FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 214124

This article describes how to verify the 'private data encryption' option also known as 'Secure password storage'. 

By default, passwords and the private keys of local certificates stored on the FortiGate are encrypted with a predefined key built into FortiOS and are shown only in encoded form in the CLI and in the configuration file. Enabling private data encryption replaces that predefined key with a user-supplied master encryption key.

Encrypted values cannot be decrypted without that key and are never displayed in clear text. Restoring such a configuration file onto another FortiGate requires the same key to be configured on that unit first.

In an HA cluster, the same key must be used on all units.
FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, from which the master encryption key is derived, in the TPM.


After configuring the custom private data encryption key (32 hexadecimal characters), use the following command to generate a sample and confirm that the feature is active:


exec private-encryption-key sample


Example of successful activation:

exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=


Output when the feature is not enabled:

exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7


Note down the B64TEXT and B64HMAC values from the sample above, then run the command below to verify them against the key currently configured on the unit. The same pair can be verified on a second FortiGate (for example a replacement unit or a new HA member) once the key has been entered there: a passing result shows that both units hold the same key, which is what restoring the configuration file on that unit requires.



exec private-encryption-key verify <B64TEXT> <B64HMAC>

exec private-encryption-key verify oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I= /4e77yCRzi6hunROBDm+/97bthc=
Verification passed.




The current state can also be read from the system status without generating a sample:

get system status | grep "Private Encryption"
Private Encryption: Enable

Passwords and keys that can be encrypted by the master-encryption-key include:


  • Alert email user's password.
  • BGP and other routing-related passwords.
  • External resource password.
  • FortiGuard proxy password.
  • FortiToken/FortiToken Mobile seed.
  • HA password.
  • IPsec pre-shared key.
  • Link Monitor server-side password.
  • Local certificate's private key.
  • Local, LDAP, RADIUS, FSSO, and other user category-related passwords.
  • Modem/PPPoE password.
  • NST password.
  • NTP password.
  • SDN connector server-side password.
  • SNMP community strings and SNMPv3 user passwords.
  • Wireless security-related passwords.


Alternatively, download a backup after enabling the master-encryption-key and check that every item in the list above appears only in encrypted form, and that the file cannot be read or decrypted without the master key.
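The following script, added here as an example and not Fortinet's own tooling, performs the backup check above offline: it walks a plain-text FortiOS backup, reports any secret-bearing attribute that is not stored as `ENC <base64>` (or whose `ENC` payload is not valid base64), and flags a local certificate private key that is not an encrypted PEM block. It assumes the `set <attribute> ENC <base64>` layout of FortiOS backups; the attribute names in SENSITIVE_ATTRS and the header marker `#private-encryption-key=yes` are assumptions to confirm against your firmware version. Note the caveat built into the design: values are ENC-encoded even with the predefined key, so the presence of `ENC` alone does not prove the custom key was in use; that is what the header marker and `get system status` on the device are for.

```python
"""Offline audit of a FortiGate configuration backup for unencrypted secrets.

Added example for this article; not Fortinet code. Assumes the plain-text
FortiOS backup format in which encrypted attributes are written as
`set <attribute> ENC <base64>` and a local certificate's private key is a PEM
block that should read `BEGIN ENCRYPTED PRIVATE KEY`. The header marker
`#private-encryption-key=yes` and the attribute names in SENSITIVE_ATTRS are
assumptions to adjust for your firmware version.
"""
import base64
import binascii
import re

# Attributes expected to carry a secret stored as "ENC <base64>" (assumed list:
# LDAP/RADIUS/local user passwords, IPsec PSK, SNMPv3 auth/priv, FortiToken seed).
SENSITIVE_ATTRS = {"password", "secret", "psksecret", "auth-pwd", "priv-pwd", "seed"}
SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def private_encryption_enabled(config_text):
    """True if the backup header carries the (assumed) custom-key marker."""
    for line in config_text.splitlines():
        if not line.startswith("#"):
            break  # the header block ends at the first non-comment line
        if line.strip() == "#private-encryption-key=yes":
            return True
    return False


def _is_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_plaintext_secrets(config_text):
    """Return (line_no, attribute, reason) for every secret not stored encrypted."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        m = SET_LINE.match(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2)
        if attr in SENSITIVE_ATTRS:
            if not value.startswith("ENC "):
                findings.append((no, attr, "value is not ENC-encoded"))
            elif not _is_base64(value[4:].strip('"')):
                findings.append((no, attr, "ENC payload is not valid base64"))
        elif attr == "private-key":
            # Only the first PEM line is on the "set" line; that is enough to tell
            # an encrypted PKCS#8 block from a raw RSA/PKCS#8 key.
            if "BEGIN" in value and "ENCRYPTED PRIVATE KEY" not in value:
                findings.append((no, attr, "certificate private key is not encrypted"))
    return findings


def audit(config_text):
    """Summarise the header marker and any clear-text findings for a backup."""
    return {
        "private_encryption": private_encryption_enabled(config_text),
        "findings": find_plaintext_secrets(config_text),
    }


# Constructed sample backup fragment (not a real device export): one properly
# encrypted PSK, one clear-text LDAP password, one unencrypted certificate key.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.0.12-FW-build0523-230515:opmode=0:vdom=0:user=admin
#private-encryption-key=yes
config system global
    set hostname "fgt-lab"
end
config vpn ipsec phase1-interface
    edit "site-b"
        set psksecret ENC Zm9yIGlsbHVzdHJhdGlvbiBvbmx5
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
        set password "Summer2024!"
    next
end
config vpn certificate local
    edit "web"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----"
    next
end
"""

if __name__ == "__main__":
    result = audit(SAMPLE_BACKUP)
    print("private-encryption-key header present:", result["private_encryption"])
    for no, attr, reason in result["findings"]:
        print(f"line {no}: {attr}: {reason}")
```

Run it against a real backup with `audit(open("backup.conf").read())`; an empty findings list together with a present header marker is the expected result after enabling the feature. The script never tries to decrypt anything, which is the point: a backup taken with private data encryption enabled is only usable on a unit that already holds the same key.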

