lcamilo, Staff
Article Id 214124

Description

This article describes how to verify the 'private data encryption' option, also known as 'Secure password storage'.

Scope

FortiGate.

Solution

Passwords, and the private keys used in certificates, that are stored on the FortiGate are encrypted using a predefined private key and are encoded when displayed in the CLI and in the configuration file.

Passwords cannot be decrypted without the private key and are not shown anywhere in clear text. The private key is required on other FortiGates to restore the system from a configuration file.

In an HA cluster, the same key should be used on all of the units.
FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM. 

After configuring the custom 32-character hexadecimal private data encryption key, use the following command to test the key generation:

exec private-encryption-key sample

Note:

This does not generate an example key that can be used. It only tests the functionality of the key that has already been set up.

Example of successful activation:

exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=

Example when private data encryption is not enabled:

exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7

Note down the B64TEXT and B64HMAC sample values above, then run the command below to verify the feature:

exec private-encryption-key verify <B64TEXT> <B64HMAC>

exec private-encryption-key verify oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I= /4e77yCRzi6hunROBDm+/97bthc=
Verification passed.

or check the system status:

get system status | grep "Private Encryption"
Private Encryption: Enable

Passwords and keys that can be encrypted by the master-encryption-key include:

  • Alert email user's password.
  • BGP and other routing-related configurations.
  • External resource.
  • FortiGuard proxy password.
  • FortiToken/FortiToken Mobile’s seed.
  • HA password.
  • IPsec pre-shared key.
  • Link Monitor, server-side password.
  • Local certificate's private key.
  • Local, LDAP, RADIUS, FSSO, and other user category-related passwords.
  • Modem/PPPoE.
  • NST password.
  • NTP Password.
  • SDN connector, server-side password.
  • SNMP.
  • Wireless Security related password.

Alternatively, download a backup after enabling the master-encryption-key and verify that the items above are encrypted and cannot be read or decrypted without the master key.
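As an added example (not from this article or from Fortinet), the Python below walks a downloaded backup and reports every secret-bearing attribute that is still in cleartext. The attribute set, the 'ENC <base64>' value layout and the quoted PEM layout of 'private-key' are assumptions about the backup format, and the config excerpt is constructed. An ENC prefix only shows that a value is encoded; whether it was encrypted with the custom key is what 'exec private-encryption-key verify' confirms.

```python
import base64, binascii, re
# Attributes FortiOS stores encoded: an assumed subset of the categories listed
# in this article; extend it for other secret-bearing attributes.
SECRET_ATTRS = {"password", "passwd", "psksecret", "private-key"}
LINE_RE = re.compile(r"^\s*(config|edit|next|end|set)\b\s*(.*)$")

def _encoded(attr, value):
    if attr == "private-key":  # PEM block; only its first line is checked
        return value.startswith('"-----BEGIN ENCRYPTED PRIVATE KEY-----')
    try:  # otherwise 'ENC' must be followed by a well-formed base64 blob
        return value.startswith("ENC ") and bool(base64.b64decode(value[4:], validate=True))
    except (binascii.Error, ValueError):
        return False

def audit_config(text):
    """Return (path, attribute, 'encoded'|'cleartext') per secret attribute."""
    findings, stack = [], []  # stack holds the enclosing config/edit names
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kw, rest = m.group(1), m.group(2).strip()
        if kw in ("config", "edit"):
            stack.append(rest.strip('"'))
        elif kw in ("next", "end") and stack:
            stack.pop()
        elif kw == "set":
            attr, _, value = rest.partition(" ")
            if attr in SECRET_ATTRS:
                state = "encoded" if _encoded(attr, value.strip()) else "cleartext"
                findings.append((" / ".join(stack), attr, state))
    return findings
# Constructed config excerpt (not a real backup); the ENC blob is a dummy.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC U2FtcGxlT25seQ==
    next
    edit "legacy-import"
        set password clear-text-secret
    next
end
config vpn certificate local
    edit "Fortinet_Factory"
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBdummy
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
"""
```

Run audit_config() over the text of a real backup; any 'cleartext' finding is an item the master key is not protecting.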

Related articles:

Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate

Technical Tip: Enable private-data-encryption in HA cluster

FOS 6.2.9 Trusted platform module support.

FOS 7.2.0 Hardening and Best Practices.

How to restore a backup configuration file with private-data-encryption enable.

Use of a hard-coded cryptographic key to cipher sensitive data in CLI configuration.