lcamilo
Staff

Description


This article describes how to verify the 'private data encryption' option also known as 'Secure password storage'. 

Scope


The passwords, and the private keys of certificates, that are stored on the FortiGate are encrypted using a predefined private key and are shown only in encoded form in the CLI and in the configuration file.

Passwords cannot be decrypted without the private key and are not shown anywhere in clear text. The private key is required on other FortiGates to restore the system from a configuration file.

In an HA cluster, the same key should be used on all of the units.
FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM. 


Solution


After configuring the custom 32-character hexadecimal private data encryption key, use the following command to test the feature.


# exec private-encryption-key sample


Example of successful activation:


# exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=


Example output when the feature is not enabled:


# exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7


Note down the B64TEXT and B64HMAC values from the sample output above, then run the command below to verify the feature:


# exec private-encryption-key verify <B64TEXT> <B64HMAC>

# exec private-encryption-key verify oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I= /4e77yCRzi6hunROBDm+/97bthc=
Verification passed.

Alternatively, confirm that the feature is enabled from the system status:

# get system status | grep "Private Encryption"
Private Encryption: Enable
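The check above is normally done by hand on the CLI. As an added example (not part of this article or of FortiOS), the script below parses the two possible outputs of `exec private-encryption-key sample` and of the status line as they appear above, distinguishes the enabled and not-enabled cases (including the "Return code 7" failure), decodes both base64 values to confirm they are well formed, and assembles the matching `verify` command so the sample and verify steps can be scripted consistently. The sample outputs embedded in it are constructed copies of the shapes shown in this article; the decoded lengths it reports (32 bytes of ciphertext, 20 bytes of HMAC) are simply what those values contain, and nothing about the device's internal algorithms is assumed.

```python
import base64
import re

# Constructed sample outputs, copied from the shapes shown in this article.
SAMPLE_ENABLED = """# exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=
"""

SAMPLE_DISABLED = """# exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7
"""

STATUS_LINE = "Private Encryption: Enable"

# One "KEY: value" pair per line; the "# exec ..." echo line does not match.
_B64_RE = re.compile(r"^(B64TEXT|B64HMAC):\s*(\S+)\s*$", re.MULTILINE)


def parse_sample(output: str) -> dict:
    """Parse the output of 'exec private-encryption-key sample'.

    Returns a dict with 'enabled', 'b64text', 'b64hmac' and 'return_code'.
    """
    result = {"enabled": False, "b64text": None, "b64hmac": None, "return_code": None}
    m = re.search(r"Return code (\d+)", output)
    if m:
        result["return_code"] = int(m.group(1))
    if "Private encryption is not enabled" in output:
        return result
    fields = dict(_B64_RE.findall(output))
    if "B64TEXT" in fields and "B64HMAC" in fields:
        result.update(enabled=True, b64text=fields["B64TEXT"], b64hmac=fields["B64HMAC"])
    return result


def decoded_lengths(sample: dict) -> tuple:
    """Decode both values strictly (validate=True rejects non-base64 characters)
    and return (ciphertext_len, hmac_len) in bytes."""
    text = base64.b64decode(sample["b64text"], validate=True)
    mac = base64.b64decode(sample["b64hmac"], validate=True)
    return len(text), len(mac)


def build_verify_command(sample: dict) -> str:
    """Assemble the CLI verify command for a parsed, enabled sample."""
    if not sample["enabled"]:
        raise ValueError("private-data-encryption is not enabled; nothing to verify")
    return f"exec private-encryption-key verify {sample['b64text']} {sample['b64hmac']}"


def status_enabled(status_output: str) -> bool:
    """True when 'get system status' reports 'Private Encryption: Enable'."""
    m = re.search(r"Private Encryption:\s*(\w+)", status_output)
    return bool(m) and m.group(1).lower() == "enable"


if __name__ == "__main__":
    s = parse_sample(SAMPLE_ENABLED)
    print("enabled:", s["enabled"], "decoded lengths:", decoded_lengths(s))
    print(build_verify_command(s))
    d = parse_sample(SAMPLE_DISABLED)
    print("enabled:", d["enabled"], "return code:", d["return_code"])
    print("status says enabled:", status_enabled(STATUS_LINE))
```

Feed it the real output captured from the device (for example via a session log) in place of the constructed strings; a `ValueError` from `base64.b64decode` means the values were mangled in transit and should be re-read before running `verify`.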

Passwords and keys that can be encrypted by the master-encryption-key include:

- Admin password.

- Alert email user's password.

- BGP and other routing-related configurations.

- External resource.

- FortiGuard proxy password.

- FortiToken/FortiToken Mobile’s seed.

- HA password.

- IPsec pre-shared key.

- Link Monitor, server-side password.

- Local certificate's private key.

- Local, LDAP, RADIUS, FSSO, and other user category-related passwords.

- Modem/PPPoE.

- NST password.

- NTP Password.

- SDN connector, server-side password.

- SNMP.

- Wireless Security related password.

Alternatively, download a backup after enabling the master-encryption-key and verify that the items above are encrypted and cannot be read or decrypted without the master key.

Related Articles

- FOS 6.2.9 Trusted platform module support

- FOS 7.2.0 Hardening and Best Practices

- Enable private-data-encryption in HA cluster

- How to restore a backup configuration file with private-data-encryption enable

- https://www.fortiguard.com/psirt/FG-IR-19-007
