Description
This article describes how to verify the 'private data encryption' option, also known as 'Secure password storage'.
Scope
FortiGate.
Solution
Passwords, and the private keys used in certificates, that are stored on the FortiGate are encrypted using a predefined private key and are shown encoded in the CLI and in the configuration file.
Passwords cannot be decrypted without the private key and are never shown in clear text. The same private key is required on another FortiGate to restore the system from a configuration file.
In an HA cluster, the same key should be used on all of the units.
FortiGate models with a Trusted Platform Module (TPM) can store the master encryption password, which is used to generate the master encryption key, on the TPM.
After configuring the custom 32-character hexadecimal private-data-encryption key, use the following command to test that key generation works:
exec private-encryption-key sample
Note:
This does not generate an example key that can be used; it only tests that the key already configured works.
Example of successful activation:
exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=
Output when the feature is not enabled:
exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7
Note the B64TEXT and B64HMAC values from the sample output above, then run the following command to verify the feature:
exec private-encryption-key verify <B64TEXT> <B64HMAC>
exec private-encryption-key verify oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I= /4e77yCRzi6hunROBDm+/97bthc=
Verification passed.
Alternatively, check the system status:
get system status | grep "Private Encryption"
Private Encryption: Enable
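As an added example (not from the article and not Fortinet's code), the following Python script does two things an operator automating this check would want. First, it parses the output of 'exec private-encryption-key sample' into the enabled and not-enabled cases and confirms that the two base64 values decode cleanly (the article's own sample decodes to 32 and 20 bytes). Second, it models the sample/verify pair as an encrypt-then-MAC self-test, which makes visible why verification fails under a different key, and therefore why HA members and any FortiGate restoring the backup must share the same key. The construction in make_sample and verify_sample is an assumption for illustration only: FortiOS's real algorithm is not documented on this page, and the function names and the 16-byte sample plaintext are constructed here.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# CLI output copied from the article; the two base64 values are the article's
# published example, not values generated by this script.
SAMPLE_OUTPUT_ENABLED = """exec private-encryption-key sample
B64TEXT: oR3J+DhKPF4xSFDZv43o/pkRBCTop+4w1IU8OEaLh5I=
B64HMAC: /4e77yCRzi6hunROBDm+/97bthc=
"""
SAMPLE_OUTPUT_DISABLED = """exec private-encryption-key sample
Private encryption is not enabled.
Command fail. Return code 7
"""

KEY_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")       # 32 hex chars = 16-byte key
_FIELD_RE = re.compile(r"^(B64TEXT|B64HMAC):\s*(\S+)", re.MULTILINE)
_SAMPLE_PLAINTEXT = b"PDE sample text!"             # constructed, exactly 16 bytes


def parse_sample_output(output: str) -> dict:
    """Classify the output of 'exec private-encryption-key sample'.

    Returns {'enabled': False} for the not-enabled case; otherwise returns the
    two base64 fields plus their decoded lengths, so a script can sanity-check
    them before handing them to the verify command.
    """
    if "Private encryption is not enabled." in output:
        return {"enabled": False}
    fields = dict(_FIELD_RE.findall(output))
    if "B64TEXT" not in fields or "B64HMAC" not in fields:
        raise ValueError("B64TEXT/B64HMAC not found in sample output")
    text = base64.b64decode(fields["B64TEXT"], validate=True)
    tag = base64.b64decode(fields["B64HMAC"], validate=True)
    return {
        "enabled": True,
        "b64text": fields["B64TEXT"],
        "b64hmac": fields["B64HMAC"],
        "text_len": len(text),
        "hmac_len": len(tag),
    }


def _key_bytes(key_hex: str) -> bytes:
    """Accept only the 32-hex-character key format the article describes."""
    if not KEY_HEX_RE.match(key_hex):
        raise ValueError("private-data-encryption key must be 32 hex characters")
    return bytes.fromhex(key_hex)


def make_sample(key_hex: str, nonce: Optional[bytes] = None) -> Tuple[str, str]:
    """Toy model of 'sample': encrypt a fixed block under the key, then MAC it.

    Assumed construction (NOT FortiOS's): blob = nonce(16) || (plaintext XOR
    SHA-256(key || nonce)[:16]), tag = HMAC-SHA1(key, blob). The 32-byte blob
    and 20-byte tag match the article's sample lengths only because they were
    chosen to; the real algorithm is not documented on the page.
    """
    key = _key_bytes(key_hex)
    nonce = os.urandom(16) if nonce is None else nonce
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    keystream = hashlib.sha256(key + nonce).digest()[:16]
    blob = nonce + bytes(p ^ k for p, k in zip(_SAMPLE_PLAINTEXT, keystream))
    tag = hmac.new(key, blob, hashlib.sha1).digest()
    return base64.b64encode(blob).decode(), base64.b64encode(tag).decode()


def verify_sample(key_hex: str, b64text: str, b64hmac: str) -> bool:
    """Toy model of 'verify': recompute the tag under the local key and compare
    in constant time. A unit holding a different key gets a different tag."""
    key = _key_bytes(key_hex)
    blob = base64.b64decode(b64text, validate=True)
    expected = hmac.new(key, blob, hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(b64hmac, validate=True))


if __name__ == "__main__":
    print(parse_sample_output(SAMPLE_OUTPUT_ENABLED))
    print(parse_sample_output(SAMPLE_OUTPUT_DISABLED))
    key_a = "0123456789abcdef0123456789abcdef"   # constructed keys, not real ones
    key_b = "fedcba9876543210fedcba9876543210"
    text, tag = make_sample(key_a)
    print("same key verifies:", verify_sample(key_a, text, tag))
    print("other key verifies:", verify_sample(key_b, text, tag))
```

The parser is the part worth keeping in an operations script: it distinguishes "not enabled" from a malformed sample and refuses base64 that does not decode, so a failed verify is never blamed on a copy-paste error. The model functions exist only to show the shape of the check; on a real FortiGate the only authoritative test is the verify command itself.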
Passwords and keys that can be encrypted by the master-encryption-key include:
Alternatively, download a backup after enabling the master-encryption-key and verify that the items above are encrypted and cannot be read or decrypted without the master key.
Related articles:
Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate
Technical Tip: Enable private-data-encryption in HA cluster
FOS 6.2.9 Trusted platform module support.
FOS 7.2.0 Hardening and Best Practices.
How to restore a backup configuration file with private-data-encryption enable.
Use of a hard-coded cryptographic key to cipher sensitive data in CLI configuration.
Copyright 2024 Fortinet, Inc. All Rights Reserved.