Fortinet white logo
Fortinet white logo

Administration Guide

TPM support for FortiGate-VM

TPM support for FortiGate-VM

Using the TPM module, the FortiGate can generate, store, and authenticate cryptographic keys. When TPM is enabled on a FortiGate, the admin must set a 32-digit hexadecimal master-encryption-password to encrypt sensitive data on the FortiGate such as admin passwords, IPsec VPN preshared keys (PSK), and other passwords and keys as this document lists. In turn, a TPM-generated primary key, which is stored on the TPM, encrypts this master-encryption-passsword.

When the FortiGate backs up configurations to a configuration file, the master-encryption-password encrypts passwords and keys. The primary key also encrypts the master-encryption-password. Therefore, when restoring a config file, if the FortiGate unit does not have TPM enabled, or does not have the same master-encryption-key, you cannot upload the configuration file.

This enhancement adds TPM support to FGT-VM64 platforms. Hypervisors with software TPM emulator packages installed can support the TPM feature in FortiOS. This feature supports KVM/QEMU.

For information about TPM, see Trusted platform module support.

Passwords and keys that the masterencryptionkey can encrypt include:

  • Alert email user password
  • BGP and other routing-related configurations
  • External resource
  • FortiGuard proxy password
  • FortiToken/FortiToken Mobile seed
  • High availability password
  • Link Monitor server-side password
  • IPsec VPN PSK
  • Local certificate private key
  • SDN connector server-side password
  • Local, LDAP, RADIUS, FSSO, and other user category-related passwords
  • Modem/PPPoE
  • NST password
  • NTP Password
  • SNMP
  • Wireless security-related password

You cannot restore a private key-encrypted configuration via the FortiOS GUI if private-data-encryption is disabled. The following shows the GUI in this scenario:

To check if your FortiGate has a TPM:
  1. Verify that the required packages are installed on the Linux KVM host:
    packet@kvm-s01:~$ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04.1 LTS
    Release:	22.04
    Codename:	jammy
    packet@kvm-s01:~$
    packet@kvm-s01:~$ apt list swtpm swtpm-tools qemu libvirt0 virtinst
    Listing... Done
    libvirt0/jammy-updates,jammy-updates,now 8.0.0-1ubuntu7.1 amd64 [installed,automatic]
    qemu/jammy-updates,jammy-updates,now 1:6.2+dfsg-2ubuntu6.3 amd64 [installed]
    swtpm-tools/jammy,jammy,now 0.6.3-0ubuntu3 amd64 [installed]
    swtpm/jammy,jammy,now 0.6.3-0ubuntu3 amd64 [installed]
    virtinst/jammy,jammy,jammy,jammy,now 1:4.0.0-1 all [installed]
    
  2. Import a FGT_VM64_KVM VM to the host. You may want to change the following script to fit your setup:
    UUID="$(uuid)"
    SKU="FGT_VM64_KVM"
    VER=7
    NUM=0418
    CPU=2
    RAM=2048
    CONTROLLER="type=ide,index=0"
    BUS="ide"
    MODEL="virtio"
    RND_MAC() { printf '90:6C:AC:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256)) ;}
    MACADDR=$(RND_MAC)
    DOMAIN=$SKU-v$VER-b$NUM
    
    qemu-img create -f qcow2 $DOMAIN-log.qcow2 1024M
    qemu-img create -f qcow2 $DOMAIN-wanopt.qcow2 1024M
    
    virt-install --connect qemu:///system \
    	--name $DOMAIN \
    	--uuid $UUID \
    	--virt-type kvm \
    	--arch=x86_64 \
    	--hvm \
    	--osinfo linux \
    	--os-variant=generic \
    	--graphics vnc,listen=0.0.0.0 --noautoconsole \
    	--cpu host-passthrough \
    	--vcpus=$CPU \
    	--ram $RAM \
    	--sysinfo host \
    	--controller $CONTROLLER \
    	--boot hd,menu=on \
    	--disk fortios.qcow2,device=disk,bus=$BUS,format=qcow2,cache=none,io=native \
    	--disk $DOMAIN-log.qcow2,device=disk,bus=$BUS,format=qcow2,cache=none,io=native \
    	--disk $DOMAIN-wanopt.qcow2,device=disk,bus=$BUS,format=qcow2,cache=none,io=native \
    	--features kvm_hidden=on,smm=on \
    	--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \
    	--network bridge=br1,model=$MODEL,mac=$MACADDR:01 \
    	--network bridge=br2,model=$MODEL,mac=$MACADDR:02 \
    	--network bridge=br3,model=$MODEL,mac=$MACADDR:03 \
    	--network bridge=br4,model=$MODEL,mac=$MACADDR:04 \
    	--import
    

    Key pairs are created on the host when the VM with TPM is imported:

