on FortiGate devices is designed to enhance security by encrypting sensitive configuration data stored on the device. This feature is crucial in scenarios where preventing unauthorized access to sensitive information is essential, even in the event of physical access to the device.
With the Private Data Encryption feature enabled, passwords and private keys used in certificates on the FortiGate are encrypted using a predefined private key. They are encoded when displayed in the CLI and configuration files, ensuring they cannot be decrypted without the private key, and are never displayed in clear text. To restore a system from a configuration file on another FortiGate, the same private key is required.
By default, the Trusted Platform Module (TPM) is disabled. To enable it, set a 32-digit hexadecimal master encryption password, which encrypts sensitive data on the FortiGate using AES-128-CBC. This password is then used by TPM to generate a 2048-bit primary key, which secures the master encryption password through RSA-2048 encryption. The master encryption password protects the data, while the primary key protects the master encryption password.
Note that the TPM module does not encrypt the disk drive of eligible FortiGate devices.
To enable TPM and input the master-encryption-password:
config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.
Important note:
This is a 32-character key that the user must create and enter (hexadecimal: the digits 0-9 and the letters a-f). It is not a software-generated key and may not contain special characters (execute private-encryption-key sample: this command does not create an example key for use above).
If the key is forgotten, it can be changed; changing it does not prompt for the old key or password. However, the key is not saved in the configuration and cannot be shown or extracted.
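As an added example that is not part of this article or of FortiOS, the following Python script generates a random key in the exact form the prompt above asks for (32 hexadecimal digits) and checks a candidate key before it is typed in. The weak-key threshold and the lowercase normalisation are assumptions of the script, not FortiOS rules.

```python
import re
import secrets

# Format the FortiGate prompt asks for: exactly 32 hexadecimal digits
# (0-9, a-f), no special characters.
KEY_RE = re.compile(r"^[0-9a-f]{32}$")


def generate_private_data_encryption_key() -> str:
    """Return a random 32-hex-digit key (16 bytes, 128 bits) from a CSPRNG.

    Assumption (not a FortiOS feature): the key is created offline with the
    `secrets` module rather than typed by hand, so it has full entropy.
    """
    return secrets.token_hex(16)


def validate_private_data_encryption_key(candidate: str,
                                         min_distinct: int = 8) -> tuple[bool, str]:
    """Check a candidate key before it is entered at the FortiGate prompt.

    Returns (ok, reason). The candidate is normalised to lowercase before
    checking (assumption: the article lists only a-f and digits).
    min_distinct is an added weak-key heuristic, not a FortiOS requirement:
    it rejects keys such as 32 zeros or a short repeated pattern.
    """
    key = candidate.strip().lower()
    if len(key) != 32:
        return False, f"expected 32 hexadecimal digits, got {len(key)}"
    if not KEY_RE.fullmatch(key):
        return False, "only 0-9 and a-f are allowed (no special characters)"
    if len(set(key)) < min_distinct:
        return False, "too few distinct hex digits; choose a random key"
    return True, "ok"


if __name__ == "__main__":
    new_key = generate_private_data_encryption_key()
    print("generated key:", new_key, validate_private_data_encryption_key(new_key))
    # Constructed weak candidate: the prompt would accept it, the check does not.
    print("weak key:", validate_private_data_encryption_key("0" * 32))
```

Store the generated key in a secrets manager or offline vault; as the note above says, the FortiGate cannot show it back to you later.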
Additional note: With the release of FortiOS v7.6.1, Fortinet improved the private-data-encryption key feature. Administrators no longer have to manually enter a 32-digit hexadecimal private-data-encryption key. Instead, the administrator simply enables the command, which generates a random private-data-encryption key.
Related documents:
How to verify the Private Data Encryption Feature
How to enable private data encryption in HA Cluster
How to restore a backup configuration File with the private-data encryption feature
Thanks for sharing the details.