Trusted platform module support

On supported FortiGate hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiGate by generating, storing, and authenticating cryptographic keys. To help prevent tampering, the chip is soldered on the motherboard to reduce the risk of data transaction interceptions from attackers.

By default, the TPM is disabled. To enable it, you must set the 32-hexadecimal-digit master‑encryption‑password, which encrypts sensitive data on the FortiGate using AES128-CBC. With the password set, the TPM generates a 2048-bit primary key that secures the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data; the primary key protects the master-encryption-password.

Note

The TPM module does not encrypt the disk drive of eligible FortiGates.

The primary key binds the encrypted configuration file to a specific FortiGate unit and never leaves the TPM. When backing up the configuration, the TPM uses the primary key to encrypt the master‑encryption‑password in the configuration file. When restoring a configuration that includes a TPM protected master‑encryption‑password:

  • If TPM is disabled, then the configuration cannot be restored.

  • If TPM is enabled but has a different master‑encryption‑password than the configuration file, then the configuration cannot be restored.

  • If TPM is enabled and the master‑encryption‑password is the same in the configuration file, then the configuration can be restored.

For information on backing up and restoring the configuration, see Configuration backups.

Passwords and keys that can be encrypted by the master‑encryption‑key include:

  • Alert email user's password

  • BGP and other routing related configurations

  • External resource

  • FortiGuard proxy password

  • FortiToken/FortiToken Mobile’s seed

  • HA password

  • IPsec pre-shared key

  • Link Monitor, server side password

  • Local certificate's private key

  • Local, LDAP, RADIUS, FSSO, and other user category related passwords

  • Modem/PPPoE

  • NST password

  • NTP Password

  • SDN connector, server side password

  • SNMP

  • Wireless Security related password

Note

In HA configurations, each cluster member must use the same master‑encryption‑key so that the HA cluster can form and its members can synchronize their configurations.

To check if your FortiGate device has a TPM:

Verify that all of the following commands exist. If any of them is missing, the platform does not support TPM.

# diagnose hardware test info
List of test cases:
    bios: sysid
    bios: checksum
    bios: license
    bios: detect

# diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 138
TPM_PT_DAY_OF_YEAR: 8
TPM_PT_YEAR: 2018
TPM_PT_MANUFACTURER: NTC

# diagnose hardware test tpm
=========== Fortinet Hardware Test Report ===================
TPM
TPM Device Detection.......................................... PASS
================= Fortinet Hardware Test PASSED ==============

# diagnose tpm
get-property Get TPM properties. [Take 0-1 arg(s)]
get-var-property Get TPM var properties.
read-clock Read TPM internal clock.
shutdown-prepare Prepare for TPM power cycle.
selftest Perform self tests.
generate-random-number Generate a 4-byte random number
SHA-1 HASH a sequence of num with SHA-1 algo
SHA-256 HASH a sequence of num with SHA-256 algo

To enable TPM and input the master‑encryption‑password:

config system global
    set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.