Trusted platform module support
On supported FortiGate hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiGate by generating, storing, and authenticating cryptographic keys. To help prevent tampering, the chip is soldered on the motherboard to reduce the risk of data transaction interceptions from attackers.
By default, the TPM is disabled. When enabling private data encryption, the FortiGate will generate a random master-encryption-password that encrypts sensitive data on the FortiGate using AES128-CBC. With the password, TPM generates a 2048-bit primary key to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data. The primary key protects the master-encryption-password.
Note: The TPM module does not encrypt the disk drive of eligible FortiGates.
The primary key binds the encrypted configuration file to a specific FortiGate unit and never leaves the TPM. When backing up the configuration, the TPM uses the primary key to encrypt the master‑encryption‑password in the configuration file. When restoring a configuration that includes a TPM protected master‑encryption‑password:
- If TPM is disabled, then the configuration cannot be restored.
- If TPM is enabled but has a different master‑encryption‑password than the configuration file, then the configuration cannot be restored.
- If TPM is enabled and the master‑encryption‑password is the same in the configuration file, then the configuration can be restored.
For information on backing up and restoring the configuration, see Configuration backups and reset.
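The key hierarchy and the three restore outcomes above can be modelled in a few dozen lines. The following Go program is an added illustration, not FortiOS code: a 16-byte master key (the random master-encryption-password) encrypts a sensitive field with AES-128-CBC, and an RSA-2048 key pair standing in for the TPM primary key wraps that master key with OAEP. The Backup struct, the function names and the sample secret are this example's own constructs; the model also assumes that a different master-encryption-password always goes with a different primary key, so the "different password" case is represented by a second key pair. Restore is refused when no primary key is present (TPM disabled) and when the wrong primary key is offered, and succeeds only with the key that produced the backup.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Backup models the parts of an exported configuration that matter here:
// a sensitive field encrypted with AES-128-CBC under the master key, plus the
// master key wrapped under the primary key. Field names are this example's own.
type Backup struct {
	WrappedMaster []byte // RSA-OAEP wrapping of the 16-byte master key
	IV            []byte
	Ciphertext    []byte // AES-128-CBC, PKCS#7 padded
}

// pkcs7Pad brings plaintext to a multiple of the AES block size.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates the padding added by pkcs7Pad.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// NewMasterKey plays the role of the random master-encryption-password
// generated when private-data-encryption is enabled (AES-128 key).
func NewMasterKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// NewPrimaryKey stands in for the TPM primary key (RSA-2048). Assumption of
// this model: a new master-encryption-password always comes with a new key pair.
func NewPrimaryKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ExportBackup encrypts one secret under the master key and wraps the master
// key under the primary key's public half, as happens on configuration backup.
func ExportBackup(primary *rsa.PrivateKey, master, secret []byte) (*Backup, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(secret, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &primary.PublicKey, master, nil)
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedMaster: wrapped, IV: iv, Ciphertext: ct}, nil
}

// RestoreBackup mirrors the three restore cases from the text:
//   primary == nil    -> TPM disabled, restore refused
//   different primary -> master key cannot be unwrapped, restore refused
//   matching primary  -> master key recovered, the secret decrypts
func RestoreBackup(primary *rsa.PrivateKey, b *Backup) ([]byte, error) {
	if primary == nil {
		return nil, errors.New("TPM disabled: configuration cannot be restored")
	}
	master, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, primary, b.WrappedMaster, nil)
	if err != nil {
		return nil, fmt.Errorf("master-encryption-password does not match: %w", err)
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(b.Ciphertext))
	cipher.NewCBCDecrypter(block, b.IV).CryptBlocks(pt, b.Ciphertext)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	primary, _ := NewPrimaryKey()
	master, _ := NewMasterKey()
	secret := []byte("constructed-ipsec-psk-sample") // constructed sample value
	b, _ := ExportBackup(primary, master, secret)

	_, err := RestoreBackup(nil, b)
	fmt.Println("TPM disabled:", err)
	other, _ := NewPrimaryKey()
	_, err = RestoreBackup(other, b)
	fmt.Println("different primary key:", err)
	got, err := RestoreBackup(primary, b)
	fmt.Printf("matching primary key: %q err=%v\n", got, err)
}
```

The unwrap step is where the binding to one unit comes from: without the private half of the primary key, the wrapped master key is just opaque bytes, so neither a unit with TPM disabled nor a unit with a different key pair can reach the AES layer at all.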
Passwords and keys that can be encrypted by the master‑encryption‑password include:
- Alert email user's password
- BGP and other routing related configurations
- External resource
- FortiGuard proxy password
- FortiToken/FortiToken Mobile's seed
- HA password
- IPsec pre-shared key
- Link Monitor, server side password
- Local certificate's private key
- Local, LDAP, RADIUS, FSSO, and other user category related passwords
- Modem/PPPoE
- NST password
- NTP password
- SDN connector, server side password
- SNMP
- Wireless Security related password
To check if your FortiGate device has a TPM:
Verify that all of the following commands exist. If any of them is missing, the platform does not support TPM.
# diagnose hardware test info
List of test cases:
bios: sysid
bios: checksum
bios: license
bios: detect
# diagnose hardware deviceinfo tpm
TPM capability information of fixed properties:
=========================================================
TPM_PT_FAMILY_INDICATOR: 2.0
TPM_PT_LEVEL: 0
TPM_PT_REVISION: 138
TPM_PT_DAY_OF_YEAR: 8
TPM_PT_YEAR: 2018
TPM_PT_MANUFACTURER: NTC
# diagnose hardware test tpm
=========== Fortinet Hardware Test Report ===================
TPM
TPM Device Detection.......................................... PASS
================= Fortinet Hardware Test PASSED ==============
# diagnose tpm
get-property Get TPM properties. [Take 0-1 arg(s)]
get-var-property Get TPM var properties.
read-clock Read TPM internal clock.
shutdown-prepare Prepare for TPM power cycle.
selftest Perform self tests.
generate-random-number Generate a 4-byte random number
SHA-1 HASH a sequence of num with SHA-1 algo
SHA-256 HASH a sequence of num with SHA-256 algo
To enable TPM and input the master‑encryption‑password:
config system global
set private-data-encryption enable
end
This operation will generate a random private data encryption key!
Previous config files encrypted with the system default key cannot be restored after this operation!
Do you want to continue? (y/n)y
Private data encryption key generation succeeded!
Note: When enabling private-data-encryption, the FortiGate generates a random password itself. This increases security because the master-encryption-password is not known and cannot be stolen or leaked. As such, a configuration that is backed up while private-data-encryption is enabled cannot be restored when private-data-encryption is disabled, or when private-data-encryption is re-enabled with a different random key. For FortiGates managed by FortiManager, refer to Verifying devices with private data encryption enabled in the FortiManager Administration Guide for steps on managing the FortiGate.
HA behavior
HA will form when both units have the basic matching HA required settings, including the HA group and HA password, regardless of whether private-data-encryption is enabled on both units before or after forming HA.
If private-data-encryption is enabled separately before forming HA, the FortiGates will first form HA and then synchronize the private-data-encryption key after. Once both devices have the same private-data-encryption key, configurations are synchronized from the primary to the secondary.
If private-data-encryption is enabled after the HA cluster is formed, then the primary unit will generate the random master-encryption-password. The password is synchronized from the primary to the secondary immediately after it is created.