    packet@kvm-s01:~$ sudo ls -al /var/lib/swtpm-localca/
    total 56
    drwxr-x---  2 swtpm root  4096 Sep 21 08:09 .
    drwxr-xr-x 49 root  root  4096 Sep 19 12:42 ..
    -rwxr-xr-x  1 swtpm swtpm    0 Sep 21 08:09 .lock.swtpm-localca
    -rw-r--r--  1 swtpm swtpm 5519 Sep 21 08:09 01.pem
    -rw-r--r--  1 swtpm swtpm    1 Sep 21 08:19 certserial
    -rw-r--r--  1 swtpm swtpm   48 Sep 21 08:09 index.txt
    -rw-r--r--  1 swtpm swtpm   21 Sep 21 08:09 index.txt.attr
    -rw-r--r--  1 swtpm swtpm    0 Sep 21 08:09 index.txt.old
    -rw-r--r--  1 swtpm swtpm 5519 Sep 21 08:09 issuercert.pem
    -rw-r--r--  1 swtpm swtpm    3 Sep 21 08:09 serial
    -rw-r--r--  1 swtpm swtpm    3 Sep 21 08:09 serial.old
    -rw-r-----  1 swtpm swtpm 2459 Sep 21 08:09 signkey.pem
    -rw-r--r--  1 swtpm swtpm 1468 Sep 21 08:09 swtpm-localca-rootca-cert.pem
    -rw-r-----  1 swtpm swtpm 2459 Sep 21 08:09 swtpm-localca-rootca-privkey.pem
    packet@kvm-s01:~$ 
    packet@kvm-s01:~$ sudo cat /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log
    Starting vTPM manufacturing as swtpm:swtpm @ Wed 21 Sep 2023 08:09:30 AM PDT
    Successfully created RSA 2048 EK with handle 0x81010001.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b0a85bad0cb79ef673f05f4d3fdb4f65da3171d86a392e60435c18a431a3062aafaadb22e2af06b2522cfcf959ca334ba38684859beb8064f2ba610735cb1dccee1388b9da840a4732d626358e383f0d089592d04dfc15b7e82285f1fa1b4a73bd1bfdbf0d75a02f94f069ae1546d2f28f984046f384f4b35ef1451a191628b2a1329f138dad4e4407d0d03b2f71defc568642fe74d98f0e383e8ac1a5c94b4c30c1a0aae0cfe96bc9316397582cbbb834557a2112aad32d3f1e825e8dfbd569bb9b2492728c425609515568f17d42aee8a5fdaf973a441aaf8bf20762101a9e2507ee0b4e876280e36474b4c10179df18fe066db708d0c11e741a8e722154c9 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Creating root CA and a local CA's signing key and issuer cert.
    Successfully created EK certificate locally.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type platform --ek b0a85bad0cb79ef673f05f4d3fdb4f65da3171d86a392e60435c18a431a3062aafaadb22e2af06b2522cfcf959ca334ba38684859beb8064f2ba610735cb1dccee1388b9da840a4732d626358e383f0d089592d04dfc15b7e82285f1fa1b4a73bd1bfdbf0d75a02f94f069ae1546d2f28f984046f384f4b35ef1451a191628b2a1329f138dad4e4407d0d03b2f71defc568642fe74d98f0e383e8ac1a5c94b4c30c1a0aae0cfe96bc9316397582cbbb834557a2112aad32d3f1e825e8dfbd569bb9b2492728c425609515568f17d42aee8a5fdaf973a441aaf8bf20762101a9e2507ee0b4e876280e36474b4c10179df18fe066db708d0c11e741a8e722154c9 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created platform certificate locally.
    Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
    Successfully created NVRAM area 0x1c08000 for platform certificate.
    Successfully created ECC EK with handle 0x81010016.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek x=d28e9411dbe9aa0ada17c179c0854bebcf2d7ef2f94f42ef92f4e2deb28b568c9ecabd847fd36a974efceb7b0d54893e,y=6b777ed060459c7907eb639665b3e64d9a93e692b7a4c0d20a18acafb6a2ae8e1284e948060266b96c1c23cc883e7634,id=secp384r1 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created EK certificate locally.
    Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
    Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384,sha512.
    Successfully authored TPM state.
    Ending vTPM manufacturing @ Wed 21 Sep 2023 08:09:33 AM PDT
    Starting vTPM manufacturing as swtpm:swtpm @ Wed 21 Sep 2023 08:19:44 AM PDT
    Successfully created RSA 2048 EK with handle 0x81010001.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b49eb6d250c2add268fe448098b458f57e3a47719c3fbcc49fb85ecddd937f2f662a238eee0b8814ea3c07a4beeebad5a4ef30fd224e9051fad2ae29256ba7b85b03aef004ec05d2fd1e8139edcb3396b0b2b0a2adfb6b29fd975a9daf385aa3ffc0739fbc2d6b5850b9f424c787074ac56571fc15564b3dfbd847f2c79d310dfea27f2a694bb2c49d3bbb2e2d2a61c29d4214140358dfe23b97562ea8c756da7942e8be3b260da9dfccb26383c4734c76d6e8e47e55055c1a697c1379faf3b41400034b201115fb0913151f0a1d4b963208e5f758ad9c59ee1da145d2bc740069768545085d18a00108915214014b8b99fb47611f8b9260c70a4e2cef3ce1c7 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created EK certificate locally.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type platform --ek b49eb6d250c2add268fe448098b458f57e3a47719c3fbcc49fb85ecddd937f2f662a238eee0b8814ea3c07a4beeebad5a4ef30fd224e9051fad2ae29256ba7b85b03aef004ec05d2fd1e8139edcb3396b0b2b0a2adfb6b29fd975a9daf385aa3ffc0739fbc2d6b5850b9f424c787074ac56571fc15564b3dfbd847f2c79d310dfea27f2a694bb2c49d3bbb2e2d2a61c29d4214140358dfe23b97562ea8c756da7942e8be3b260da9dfccb26383c4734c76d6e8e47e55055c1a697c1379faf3b41400034b201115fb0913151f0a1d4b963208e5f758ad9c59ee1da145d2bc740069768545085d18a00108915214014b8b99fb47611f8b9260c70a4e2cef3ce1c7 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created platform certificate locally.
    Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
    Successfully created NVRAM area 0x1c08000 for platform certificate.
    Successfully created ECC EK with handle 0x81010016.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek x=56a69f0827e7f4fc237dffb8202573f910140516ced4d85f62b443b627d6eb3075993a5e757119ed56ab43daa76e5f23,y=c38364e2663bcb8cab92a658c2f4054826ca36d6cff99ea0a7a2ef9f600bf5902902482a67ad90101930ed7f17cc613d,id=secp384r1 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created EK certificate locally.
    Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
    Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384,sha512.
    Successfully authored TPM state.
    Ending vTPM manufacturing @ Wed 21 Sep 2023 08:19:44 AM PDT
    
