FortiDLP Administration Guide

Setting encryption keys

Before the FortiDLP Agent transfers a shadow copy to your storage location, it encrypts it to add an additional layer of protection. To do this, the Agent requires an encryption key.

You will need to generate at least one encryption key using the FortiDLP Decryption Tool. An encryption key has a public and private component:

  • The public key must be specified in the FortiDLP Console to be accessible by the FortiDLP Agent for encryption.
  • The private key must be kept in a safe location, only accessible to operators who should decrypt shadow copies. When you generate an encryption key using the FortiDLP Decryption Tool Extension, the private key is automatically encrypted and secured in the tool within a passphrase-protected vault. When you generate an encryption key using the FortiDLP Decryption CLI Tool, the private key is saved in your home directory by default (detailed below), and we advise implementing internal security measures like access control and logging to protect it.

Refer to the following instructions when setting encryption keys using either the FortiDLP Decryption Tool Extension or FortiDLP Decryption CLI Tool.

How to set an encryption key using the FortiDLP Decryption Tool Extension
  1. On your browser's menu bar, click the icon and launch the FortiDLP Decryption Tool Extension.
  2. In the New passphrase field, type a passphrase.
    Note

    Your passphrase must contain at least 12 characters. It is also recommended that it:

    • contains a mixture of uppercase and lowercase letters, numbers, and special characters
    • is complex (avoid strings of repeated characters)
    • is unique (avoid reusing passphrases).

    Remember this passphrase, as you will need it every time you use the FortiDLP Decryption Tool Extension.

  3. In the Confirm passphrase field, type your passphrase again.
  4. Click OK.
  5. Do one of the following:
    • If this is your first time decrypting shadow copies, to generate a new key:
      1. Click Generate a new key.
        Your key pair is generated.
      2. Click Copy to copy the public key.
        Tooltip

        From here, you can also optionally export the public key to a PEM file by clicking Export.

      3. Log in to the FortiDLP Console.
      4. On the left-hand sidebar, click .
      5. Under Integrations, select the File shadowing tab.
      6. In the Encryption keys section, click Add key.
      7. In the Add new encryption key dialog box:
        1. In the Name field, type a key name that will help you associate your private key with the public key.
        2. In the Public key field, paste your public key.
        3. Click Save.
    • If you have decrypted shadow copies before using the FortiDLP Decryption CLI Tool, to import your existing key:
      1. Click Import an existing key.
      2. Select your existing private key file.
        Note

        By default, on Windows, the private key file is saved in C:/Users/<user>/.reveal-decryption-key/key. On macOS and Linux, the private key file is saved in ~/.reveal-decryption-tool/key.

      3. In the Passphrase field, type the FortiDLP Decryption CLI Tool passphrase you chose to protect the key (not your browser extension passphrase) and then click OK.
      4. If you have not already added the public key to the FortiDLP Console, do the following:
        1. Click Copy to copy the public key.
        2. Log in to the FortiDLP Console.
        3. On the left-hand sidebar, click .
        4. Under Integrations, select the File shadowing tab.
        5. In the Encryption keys section, click Add key.
        6. In the Add new encryption key dialog box:
          1. In the Name field, type a key name that will help you associate your private key with the public key.
          2. In the Public key field, paste your public key.
          3. Click Save.
Caution

If you forget your FortiDLP Decryption Tool Extension passphrase, you will lose access to all private keys stored in the tool and files that were encrypted using such keys. Fortinet cannot recover passphrases and private keys. If needed, you can view an existing public key in the FortiDLP Console. The FortiDLP Decryption Tool Extension also allows you to export keys for backup.

After you configure at least one encryption key, proceed to Enabling policies with file shadowing.

For details on managing keys, see Rotating encryption keys and Deleting encryption keys.

How to set an encryption key using the FortiDLP Decryption CLI Tool
  1. Open a CLI.
  2. Go to the directory containing the FortiDLP Decryption CLI Tool binary.
  3. Do one of the following:
    • On Windows, run the command reveal-decryption-tool.exe keygen.
    • On macOS or Linux, run the command ./reveal-decryption-tool keygen.
  4. Type a passphrase and then press Enter.
    Note

    Your passphrase must:

    • contain at least 15 characters
    • contain a mixture of uppercase and lowercase letters, numbers, and special characters
    • be complex (avoid strings of repeated characters)
    • be unique (avoid reusing passphrases).

    Remember this passphrase, as you will need it every time you use the FortiDLP Decryption CLI Tool.

    Your key pair is generated.

  5. Store the private key in a safe location and copy the public key.
  6. Log in to the FortiDLP Console.
  7. On the left-hand sidebar, click .
  8. Under Integrations, select the File shadowing tab.
  9. In the Encryption keys section, click Add key.
  10. In the Add encryption key dialog box, do the following:
    1. In the Name field, type a key name that will help you associate your private key with the public key.
    2. In the Public key field, paste your public key.
    3. Click Save.
Note

By default, on Windows, the private key file is saved in C:/Users/<user>/.reveal-decryption-key/key. On macOS and Linux, the private key file is saved in ~/.reveal-decryption-tool/key.
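
One way to check the access-control advice for the CLI tool's default key location on macOS or Linux, as an added example that is not part of the Fortinet documentation or tooling. The function names and the policy applied (the key file and its directory are owned by the current user with no group or other permissions) are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not Fortinet code): audit filesystem access to the CLI tool's
# private key. Usage: sh audit_key.sh ~/.reveal-decryption-tool/key

# Print permission bits (octal) and owner UID; GNU stat first, then BSD/macOS.
perm_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_entry PATH LABEL: owned by the current user, no group/other access.
check_entry() {
    rc=0
    if [ "$(owner_of "$1")" != "$(id -u)" ]; then
        echo "FAIL: $2 $1 is not owned by the current user"; rc=1
    fi
    mode=$(perm_of "$1")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $2 $1 has mode $mode; group/other bits are set"; rc=1
    fi
    return $rc
}

# audit_key KEYFILE: returns 0 only if the key file and its directory pass.
audit_key() {
    key=$1
    dir=$(dirname "$key")
    # A symlink could redirect reads to a location with weaker permissions.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is missing, a symlink, or not a regular file"
        return 1
    fi
    result=0
    check_entry "$dir" "directory" || result=1
    check_entry "$key" "key file" || result=1
    [ "$result" -eq 0 ] && echo "OK: $key is restricted to its owner"
    return $result
}

# Run only when a path is supplied on the command line.
if [ "$#" -gt 0 ]; then
    audit_key "$1"
fi
```

The script exits non-zero on any finding, so it can be run from a scheduled job and its output forwarded to your logging pipeline.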

Caution

If you lose your private key or forget your FortiDLP Decryption CLI Tool passphrase, you will lose access to all files that were encrypted using that key. Fortinet cannot recover private keys and passphrases. If needed, you can view an existing public key in the FortiDLP Console or by running the export command when using the FortiDLP Decryption CLI Tool.

After you configure at least one encryption key, proceed to Enabling policies with file shadowing.

For details on deleting unwanted keys, see Deleting encryption keys.
