Trusted platform module support

On supported FortiGate hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiGate by generating, storing, and authenticating cryptographic keys.

By default, the TPM is disabled. To enable it, you must set the 32 hexadecimal digit master‑encryption‑password. The TPM protects the master‑encryption‑password, and uses it to generate a master‑encryption‑key. The key is also protected by the TPM, and used to encrypt and decrypt users' passwords. The TPM does not directly encrypt, decrypt, or store users' passwords.

When backing up the configuration, the TPM uses the master‑encryption‑key to encrypt the master‑encryption‑password in the configuration file. When restoring a configuration that includes a TPM‑protected master‑encryption‑password:

  • If TPM is not enabled, then the configuration cannot be restored.

  • If TPM is enabled but has a different master‑encryption‑password than the configuration file, then the configuration cannot be restored.

  • If TPM is enabled and the master‑encryption‑password is the same in the configuration file, then the configuration can be restored.

For information on backing up and restoring the configuration, see Configuration backups.

Passwords and keys that can be encrypted by the master‑encryption‑key include:

  • Alert email user's password

  • BGP and other routing related configurations

  • External resource

  • FortiGuard proxy password

  • FortiToken/FortiToken Mobile’s seed

  • HA password

  • IPsec pre-shared key

  • Link Monitor, server side password

  • Local certificate's private key

  • Local, LDAP, RADIUS, FSSO, and other user category related passwords

  • Modem/PPPoE

  • NST password

  • NTP Password

  • SDN connector, server side password

  • SNMP

  • Wireless Security related password

Note

In HA configurations, each cluster member must use the same master‑encryption‑key so that the HA cluster can form and its members can synchronize their configurations.

To check if your FortiGate device has a TPM:
# diagnose hardware deviceinfo tpm

or

# diagnose hardware test tpm

=========== Fortinet Hardware Test Report ===================

TPM

  TPM Device Detection.......................................... PASS

================= Fortinet Hardware Test PASSED ==============

To enable TPM and input the master‑encryption‑password:
config system global
    set private-data-encryption enable
end

Please type your private data encryption key (32 hexadecimal numbers):
1234567890abcdef1234567890abcdef
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
1234567890abcdef1234567890abcdef
Your private data encryption key is accepted.
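As an added example (not Fortinet's code), the following Python helper puts the page's two practical checks into code: it validates that a candidate master‑encryption‑password is exactly 32 hexadecimal digits as the CLI prompt requires, generates a random one instead of a guessable value like the sample above, and scans a configuration backup for `set private-data-encryption enable` under `config system global` so you know before a restore whether the TPM restore rules apply. The backup fragment is constructed, and it is an assumption that backup files use the same CLI syntax shown on this page.

```python
import re
import secrets

# Constructed sample backup fragment (assumed to follow the CLI syntax shown on the page).
SAMPLE_BACKUP = """\
config system global
    set hostname FGT-EXAMPLE
    set private-data-encryption enable
end
config system ha
    set group-name ha-example
end
"""

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def is_valid_master_encryption_password(value: str) -> bool:
    """True only if value is exactly 32 hexadecimal digits (the CLI prompt's requirement)."""
    return bool(HEX32.match(value))


def generate_master_encryption_password() -> str:
    """Return 32 hex digits (16 bytes) from the OS CSPRNG, suitable for the CLI prompt."""
    return secrets.token_hex(16)


def backup_requires_tpm(config_text: str) -> bool:
    """Return True if the backup enables private-data-encryption under 'config system global'.

    A depth counter tracks nested 'config ... end' blocks so the setting is only
    recognised inside the system global block, not in some other table."""
    depth, global_depth = 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system global":
                global_depth = depth
        elif line == "end":
            if global_depth == depth:
                global_depth = None
            depth -= 1
        elif global_depth is not None and line == "set private-data-encryption enable":
            return True
    return False


def restore_allowed(config_text: str, tpm_enabled: bool, same_password: bool) -> bool:
    """Apply the page's restore rules: a TPM-protected backup needs TPM enabled on the
    target and the same master-encryption-password; otherwise the restore fails."""
    if not backup_requires_tpm(config_text):
        return True
    return tpm_enabled and same_password
```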