  3. Log in to FGT_VM64_KVM and check TPM status:
    Version: FortiGate-VM64-KVM v7.0.8,build0418,220920 (GA)
    Virus-DB: 1.00000(2018-04-09 18:07)
    Extended DB: 1.00000(2018-04-09 18:07)
    Extreme DB: 1.00000(2018-04-09 18:07)
    AV AI/ML Model: 0.00000(2001-01-01 00:00)
    IPS-DB: 6.00741(2015-12-01 02:30)
    IPS-ETDB: 6.00741(2015-12-01 02:30)
    APP-DB: 6.00741(2015-12-01 02:30)
    INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
    IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
    Serial-Number: FGVM02TM12345678
    License Status: Valid
    License Expiration Date: 2023-09-08
    VM Resources: 2 CPU/2 allowed, 2007 MB RAM
    Log hard disk: Available
    Hostname: FGT_VM64_KVM
    Private Encryption: Disable
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Branch point: 0418
    Release Version Information: GA
    FortiOS x86-64: Yes
    System time: Wed Sep 21 08:43:18 2023
    Last reboot reason: warm reboot
    
    FGT_VM64_KVM #
    FGT_VM64_KVM # fnsysctl ls /dev/tpm0
    /dev/tpm0  
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose hardware deviceinfo tpm
    
    
    TPM capability information of fixed properties:
    =========================================================
    TPM_PT_FAMILY_INDICATOR:        2.0
    TPM_PT_LEVEL:                   0
    TPM_PT_REVISION:                164
    TPM_PT_DAY_OF_YEAR:             75
    TPM_PT_YEAR:                    2021
    TPM_PT_MANUFACTURER:            IBM
    TPM_PT_VENDOR_STRING:           SW   TPM
    TPM_PT_VENDOR_STRING_1 in HEX:  0x53572020
    TPM_PT_VENDOR_STRING_2 in HEX:  0x2054504d
    TPM_PT_VENDOR_STRING_3 in HEX:  0x00000000
    TPM_PT_VENDOR_STRING_4 in HEX:  0x00000000
    TPM_PT_VENDOR_TPM_TYPE:         1
    TPM_PT_FIRMWARE_VERSION:        8217.4131.22.13878
    TPM_PT_FIRMWARE_VERSION in HEX: 0x2019102300163636
    
    TPM_PT_MEMORY:
    =========================================================
    Shared RAM:                     0 CLEAR
    Shared NV:                      1 SET
    Object Copied To Ram:           1 SET
    
    TPM_PT_PERMANENT:
    =========================================================
    Owner Auth Set:                 0 CLEAR
    Sendorsement Auth Set:          0 CLEAR
    Lockout Auth Set:               0 CLEAR
    Disable Clear:                  0 CLEAR
    In Lockout:                     0 CLEAR
    TPM Generated EPS:              1 SET
    
    
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm 
    get-property              Get TPM properties. [Take 0-1 arg(s)]
    get-var-property          Get TPM var properties.
    read-clock                Read TPM internal clock.
    shutdown-prepare          Prepare for TPM power cycle.
    selftest                  Perform self tests.
    generate-random-number    Generate a 4-byte random number
    SHA-1                     HASH a sequence of num with SHA-1 algo
    SHA-256                   HASH a sequence of num with SHA-256 algo
     
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm get-property 
    
    
    TPM capability information of fixed properties:
    =========================================================
    TPM_PT_FAMILY_INDICATOR:        2.0
    TPM_PT_LEVEL:                   0
    TPM_PT_REVISION:                164
    TPM_PT_DAY_OF_YEAR:             75
    TPM_PT_YEAR:                    2021
    TPM_PT_MANUFACTURER:            IBM
    TPM_PT_VENDOR_STRING:           SW   TPM
    TPM_PT_VENDOR_STRING_1 in HEX:  0x53572020
    TPM_PT_VENDOR_STRING_2 in HEX:  0x2054504d
    TPM_PT_VENDOR_STRING_3 in HEX:  0x00000000
    TPM_PT_VENDOR_STRING_4 in HEX:  0x00000000
    TPM_PT_VENDOR_TPM_TYPE:         1
    TPM_PT_FIRMWARE_VERSION:        8217.4131.22.13878
    TPM_PT_FIRMWARE_VERSION in HEX: 0x2019102300163636
    
    TPM_PT_MEMORY:
    =========================================================
    Shared RAM:                     0 CLEAR
    Shared NV:                      1 SET
    Object Copied To Ram:           1 SET
    
    TPM_PT_PERMANENT:
    =========================================================
    Owner Auth Set:                 0 CLEAR
    Sendorsement Auth Set:          0 CLEAR
    Lockout Auth Set:               0 CLEAR
    Disable Clear:                  0 CLEAR
    In Lockout:                     0 CLEAR
    TPM Generated EPS:              1 SET
    
    
    
    FGT_VM64_KVM # diagnose tpm get-var-property
    
    
    TPM capability information of variable properties:
    
    
    
    TPM_PT_STARTUP_CLEAR:
    =========================================================
    Ph Enable:                      1 SET
    Sh Enable:                      1 SET
    Eh Enable:                      1 SET
    Orderly:                        0 CLEAR
    
    
    
    FGT_VM64_KVM # diagnose tpm read-clock
    
    
    Clock info:
    =========================================================
    Time since the last TPM_Init:
    2375158 ms  =  0 y, 0 d, 0 h, 39 min, 35 s, 158 ms
    
    Time during which the TPM has been powered:
    2375319 ms  =  0 y, 0 d, 0 h, 39 min, 35 s, 319 ms
    
    TPM Reset since the last TPM2_Clear:            5
    Number of times that TPM2_Shutdown:             0
    Safe:                                           1 = Yes
    
    
    
    FGT_VM64_KVM # diagnose tpm shutdown-prepare
    
    Shutdown works as expected.
    
    
    
    FGT_VM64_KVM # diagnose tpm selftest
    
    Successfully tested. Works as expected.
    
