FortiGate
ESCHAN_FTNT
Staff
Article Id 195668

Description


This article explains how to restore a backup configuration file with private-data-encryption enabled, especially when the device has been factory-reset or replaced due to hardware failure.

 

Scope

 

FortiGate.

Solution


Enabling private-data-encryption applies stronger encryption to the downloaded configuration file. The user must supply a 32-digit hexadecimal encryption key. In the example below, private-data-encryption is enabled with the private key 0123456789abcdef0123456789abcdef:


Myvi-kvm21 # config system global
Myvi-kvm21 (global) # set private-data-encryption enable
Myvi-kvm21 (global) # end

Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef


Private data encryption key is accepted.


Myvi-kvm21 #

Backing up and restoring the configuration file after enabling private-data-encryption works the same as before on the specific FortiGate unit that holds the existing configuration.

If the unit is accidentally factory-reset, or a hardware failure forces a replacement of the unit, restoring the backup configuration file to the reset or replacement unit causes all encrypted passwords (except the system admin password) to be lost.


Below is the config file error in the console upon booting up:

 

Initializing firewall...
System is starting...
The config file may contain errors,
Please see details by the command 'diagnose debug config-error-log read'

Myvi-kvm21  login: admin
Password:
Welcome !

Myvi-kvm21 #
Myvi-kvm21 #diagnose debug config-error-log read


>>>  "set" "password" "ENC" "qO9BAPwPxcxcqTyPPZW+0gARH9M5l5kX/GzraBngXVH8FjY3W7KaRFj5nh9H1HVi5jO782uQafQXwmWT5KLpAy5V7upwEjJ28Kb ... @ 3386:vpn.certificate.local.Fortinet_SSL_DSA1024:value parse error (error -1)
>>>  "set" "password" "ENC" "obdYGqPnvT9V64HsxfAJhNT7VXYruL4MKHu+9WOY9ITiN4SvORcApBIFhzn64dzW/lI19obx7TUPpXnYEUJwuwbCRvHDhlYkzVK ... @ 3425:vpn.certificate.local.Fortinet_SSL_DSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "r+p5NxxzUFK6O8a0M3xxMJHqGvtXo6DmO2gcGAWrWXh4Iju2YBcnZYYR5kO+Hk7hcdWZgXHvkjVrWH0FBjklVCoIRQm9BHeY3iG ... @ 3508:vpn.certificate.local.Fortinet_SSL_ECDSA384:value parse error (error -1)
>>>  "set" "passwd" "ENC" "lzGCMBfrodsURT1xCHtj5nq5cSlnXM3zp6Ct2lnp51h8MHZVWtS9YWvLm4853xPPRJ4oXJ4pB+m6FWHkh65wTqg18C/V0t7BksuV4 ... @ 3924:user.local.guest:value parse error (error -1)
>>>  "set" "passwd" "ENC" "cRBllqO+/pVb8WdD68zZ/VjWSDGy8dPLcjdqFlkjsk1FkXj4p8DZDtockrn1GN5SVZ3PRYN75s2DxihBbUK/xeB3BxSqpuDB23BxA ... @ 3929:user.local.user1:value parse error (error -1)
>>>  "set" "psksecret" "ENC" "MjuFtXONDH83enX3ngZfbU5RjIK+x8D20codXMiYrlZQd2sHFG5OcEV37RqaVVJ7qhX+qrGusv9Zc8COfu2grKkKuxRCfx1b+D ... @ 4247:vpn.ipsec.phase1-interface.Alza-KVM36:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAG5mb1ysTHs/uN+44m+X7JQkftWaq37M9CNbv4rZIxTJcoJ/NfbH5VCR4pkZefI8/uXhnlKXKKpCZa4b9YQbkd+T2GMkBe9 ... @ 5764:firewall.ssh.local-key.Fortinet_SSH_RSA2048:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAK0XE9tZWVVyYj7YYwtmgczJ3Ne2MQ219Zc3V8oyG72zmB0a39ZhbRLES6rv0SrRNI4kxLvC6laqP0uRGJmkHUzSId5WR/b ... @ 5798:firewall.ssh.local-key.Fortinet_SSH_DSA1024:value parse error (error -1)
>>>  "set" "password" "ENC" "fwAAAEoa7GRu/hu3xCusPXdABnhOplM3L6x3muplV+e0kteSYyYYzBMOai5IvBDjkd+/7eHj0h0bvb/2cDRe1Hp/PyYd0cmMDCb ... @ 5825:firewall.ssh.local-key.Fortinet_SSH_ECDSA256:value parse error (error -1)
>>>  "set" "password" "ENC" "AAAAAb1LCwnuHcdxKkzDdvGBPryAfgMkF72Eh5vKPHq7TKidFPYLhpv3oDlFzccu/4gs6PeIoAKI4ZVu5M0PFSZj0xnROnFYXq7 ... @ 5925:firewall.ssh.local-ca.Fortinet_SSH_CA_Untrusted:value parse error (error -1)
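As an added example that is not part of the Fortinet article, the following Python script parses the 'diagnose debug config-error-log read' output shown above and turns it into a checklist of the objects whose secrets must be re-entered after a restore with a mismatched key. The regular expression, the LostSecret type and the sample lines (copied from the output above with shortened blobs) are my own; the assumption that the last dotted path component is the table entry name is noted in the code.

```python
import re
from typing import List, NamedTuple
# One rejected value from 'diagnose debug config-error-log read': an ENC blob the
# unit could not decrypt because its private data encryption key differs.
class LostSecret(NamedTuple):
    line: int       # line of the restored config where the value sat
    attribute: str  # attribute whose value was dropped (password, passwd, psksecret)
    table: str      # CLI table, e.g. "vpn certificate local"
    entry: str      # object name inside that table

# Accepts both the console's truncated blob ("... @") and a fully quoted blob.
_ERR = re.compile(
    r'^>>>\s+"set"\s+"(?P<attr>[\w-]+)"\s+"ENC"\s+"[^"\s]+"?\s*(?:\.\.\.)?\s*@\s*'
    r'(?P<line>\d+):(?P<path>[^:]+):value parse error \(error -?\d+\)'
)

def parse_config_error_log(text: str) -> List[LostSecret]:
    """Return every ENC value the config parser rejected, in log order."""
    found = []
    for raw in text.splitlines():
        m = _ERR.match(raw.strip())
        if not m:
            continue  # unrelated diagnostic lines are skipped
        # Assumption: the last dotted component is the entry name and entry names
        # contain no dots; everything before it is the CLI table path.
        table, _, entry = m.group("path").rpartition(".")
        found.append(LostSecret(int(m.group("line")), m.group("attr"),
                                table.replace(".", " "), entry))
    return found

def reentry_checklist(secrets: List[LostSecret]) -> str:
    """Render a CLI skeleton of every secret that has to be re-entered by hand."""
    by_table: dict = {}  # insertion-ordered, so tables appear in log order
    for s in secrets:
        by_table.setdefault(s.table, []).append(s)
    out = []
    for table, items in by_table.items():
        out.append(f"config {table}")
        for s in items:
            out += [f"    edit {s.entry}", f"        set {s.attribute} <re-enter>", "    next"]
        out.append("end")
    return "\n".join(out)

# Constructed sample: three lines copied from the console output above, blobs shortened.
SAMPLE_LOG = """
>>>  "set" "password" "ENC" "qO9BAPwPxcxcqTyPPZW+0gARH9M5 ... @ 3386:vpn.certificate.local.Fortinet_SSL_DSA1024:value parse error (error -1)
>>>  "set" "passwd" "ENC" "lzGCMBfrodsURT1xCHtj5nq5cSln ... @ 3924:user.local.guest:value parse error (error -1)
>>>  "set" "psksecret" "ENC" "MjuFtXONDH83enX3ngZfbU5RjIK+ ... @ 4247:vpn.ipsec.phase1-interface.Alza-KVM36:value parse error (error -1)
"""
```

Running `print(reentry_checklist(parse_config_error_log(SAMPLE_LOG)))` prints a config/edit/set/next/end skeleton per affected table, which can be used as a worksheet for re-entering the certificate passwords, local-user passwords and IPsec pre-shared keys.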

To restore the configuration on a factory-reset unit or on another FortiGate unit, the user must set the same private key first, before restoring the configuration file.


Myvi-kvm21 # config system global
Myvi-kvm21 (global) # set private-data-encryption enable
Myvi-kvm21 (global) # end

Please type your private data encryption key (32 hexadecimal numbers):
0123456789abcdef0123456789abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
0123456789abcdef0123456789abcdef


The private data encryption key is accepted.

After the same private data encryption key is entered, the configuration file can be restored as usual.

 

Restoring the backup configuration without first setting the private key results in the following error in the GUI:
'The configuration was encrypted with a private encryption key but encryption is not enabled. Required: Enable private-data-encryption under system global.'