Trusted platform module support
On supported FortiGate hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiGate by generating, storing, and authenticating cryptographic keys. To help prevent tampering, the chip is soldered on the motherboard to reduce the risk of data transaction interceptions from attackers.
By default, the TPM is disabled. To enable it, you must set the 32 hexadecimal digit master‑encryption‑password which encrypts sensitive data on the FortiGate using AES128-CBC. With the password, TPM generates a 2048-bit primary key to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data. The primary key protects the master-encryption-password.
The TPM module does not encrypt the disk drive of eligible FortiGates. |
The primary key binds the encrypted configuration file to a specific FortiGate unit and never leaves the TPM. When backing up the configuration, the TPM uses the primary key to encrypt the master‑encryption‑password in the configuration file. When restoring a configuration that includes a TPM protected master‑encryption‑password:
-
If TPM is disabled, then the configuration cannot be restored.
-
If TPM is enabled but has a different master‑encryption‑password than the configuration file, then the configuration cannot be restored.
-
If TPM is enabled and the master‑encryption‑password is the same in the configuration file, then the configuration can be restored.
For information on backing up and restoring the configuration, see Configuration backups.
Passwords and keys that can be encrypted by the master‑encryption‑key include:
-
Alert email user's password
-
BGP and other routing related configurations
-
External resource
-
FortiGuard proxy password
-
FortiToken/FortiToken Mobile’s seed
-
HA password
-
IPsec pre-shared key
-
Link Monitor, server side password
-
Local certificate's private key
-
Local, LDAP. RADIUS, FSSO, and other user category related passwords
-
Modem/PPPoE
-
NST password
-
NTP Password
-
SDN connector, server side password
-
SNMP
-
Wireless Security related password
In HA configurations, each cluster member must use the same master‑encryption‑key so that the HA cluster can form and its members can synchronize their configurations. |
To check if your FortiGate device has a TPM:
Verify all the following commands exist. Otherwise, the platform does not support it.
# diagnose hardware test info List of test cases: bios: sysid bios: checksum bios: license bios: detect # diagnose hardware deviceinfo tpm TPM capability information of fixed properties: ========================================================= TPM_PT_FAMILY_INDICATOR: 2.0 TPM_PT_LEVEL: 0 TPM_PT_REVISION: 138 TPM_PT_DAY_OF_YEAR: 8 TPM_PT_YEAR: 2018 TPM_PT_MANUFACTURER: NTC # diagnose hardware test tpm =========== Fortinet Hardware Test Report =================== TPM TPM Device Detection.......................................... PASS ================= Fortinet Hardware Test PASSED ============== # diagnose tpm get-property Get TPM properties. [Take 0-1 arg(s)] get-var-property Get TPM var properties. read-clock Read TPM internal clock. shutdown-prepare Prepare for TPM power cycle. selftest Perform self tests. generate-random-number Generate a 4-byte random number SHA-1 HASH a sequence of num with SHA-1 algo SHA-256 HASH a sequence of num with SHA-256 algo
To enable TPM and input the master‑encryption‑password:
config system global set private-data-encryption enable end Please type your private data encryption key (32 hexadecimal numbers): ******************************** Please re-enter your private data encryption key (32 hexadecimal numbers) again: ******************************** Your private data encryption key is accepted.