    
    
    FGT_VM64_KVM # diagnose tpm generate-random-number
    
    Random value:
    
    0x00000000:   0x73  0xF1  0x9F  0x31  
    
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm SHA-1 1234567890abcdef1234567890abcdef
    1234567890abcdef1234567890abcdef
    
    
    TPM2_Hash of '1234567890abcdef1234567890abcdef' with SHA-1:
    
    0x00000000:   62  0A  31  15  69  9A  42  2B  
    0x00000008:   D8  74  DE  31  D3  E6  91  1C  
    0x00000010:   58  3A  76  75  
    
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm SHA-256 1234567890abcdef1234567890abcdef
    1234567890abcdef1234567890abcdef
    
    
    TPM2_Hash of '1234567890abcdef1234567890abcdef' with SHA-256:
    
    0x00000000:   C5  12  D9  2E  35  45  B2  F1  
    0x00000008:   22  2E  4B  4C  6A  F6  D3  30  
    0x00000010:   EC  30  02  A0  4B  CA  A4  1D  
    0x00000018:   F9  CC  2C  49  62  84  96  D6  
    
  4. Enable TPM and input the master encryption password. This is an example. Using 0123456789abcdef0123456789abcdef as your private key is not recommended:
    FGT_VM64_KVM # exec private-encryption-key sample
    Private encryption is not enabled.
    Command fail. Return code 7
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # config system global
    
    FGT_VM64_KVM (global) # set private-data-encryption enable
    
    FGT_VM64_KVM (global) # end
    Please type your private data encryption key (32 hexadecimal numbers):
    1234567890abcdef1234567890abcdef
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    1234567890abcdef1234567890abcdef
    Your private data encryption key is accepted.

    The following shows an example of a successful activation:

    FGT_VM64_KVM # exec private-encryption-key sample
    B64TEXT: u7oOx1iBjPFu4XLZVq5/RpoZrDJ9htRo6Jjhfts4BaI=
    B64HMAC: FHmUhzSyT0IEfyoRnfdTFbY2l0o=
    

    Note the B64TEXT and B64HMAC sample keys. Run the following to verify the feature:

    FGT_VM64_KVM # exec private-encryption-key verify u7oOx1iBjPFu4XLZVq5/RpoZrDJ9htRo6Jjhfts4BaI= FHmUhzSyT0IEfyoRnfdTFbY2l0o=
    Verification passed.
    
  5. Back up the config:
    FGT_VM64_KVM # execute backup config tftp FGVM02TM12345678.conf 172.18.70.161
    Please wait...
    Connect to tftp server 172.18.70.161 ...
    #
    Send config file to tftp server OK.
    
  6. Verify that the backup config has private-encryption-key:
    packet@1804:/mnt/incoming$ less FGVM02TM12345678.conf
      #config-version=FGVMK6-7.0.8-FW-build0418-220920:opmode=0:vdom=0:user=admin
      #conf_file_ver=2079893748141389
      #buildno=0418
      #global_vdom=1
      #private-encryption-key=oY5GhQK3w0Ddn0EX+8hp6UYpjB4=
      config system global
          set admin-server-cert "Fortinet_Factory"
          set alias "FortiGate-VM64-KVM"
          set hostname "FGT_VM64_KVM"
          set private-data-encryption enable
          set timezone 04
      end
    
  7. Factory reset the FortiGate and restore the backup config. If private-data-encryption is disabled, the restore fails:
    FGT_VM64_KVM # execute factoryreset keepvmlicense
    This operation will reset the system to factory default except VM license!
    Do you want to continue? (y/n)y
    
    
    System is resetting to factory default...
    
    
    The system is going down NOW !!
    
    FGT_VM64_KVM # 
    
    After reboot:
    
    FGT_VM64_KVM # execute restore config tftp FGVM02TM12345678.conf 172.18.70.161
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n)y
    
    Please wait...
    Connect to TFTP server 172.18.70.161 ...
    
    Get file from TFTP server OK.
    The configuration was encrypted with a private encryption key but encryption is not enabled. Required: Enable private-data-encryption under system.global.
    Command fail. Return code -910
    

    The backup config restore fails if private-data-encryption is enabled with an incorrect master key:

    FGT_VM64_KVM # config system global
    
    FGT_VM64_KVM (global) # set private-data-encryption enable
    
    FGT_VM64_KVM (global) # end
    Please type your private data encryption key (32 hexadecimal numbers):
    ac6bdcdee2701a1edc6d594898e34f50
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    ac6bdcdee2701a1edc6d594898e34f50
    Your private data encryption key is accepted.
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # execute restore config tftp FGVM02TM12345678.conf 172.18.70.161
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n)y
    
    Please wait...
    Connect to TFTP server 172.18.70.161 ...
    
    Get file from TFTP server OK.
    The configuration was encrypted with a private encryption key that does not match the current in-use private encryption key.
    Command fail. Return code -911
    

    You can only restore the backup config when private-data-encryption is enabled with the correct master key.

    FGT_VM64_KVM # config system global 
    
    FGT_VM64_KVM (global) # set private-data-encryption disable 
    
    FGT_VM64_KVM (global) # end
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # config system global 
    
    FGT_VM64_KVM (global) # set private-data-encryption enable 
    
    FGT_VM64_KVM (global) # end
    Please type your private data encryption key (32 hexadecimal numbers):
    1234567890abcdef1234567890abcdef
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    1234567890abcdef1234567890abcdef
    Your private data encryption key is accepted.
    
    FGT_VM64_KVM # execute restore config tftp FGVM02TM12345678.conf 172.18.70.161
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n)y
    
    Please wait...
    Connect to TFTP server 172.18.70.161 ...
    
    Get file from TFTP server OK.
    File check OK.
    
    FGT_VM64_KVM # 
    
    The system is going down NOW !!
    
    Please stand by while rebooting the system.
    

TPM support for FortiGate-VM

TPM support for FortiGate-VM

Using the TPM module, the FortiGate can generate, store, and authenticate cryptographic keys. When TPM is enabled on a FortiGate, the admin must set a 32-digit hexadecimal master-encryption-password to encrypt sensitive data on the FortiGate such as admin passwords, IPsec VPN preshared keys (PSK), and other passwords and keys as this document lists. In turn, a TPM-generated primary key, which is stored on the TPM, encrypts this master-encryption-passsword.

