Description
This article describes how to verify that the 'private data encryption' option, also known as 'Secure password storage', is active on a FortiGate.
Scope
FortiGate.
Solution
Passwords, and the private keys used in certificates, that are stored on the FortiGate are encrypted with a predefined key and appear only in encoded form in the CLI and in the configuration file. Enabling private data encryption replaces that predefined key with a custom master encryption key.
Passwords cannot be decrypted without that key and are never shown in clear text. The same key is required on another FortiGate before a configuration file taken from this unit can be restored there.
In an HA cluster, the same key should be configured on all units.
FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM.
After configuring the custom 32-character hexadecimal private data encryption key, use the following command to test the feature:
exec private-encryption-key sample
Example of successful activation:
exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=
Not Enabled:
exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7
Note down the B64TEXT and B64HMAC sample values printed above, then run the command below to verify the feature:
exec private-encryption-key verify <B64TEXT> <B64HMAC>
exec private-encryption-key verify oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I= /4e77yCRzi6hunROBDm+/97bthc=
Verification passed.
Alternatively, check the 'Private Encryption' line of the system status output:
get system status | grep "Private Encryption"
Private Encryption: Enable
Passwords and keys that can be encrypted by the master-encryption-key include:
Alternatively, download a backup after enabling the master-encryption-key and verify that the items above appear only in encrypted form and cannot be read or decrypted without the master key.
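Checking a downloaded backup by eye does not scale, so the following Python is an added example, not Fortinet code, that scans a plain-text backup for secret-carrying settings whose value is not in encrypted form. It assumes the backup format in which encrypted credentials appear as 'set <name> ENC <base64>' and certificate private keys as a quoted PEM block, and it uses an assumed, non-exhaustive list of setting names; the configuration excerpt is constructed for the demonstration. A clean result shows that no secret is stored in clear text; it does not by itself prove that the custom master key rather than the predefined key was used, which is what the 'exec private-encryption-key' commands confirm.

```python
"""Scan a FortiGate configuration backup for secrets not stored encrypted.

Added example for this article, not Fortinet code. Assumed backup format:
encrypted values look like 'set <name> ENC <base64>', and certificate private
keys are quoted PEM blocks that may span several lines.
"""
import re
from typing import List, Tuple

# Constructed excerpt of a backup: two properly encrypted passwords, one
# encrypted PEM key, one clear-text IPsec PSK and one clear-text RSA key.
BACKUP_SAMPLE = """config system admin
    edit "admin"
        set password ENC SH2l9rS8bQWJq0qFqsbJ1RcQ+BvzkYo=
    next
end
config vpn certificate local
    edit "example-cert"
        set password ENC QUFBQUFBQUFBQUFBQUFBQQ==
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set psksecret mysharedsecret
    next
end
config vpn certificate local
    edit "legacy-cert"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----"
    next
end
"""

# Assumed, non-exhaustive list of settings that carry credentials or keys.
SECRET_KEYS = {"password", "passwd", "psksecret", "secret", "private-key",
               "auth-password", "priv-password", "key"}

_SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")
_ENC_LINE = re.compile(r"^\s*set\s+\S+\s+ENC\s+[A-Za-z0-9+/]+=*\s*$")


def pem_is_encrypted(pem_lines: List[str]) -> bool:
    """PKCS#8 encrypted keys say so in the header; legacy PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' line just after the BEGIN line."""
    if "ENCRYPTED PRIVATE KEY" in pem_lines[0]:
        return True
    return any(l.strip().startswith("Proc-Type: 4,ENCRYPTED") for l in pem_lines[1:4])


def find_cleartext_secrets(config: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, setting, detail) for every secret-carrying setting
    whose value is neither ENC-encoded nor an encrypted PEM private key."""
    findings: List[Tuple[int, str, str]] = []
    in_pem = False
    pem_lines: List[str] = []
    pem_start, pem_name = 0, ""
    for lineno, line in enumerate(config.splitlines(), 1):
        if in_pem:
            pem_lines.append(line)
            if "-----END" in line:
                in_pem = False
                if not pem_is_encrypted(pem_lines):
                    findings.append((pem_start, pem_name, "clear-text PEM private key"))
            continue
        m = _SET_LINE.match(line)
        if not m or m.group(1) not in SECRET_KEYS:
            continue
        name, value = m.group(1), m.group(2).strip()
        if _ENC_LINE.match(line):
            continue  # stored in encrypted form
        if value.startswith('"-----BEGIN'):
            in_pem, pem_lines, pem_start, pem_name = True, [value], lineno, name
            continue
        findings.append((lineno, name, value))
    return findings


def backup_is_clean(config: str) -> bool:
    """True when every secret-carrying setting is stored encrypted."""
    return not find_cleartext_secrets(config)


if __name__ == "__main__":
    for lineno, name, detail in find_cleartext_secrets(BACKUP_SAMPLE):
        print(f"line {lineno}: {name} -> {detail}")
    print("clean:", backup_is_clean(BACKUP_SAMPLE))
```

Run it against a real backup by reading the file into find_cleartext_secrets(); extend SECRET_KEYS with any further credential settings present in your configuration, since a name missing from that list is silently skipped.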
Related articles:
Copyright 2024 Fortinet, Inc. All Rights Reserved.