TPM hardware module 7.2.2
An enhanced security layer is added to FortiManager: when private data encryption is enabled, the encryption key is stored securely on the TPM hardware module.
Only select FortiManager hardware models feature a Trusted Platform Module (TPM) that can be used to protect your password and key against malicious software and phishing attacks. This dedicated micro-controller module hardens physical networking appliances by generating, storing, and authenticating cryptographic keys.
For more information about which FortiManager models feature TPM support, see the FortiManager Data Sheet.
The TPM is disabled by default, but it can be enabled from the FortiManager CLI.
To enable TPM, you must enable private-data-encryption and set the 32 hexadecimal digit master-encryption-password. This encrypts sensitive data on the FortiManager using AES128-CBC. With the password, the TPM generates a 2048-bit primary key to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data and the primary key protects the master-encryption-password.
The key is never displayed in the configuration file or in the system CLI, so it cannot be read from either; the encrypted material remains on the TPM.
The primary key binds the encrypted configuration file to a specific FortiManager unit and never leaves the TPM. When backing up the configuration, the TPM uses the key to encrypt the master-encryption-password in the configuration file. When restoring a configuration that includes a TPM-protected master-encryption-password:
- If TPM is disabled, then the configuration cannot be restored.
- If TPM is enabled but has a different master-encryption-password than the configuration file, then the configuration cannot be restored.
- If TPM is enabled and the master-encryption-password is the same in the configuration file, then the configuration can be restored.
For more information about backing up the system, restoring the configuration, or migrating the configuration, see the FortiManager Administration Guide.
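The key hierarchy and the three restore outcomes above can be modelled in a few dozen lines. The following Go program is an added example, not Fortinet code: it simulates one unit's non-exportable RSA-2048 primary key, derives the 16-byte AES-128 key from a 32-hexadecimal-digit master-encryption-password, encrypts private data with AES-128-CBC, wraps the master key under the primary key for a backup, and then applies the restore rules (TPM disabled, different master-encryption-password, different unit). The use of RSA-OAEP, PKCS#7 padding, the OAEP label and the backup layout are assumptions of this model; the page only states AES128-CBC and RSA-2048.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Unit models one appliance whose TPM holds a primary key that never leaves it.
type Unit struct{ primary *rsa.PrivateKey }

// NewUnit simulates TPM provisioning of a fresh 2048-bit primary key.
func NewUnit() (*Unit, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Unit{primary: k}, nil
}

// ParseMasterPassword enforces the 32-hexadecimal-digit rule and returns the
// 16-byte AES-128 key that the master-encryption-password represents.
func ParseMasterPassword(s string) ([]byte, error) {
	if len(s) != 32 {
		return nil, fmt.Errorf("need 32 hexadecimal digits, got %d characters", len(s))
	}
	key, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("not hexadecimal: %w", err)
	}
	return key, nil
}

// EncryptPrivateData is AES-128-CBC with PKCS#7 padding; output is IV || ciphertext.
func EncryptPrivateData(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptPrivateData reverses EncryptPrivateData and validates the padding.
func DecryptPrivateData(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// Backup is the (assumed) layout of a configuration backup: the master key
// wrapped by this unit's primary key, plus the AES-encrypted private data.
type Backup struct{ WrappedMasterKey, PrivateData []byte }

var wrapLabel = []byte("master-encryption-password") // constructed OAEP label

// Backup encrypts the private data and binds the master key to this unit.
func (u *Unit) Backup(masterKey, privateData []byte) (*Backup, error) {
	data, err := EncryptPrivateData(masterKey, privateData)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &u.primary.PublicKey, masterKey, wrapLabel)
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedMasterKey: wrapped, PrivateData: data}, nil
}

// Restore applies the page's three rules: TPM disabled -> refuse; wrapped key
// not unwrappable by this unit's primary key -> refuse (bound to another unit);
// unwrapped key differs from the locally configured one -> refuse.
func (u *Unit) Restore(tpmEnabled bool, localMasterKey []byte, b *Backup) ([]byte, error) {
	if !tpmEnabled {
		return nil, errors.New("TPM disabled: cannot restore a TPM-protected configuration")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, u.primary, b.WrappedMasterKey, wrapLabel)
	if err != nil {
		return nil, errors.New("primary key mismatch: backup is bound to a different unit")
	}
	if !bytes.Equal(key, localMasterKey) {
		return nil, errors.New("master-encryption-password differs from the configuration file")
	}
	return DecryptPrivateData(key, b.PrivateData)
}

func main() {
	key, _ := ParseMasterPassword("00112233445566778899aabbccddeeff") // constructed sample
	unit, _ := NewUnit()
	bk, _ := unit.Backup(key, []byte("constructed private data"))
	_, err := unit.Restore(false, key, bk)
	fmt.Println("restore with TPM disabled:", err)
}
```

The model mirrors the page's structure: the primary key is held only inside the Unit value and is never serialized, so a backup from one unit cannot be unwrapped on another, and a unit with a different master-encryption-password refuses the file even though it can unwrap it.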
To check if your FortiManager device has a TPM:
Enter the following command in the FortiManager CLI:
diagnose hardware info
The output in the CLI includes ### TPM info, which displays whether the TPM is detected (enabled), not detected (disabled), or not available.
To enable TPM and input the master-encryption-password:
Enter the following command in the FortiManager CLI:
config system global
set private-data-encryption enable
end
Please type your private data encryption key (32 hexadecimal numbers):
********************************
Please re-enter your private data encryption key (32 hexadecimal numbers) again:
********************************
Your private data encryption key is accepted.