When the FortiGate backs up configurations to a configuration file, the master-encryption-password encrypts passwords and keys. The primary key also encrypts the master-encryption-password. Therefore, when restoring a config file, if the FortiGate unit does not have TPM enabled, or does not have the same master-encryption-key, you cannot upload the configuration file.

This enhancement adds TPM support to FGT-VM64 platforms. Hypervisors with software TPM emulator packages installed can support the TPM feature in FortiOS. This feature supports KVM/QEMU.

For information about TPM, see Trusted platform module support.

Passwords and keys that the masterencryptionkey can encrypt include:

  • Alert email user password
  • BGP and other routing-related configurations
  • External resource
  • FortiGuard proxy password
  • FortiToken/FortiToken Mobile seed
  • High availability password
  • Link Monitor server-side password
  • IPsec VPN PSK
  • Local certificate private key
  • SDN connector server-side password
  • Local, LDAP, RADIUS, FSSO, and other user category-related passwords
  • Modem/PPPoE
  • NST password
  • NTP Password
  • SNMP
  • Wireless security-related password

You cannot restore a private key-encrypted configuration via the FortiOS GUI if private-data-encryption is disabled. The following shows the GUI in this scenario:

To check if your FortiGate has a TPM:
  1. Verify that the required packages are installed on the Linux KVM host:
    packet@kvm-s01:~$ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 22.04.1 LTS
    Release:	22.04
    Codename:	jammy
    packet@kvm-s01:~$
    packet@kvm-s01:~$ apt list swtpm swtpm-tools qemu libvirt0 virtinst
    Listing... Done
    libvirt0/jammy-updates,jammy-updates,now 8.0.0-1ubuntu7.1 amd64 [installed,automatic]
    qemu/jammy-updates,jammy-updates,now 1:6.2+dfsg-2ubuntu6.3 amd64 [installed]
    swtpm-tools/jammy,jammy,now 0.6.3-0ubuntu3 amd64 [installed]
    swtpm/jammy,jammy,now 0.6.3-0ubuntu3 amd64 [installed]
    virtinst/jammy,jammy,jammy,jammy,now 1:4.0.0-1 all [installed]
    
  2. Import a FGT_VM64_KVM VM to the host. You may want to change the following script to fit your setup:
    UUID="$(uuid)"
    SKU="FGT_VM64_KVM"
    VER=7
    NUM=0418
    CPU=2
    RAM=2048
    CONTROLLER="type=ide,index=0"
    BUS="ide"
    MODEL="virtio"
    RND_MAC() { printf '90:6C:AC:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256)) ;}
    MACADDR=$(RND_MAC)
    DOMAIN=$SKU-v$VER-b$NUM
    
    qemu-img create -f qcow2 $DOMAIN-log.qcow2 1024M
    qemu-img create -f qcow2 $DOMAIN-wanopt.qcow2 1024M
    
    virt-install --connect qemu:///system \
    	--name $DOMAIN \
    	--uuid $UUID \
    	--virt-type kvm \
    	--arch=x86_64 \
    	--hvm \
    	--osinfo linux \
    	--os-variant=generic \
    	--graphics vnc,listen=0.0.0.0 --noautoconsole \
    	--cpu host-passthrough \
    	--vcpus=$CPU \
    	--ram $RAM \
    	--sysinfo host \
    	--controller $CONTROLLER \
    	--boot hd,menu=on \
    	--disk fortios.qcow2,device=disk,bus=$BUS,format=qcow2,cache=none,io=native \
    	--disk $DOMAIN-log.qcow2,device=disk,bus=$BUS,format=qcow2,cache=none,io=native \
    	--disk $DOMAIN-wanopt.qcow2,device=disk,bus=$BUS,format=qcow2,cache=none,io=native \
    	--features kvm_hidden=on,smm=on \
    	--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \
    	--network bridge=br1,model=$MODEL,mac=$MACADDR:01 \
    	--network bridge=br2,model=$MODEL,mac=$MACADDR:02 \
    	--network bridge=br3,model=$MODEL,mac=$MACADDR:03 \
    	--network bridge=br4,model=$MODEL,mac=$MACADDR:04 \
    	--import
    

    Key pairs are created on the host when the VM with TPM is imported:

    packet@kvm-s01:~$ sudo ls -al /var/lib/swtpm-localca/
    total 56
    drwxr-x---  2 swtpm root  4096 Sep 21 08:09 .
    drwxr-xr-x 49 root  root  4096 Sep 19 12:42 ..
    -rwxr-xr-x  1 swtpm swtpm    0 Sep 21 08:09 .lock.swtpm-localca
    -rw-r--r--  1 swtpm swtpm 5519 Sep 21 08:09 01.pem
    -rw-r--r--  1 swtpm swtpm    1 Sep 21 08:19 certserial
    -rw-r--r--  1 swtpm swtpm   48 Sep 21 08:09 index.txt
    -rw-r--r--  1 swtpm swtpm   21 Sep 21 08:09 index.txt.attr
    -rw-r--r--  1 swtpm swtpm    0 Sep 21 08:09 index.txt.old
    -rw-r--r--  1 swtpm swtpm 5519 Sep 21 08:09 issuercert.pem
    -rw-r--r--  1 swtpm swtpm    3 Sep 21 08:09 serial
    -rw-r--r--  1 swtpm swtpm    3 Sep 21 08:09 serial.old
    -rw-r-----  1 swtpm swtpm 2459 Sep 21 08:09 signkey.pem
    -rw-r--r--  1 swtpm swtpm 1468 Sep 21 08:09 swtpm-localca-rootca-cert.pem
    -rw-r-----  1 swtpm swtpm 2459 Sep 21 08:09 swtpm-localca-rootca-privkey.pem
    packet@kvm-s01:~$ 
    packet@kvm-s01:~$ sudo cat /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log
    Starting vTPM manufacturing as swtpm:swtpm @ Wed 21 Sep 2023 08:09:30 AM PDT
    Successfully created RSA 2048 EK with handle 0x81010001.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b0a85bad0cb79ef673f05f4d3fdb4f65da3171d86a392e60435c18a431a3062aafaadb22e2af06b2522cfcf959ca334ba38684859beb8064f2ba610735cb1dccee1388b9da840a4732d626358e383f0d089592d04dfc15b7e82285f1fa1b4a73bd1bfdbf0d75a02f94f069ae1546d2f28f984046f384f4b35ef1451a191628b2a1329f138dad4e4407d0d03b2f71defc568642fe74d98f0e383e8ac1a5c94b4c30c1a0aae0cfe96bc9316397582cbbb834557a2112aad32d3f1e825e8dfbd569bb9b2492728c425609515568f17d42aee8a5fdaf973a441aaf8bf20762101a9e2507ee0b4e876280e36474b4c10179df18fe066db708d0c11e741a8e722154c9 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Creating root CA and a local CA's signing key and issuer cert.
    Successfully created EK certificate locally.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type platform --ek b0a85bad0cb79ef673f05f4d3fdb4f65da3171d86a392e60435c18a431a3062aafaadb22e2af06b2522cfcf959ca334ba38684859beb8064f2ba610735cb1dccee1388b9da840a4732d626358e383f0d089592d04dfc15b7e82285f1fa1b4a73bd1bfdbf0d75a02f94f069ae1546d2f28f984046f384f4b35ef1451a191628b2a1329f138dad4e4407d0d03b2f71defc568642fe74d98f0e383e8ac1a5c94b4c30c1a0aae0cfe96bc9316397582cbbb834557a2112aad32d3f1e825e8dfbd569bb9b2492728c425609515568f17d42aee8a5fdaf973a441aaf8bf20762101a9e2507ee0b4e876280e36474b4c10179df18fe066db708d0c11e741a8e722154c9 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created platform certificate locally.
    Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
    Successfully created NVRAM area 0x1c08000 for platform certificate.
    Successfully created ECC EK with handle 0x81010016.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek x=d28e9411dbe9aa0ada17c179c0854bebcf2d7ef2f94f42ef92f4e2deb28b568c9ecabd847fd36a974efceb7b0d54893e,y=6b777ed060459c7907eb639665b3e64d9a93e692b7a4c0d20a18acafb6a2ae8e1284e948060266b96c1c23cc883e7634,id=secp384r1 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created EK certificate locally.
    Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
    Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384,sha512.
    Successfully authored TPM state.
    Ending vTPM manufacturing @ Wed 21 Sep 2023 08:09:33 AM PDT
    Starting vTPM manufacturing as swtpm:swtpm @ Wed 21 Sep 2023 08:19:44 AM PDT
    Successfully created RSA 2048 EK with handle 0x81010001.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b49eb6d250c2add268fe448098b458f57e3a47719c3fbcc49fb85ecddd937f2f662a238eee0b8814ea3c07a4beeebad5a4ef30fd224e9051fad2ae29256ba7b85b03aef004ec05d2fd1e8139edcb3396b0b2b0a2adfb6b29fd975a9daf385aa3ffc0739fbc2d6b5850b9f424c787074ac56571fc15564b3dfbd847f2c79d310dfea27f2a694bb2c49d3bbb2e2d2a61c29d4214140358dfe23b97562ea8c756da7942e8be3b260da9dfccb26383c4734c76d6e8e47e55055c1a697c1379faf3b41400034b201115fb0913151f0a1d4b963208e5f758ad9c59ee1da145d2bc740069768545085d18a00108915214014b8b99fb47611f8b9260c70a4e2cef3ce1c7 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created EK certificate locally.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type platform --ek b49eb6d250c2add268fe448098b458f57e3a47719c3fbcc49fb85ecddd937f2f662a238eee0b8814ea3c07a4beeebad5a4ef30fd224e9051fad2ae29256ba7b85b03aef004ec05d2fd1e8139edcb3396b0b2b0a2adfb6b29fd975a9daf385aa3ffc0739fbc2d6b5850b9f424c787074ac56571fc15564b3dfbd847f2c79d310dfea27f2a694bb2c49d3bbb2e2d2a61c29d4214140358dfe23b97562ea8c756da7942e8be3b260da9dfccb26383c4734c76d6e8e47e55055c1a697c1379faf3b41400034b201115fb0913151f0a1d4b963208e5f758ad9c59ee1da145d2bc740069768545085d18a00108915214014b8b99fb47611f8b9260c70a4e2cef3ce1c7 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created platform certificate locally.
    Successfully created NVRAM area 0x1c00002 for RSA 2048 EK certificate.
    Successfully created NVRAM area 0x1c08000 for platform certificate.
    Successfully created ECC EK with handle 0x81010016.
      Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek x=56a69f0827e7f4fc237dffb8202573f910140516ced4d85f62b443b627d6eb3075993a5e757119ed56ab43daa76e5f23,y=c38364e2663bcb8cab92a658c2f4054826ca36d6cff99ea0a7a2ef9f600bf5902902482a67ad90101930ed7f17cc613d,id=secp384r1 --dir /var/lib/libvirt/swtpm/eb3c65cc-d354-11ea-a7dc-08002799a4d5/tpm2 --logfile /var/log/swtpm/libvirt/qemu/FGT_VM64_KVM_v7.0.8_b0418-swtpm.log --vmid FGT_VM64_KVM_v7.0.8_b0418:eb3c65cc-d354-11ea-a7dc-08002799a4d5 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
    Successfully created EK certificate locally.
    Successfully created NVRAM area 0x1c00016 for ECC EK certificate.
    Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384,sha512.
    Successfully authored TPM state.
    Ending vTPM manufacturing @ Wed 21 Sep 2023 08:19:44 AM PDT
    
  3. Log in to FGT_VM64_KVM and check TPM status:
    Version: FortiGate-VM64-KVM v7.0.8,build0418,220920 (GA)
    Virus-DB: 1.00000(2018-04-09 18:07)
    Extended DB: 1.00000(2018-04-09 18:07)
    Extreme DB: 1.00000(2018-04-09 18:07)
    AV AI/ML Model: 0.00000(2001-01-01 00:00)
    IPS-DB: 6.00741(2015-12-01 02:30)
    IPS-ETDB: 6.00741(2015-12-01 02:30)
    APP-DB: 6.00741(2015-12-01 02:30)
    INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
    IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
    Serial-Number: FGVM02TM12345678
    License Status: Valid
    License Expiration Date: 2023-09-08
    VM Resources: 2 CPU/2 allowed, 2007 MB RAM
    Log hard disk: Available
    Hostname: FGT_VM64_KVM
    Private Encryption: Disable
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 10
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Branch point: 0418
    Release Version Information: GA
    FortiOS x86-64: Yes
    System time: Wed Sep 21 08:43:18 2023
    Last reboot reason: warm reboot
    
    FGT_VM64_KVM #
    FGT_VM64_KVM # fnsysctl ls /dev/tpm0
    /dev/tpm0  
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose hardware deviceinfo tpm
    
    
    TPM capability information of fixed properties:
    =========================================================
    TPM_PT_FAMILY_INDICATOR:        2.0
    TPM_PT_LEVEL:                   0
    TPM_PT_REVISION:                164
    TPM_PT_DAY_OF_YEAR:             75
    TPM_PT_YEAR:                    2021
    TPM_PT_MANUFACTURER:            IBM
    TPM_PT_VENDOR_STRING:           SW   TPM
    TPM_PT_VENDOR_STRING_1 in HEX:  0x53572020
    TPM_PT_VENDOR_STRING_2 in HEX:  0x2054504d
    TPM_PT_VENDOR_STRING_3 in HEX:  0x00000000
    TPM_PT_VENDOR_STRING_4 in HEX:  0x00000000
    TPM_PT_VENDOR_TPM_TYPE:         1
    TPM_PT_FIRMWARE_VERSION:        8217.4131.22.13878
    TPM_PT_FIRMWARE_VERSION in HEX: 0x2019102300163636
    
    TPM_PT_MEMORY:
    =========================================================
    Shared RAM:                     0 CLEAR
    Shared NV:                      1 SET
    Object Copied To Ram:           1 SET
    
    TPM_PT_PERMANENT:
    =========================================================
    Owner Auth Set:                 0 CLEAR
    Sendorsement Auth Set:          0 CLEAR
    Lockout Auth Set:               0 CLEAR
    Disable Clear:                  0 CLEAR
    In Lockout:                     0 CLEAR
    TPM Generated EPS:              1 SET
    
    
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm 
    get-property              Get TPM properties. [Take 0-1 arg(s)]
    get-var-property          Get TPM var properties.
    read-clock                Read TPM internal clock.
    shutdown-prepare          Prepare for TPM power cycle.
    selftest                  Perform self tests.
    generate-random-number    Generate a 4-byte random number
    SHA-1                     HASH a sequence of num with SHA-1 algo
    SHA-256                   HASH a sequence of num with SHA-256 algo
     
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm get-property 
    
    
    TPM capability information of fixed properties:
    =========================================================
    TPM_PT_FAMILY_INDICATOR:        2.0
    TPM_PT_LEVEL:                   0
    TPM_PT_REVISION:                164
    TPM_PT_DAY_OF_YEAR:             75
    TPM_PT_YEAR:                    2021
    TPM_PT_MANUFACTURER:            IBM
    TPM_PT_VENDOR_STRING:           SW   TPM
    TPM_PT_VENDOR_STRING_1 in HEX:  0x53572020
    TPM_PT_VENDOR_STRING_2 in HEX:  0x2054504d
    TPM_PT_VENDOR_STRING_3 in HEX:  0x00000000
    TPM_PT_VENDOR_STRING_4 in HEX:  0x00000000
    TPM_PT_VENDOR_TPM_TYPE:         1
    TPM_PT_FIRMWARE_VERSION:        8217.4131.22.13878
    TPM_PT_FIRMWARE_VERSION in HEX: 0x2019102300163636
    
    TPM_PT_MEMORY:
    =========================================================
    Shared RAM:                     0 CLEAR
    Shared NV:                      1 SET
    Object Copied To Ram:           1 SET
    
    TPM_PT_PERMANENT:
    =========================================================
    Owner Auth Set:                 0 CLEAR
    Sendorsement Auth Set:          0 CLEAR
    Lockout Auth Set:               0 CLEAR
    Disable Clear:                  0 CLEAR
    In Lockout:                     0 CLEAR
    TPM Generated EPS:              1 SET
    
    
    
    FGT_VM64_KVM # diagnose tpm get-var-property
    
    
    TPM capability information of variable properties:
    
    
    
    TPM_PT_STARTUP_CLEAR:
    =========================================================
    Ph Enable:                      1 SET
    Sh Enable:                      1 SET
    Eh Enable:                      1 SET
    Orderly:                        0 CLEAR
    
    
    
    FGT_VM64_KVM # diagnose tpm read-clock
    
    
    Clock info:
    =========================================================
    Time since the last TPM_Init:
    2375158 ms  =  0 y, 0 d, 0 h, 39 min, 35 s, 158 ms
    
    Time during which the TPM has been powered:
    2375319 ms  =  0 y, 0 d, 0 h, 39 min, 35 s, 319 ms
    
    TPM Reset since the last TPM2_Clear:            5
    Number of times that TPM2_Shutdown:             0
    Safe:                                           1 = Yes
    
    
    
    FGT_VM64_KVM # diagnose tpm shutdown-prepare
    
    Shutdown works as expected.
    
    
    
    FGT_VM64_KVM # diagnose tpm selftest
    
    Successfully tested. Works as expected.
    
    
    
    FGT_VM64_KVM # diagnose tpm generate-random-number
    
    Random value:
    
    0x00000000:   0x73  0xF1  0x9F  0x31  
    
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm SHA-1 1234567890abcdef1234567890abcdef
    1234567890abcdef1234567890abcdef
    
    
    TPM2_Hash of '1234567890abcdef1234567890abcdef' with SHA-1:
    
    0x00000000:   62  0A  31  15  69  9A  42  2B  
    0x00000008:   D8  74  DE  31  D3  E6  91  1C  
    0x00000010:   58  3A  76  75  
    
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # diagnose tpm SHA-256 1234567890abcdef1234567890abcdef
    1234567890abcdef1234567890abcdef
    
    
    TPM2_Hash of '1234567890abcdef1234567890abcdef' with SHA-256:
    
    0x00000000:   C5  12  D9  2E  35  45  B2  F1  
    0x00000008:   22  2E  4B  4C  6A  F6  D3  30  
    0x00000010:   EC  30  02  A0  4B  CA  A4  1D  
    0x00000018:   F9  CC  2C  49  62  84  96  D6  
    
  4. Enable TPM and input the master encryption password. This is an example. Using 0123456789abcdef0123456789abcdef as your private key is not recommended:
    FGT_VM64_KVM # exec private-encryption-key sample
    Private encryption is not enabled.
    Command fail. Return code 7
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # config system global
    
    FGT_VM64_KVM (global) # set private-data-encryption enable
    
    FGT_VM64_KVM (global) # end
    Please type your private data encryption key (32 hexadecimal numbers):
    1234567890abcdef1234567890abcdef
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    1234567890abcdef1234567890abcdef
    Your private data encryption key is accepted.

    The following shows an example of a successful activation:

    FGT_VM64_KVM # exec private-encryption-key sample
    B64TEXT: u7oOx1iBjPFu4XLZVq5/RpoZrDJ9htRo6Jjhfts4BaI=
    B64HMAC: FHmUhzSyT0IEfyoRnfdTFbY2l0o=
    

    Note the B64TEXT and B64HMAC sample keys. Run the following to verify the feature:

    FGT_VM64_KVM # exec private-encryption-key verify u7oOx1iBjPFu4XLZVq5/RpoZrDJ9htRo6Jjhfts4BaI= FHmUhzSyT0IEfyoRnfdTFbY2l0o=
    Verification passed.
    
  5. Back up the config:
    FGT_VM64_KVM # execute backup config tftp FGVM02TM12345678.conf 172.18.70.161
    Please wait...
    Connect to tftp server 172.18.70.161 ...
    #
    Send config file to tftp server OK.
    
  6. Verify that the backup config has private-encryption-key:
    packet@1804:/mnt/incoming$ less FGVM02TM12345678.conf
      #config-version=FGVMK6-7.0.8-FW-build0418-220920:opmode=0:vdom=0:user=admin
      #conf_file_ver=2079893748141389
      #buildno=0418
      #global_vdom=1
      #private-encryption-key=oY5GhQK3w0Ddn0EX+8hp6UYpjB4=
      config system global
          set admin-server-cert "Fortinet_Factory"
          set alias "FortiGate-VM64-KVM"
          set hostname "FGT_VM64_KVM"
          set private-data-encryption enable
          set timezone 04
      end
    
  7. Factory reset the FortiGate and restore the backup config. If private-data-encryption is disabled, the restore fails:
    FGT_VM64_KVM # execute factoryreset keepvmlicense
    This operation will reset the system to factory default except VM license!
    Do you want to continue? (y/n)y
    
    
    System is resetting to factory default...
    
    
    The system is going down NOW !!
    
    FGT_VM64_KVM # 
    
    After reboot:
    
    FGT_VM64_KVM # execute restore config tftp FGVM02TM12345678.conf 172.18.70.161
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n)y
    
    Please wait...
    Connect to TFTP server 172.18.70.161 ...
    
    Get file from TFTP server OK.
    The configuration was encrypted with a private encryption key but encryption is not enabled. Required: Enable private-data-encryption under system.global.
    Command fail. Return code -910
    

    The backup config restore fails if private-data-encryption is enabled with an incorrect master key:

    FGT_VM64_KVM # config system global
    
    FGT_VM64_KVM (global) # set private-data-encryption enable
    
    FGT_VM64_KVM (global) # end
    Please type your private data encryption key (32 hexadecimal numbers):
    ac6bdcdee2701a1edc6d594898e34f50
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    ac6bdcdee2701a1edc6d594898e34f50
    Your private data encryption key is accepted.
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # execute restore config tftp FGVM02TM12345678.conf 172.18.70.161
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n)y
    
    Please wait...
    Connect to TFTP server 172.18.70.161 ...
    
    Get file from TFTP server OK.
    The configuration was encrypted with a private encryption key that does not match the current in-use private encryption key.
    Command fail. Return code -911
    

    You can only restore the backup config when private-data-encryption is enabled with the correct master key.

    FGT_VM64_KVM # config system global 
    
    FGT_VM64_KVM (global) # set private-data-encryption disable 
    
    FGT_VM64_KVM (global) # end
    
    FGT_VM64_KVM # 
    FGT_VM64_KVM # config system global 
    
    FGT_VM64_KVM (global) # set private-data-encryption enable 
    
    FGT_VM64_KVM (global) # end
    Please type your private data encryption key (32 hexadecimal numbers):
    1234567890abcdef1234567890abcdef
    Please re-enter your private data encryption key (32 hexadecimal numbers) again:
    1234567890abcdef1234567890abcdef
    Your private data encryption key is accepted.
    
    FGT_VM64_KVM # execute restore config tftp FGVM02TM12345678.conf 172.18.70.161
    This operation will overwrite the current setting and could possibly reboot the system!
    Do you want to continue? (y/n)y
    
    Please wait...
    Connect to TFTP server 172.18.70.161 ...
    
    Get file from TFTP server OK.
    File check OK.
    
    FGT_VM64_KVM # 
    
    The system is going down NOW !!
    
    Please stand by while rebooting the system.