Fortinet black logo

Administration Guide

Trusted platform module support

On supported FortiManager hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiManager by generating, storing, and authenticating cryptographic keys.

For more information about which models feature TPM support, see the FortiManager Data Sheet.

By default, the TPM is disabled. To enable it, you must enable private-data-encryption and set the 32 hexadecimal digit master‑encryption‑password. This encrypts sensitive data on the FortiManager using AES128-CBC. With the password, TPM generates a 2048-bit primary key to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data. The primary key protects the master-encryption-password.

The key is never displayed in the configuration file or the system CLI, thereby obscuring the information and leaving the encrypted information in the TPM.

Note

The TPM module does not encrypt the disk drive of eligible FortiManager.

The primary key binds the encrypted configuration file to a specific FortiManager unit and never leaves the TPM. When backing up the configuration, the TPM uses the key to encrypt the master‑encryption‑password in the configuration file. When restoring a configuration that includes a TPM protected master‑encryption‑password:

  • If TPM is disabled, then the configuration cannot be restored.
  • If TPM is enabled but has a different master‑encryption‑password than the configuration file, then the configuration cannot be restored.
  • If TPM is enabled and the master‑encryption‑password is the same in the configuration file, then the configuration can be restored.

For information on backing up and restoring the configuration, see Backing up the system and Restoring the configuration.

The master-encryption-password is also required when migrating the configuration, regardless if TPM is available on the other FortiManager model. For more information, see Migrating the configuration.

Passwords and keys that can be encrypted by the master‑encryption‑key include:

  • Admin password
  • Alert email user's password
  • BGP and other routing related configurations
  • External resource
  • FortiGuard proxy password
  • FortiToken/FortiToken Mobile’s seed
  • HA password
  • IPsec pre-shared key
  • Link Monitor, server side password
  • Local certificate's private key
  • Local, LDAP. RADIUS, FSSO, and other user category related passwords
  • Modem/PPPoE
  • NST password
  • NTP Password
  • SDN connector, server side password
  • SNMP
  • Wireless Security related password
Note

In HA configurations, each cluster member must use the same master‑encryption‑key so that the HA cluster can form and its members can synchronize their configurations.

To check if your FortiManager device has a TPM:

Enter the following command in the FortiManager CLI:

diagnose hardware info

The output in the CLI includes ### TPM info, which displays if the TPM is detected (enabled), not detected (disabled), or not available.

To enable TPM and input the master‑encryption‑password:

Enter the following command in the FortiManager CLI:

config system global

set private-data-encryption enable

end

Please type your private data encryption key (32 hexadecimal numbers):

********************************

Please re-enter your private data encryption key (32 hexadecimal numbers) again:

********************************

Your private data encryption key is accepted.

On supported FortiManager hardware devices, the Trusted Platform Module (TPM) can be used to protect your password and key against malicious software and phishing attacks. The dedicated module hardens the FortiManager by generating, storing, and authenticating cryptographic keys.

For more information about which models feature TPM support, see the FortiManager Data Sheet.

By default, the TPM is disabled. To enable it, you must enable private-data-encryption and set the 32 hexadecimal digit master‑encryption‑password. This encrypts sensitive data on the FortiManager using AES128-CBC. With the password, TPM generates a 2048-bit primary key to secure the master-encryption-password through RSA-2048 encryption. The master-encryption-password protects the data. The primary key protects the master-encryption-password.

The key is never displayed in the configuration file or the system CLI, thereby obscuring the information and leaving the encrypted information in the TPM.

Note

The TPM module does not encrypt the disk drive of eligible FortiManager.

The primary key binds the encrypted configuration file to a specific FortiManager unit and never leaves the TPM. When backing up the configuration, the TPM uses the key to encrypt the master‑encryption‑password in the configuration file. When restoring a configuration that includes a TPM protected master‑encryption‑password:

  • If TPM is disabled, then the configuration cannot be restored.
  • If TPM is enabled but has a different master‑encryption‑password than the configuration file, then the configuration cannot be restored.
  • If TPM is enabled and the master‑encryption‑password is the same in the configuration file, then the configuration can be restored.

For information on backing up and restoring the configuration, see Backing up the system and Restoring the configuration.

The master-encryption-password is also required when migrating the configuration, regardless if TPM is available on the other FortiManager model. For more information, see Migrating the configuration.

Passwords and keys that can be encrypted by the master‑encryption‑key include:

  • Admin password
  • Alert email user's password
  • BGP and other routing related configurations
  • External resource
  • FortiGuard proxy password
  • FortiToken/FortiToken Mobile’s seed
  • HA password
  • IPsec pre-shared key
  • Link Monitor, server side password
  • Local certificate's private key
  • Local, LDAP. RADIUS, FSSO, and other user category related passwords
  • Modem/PPPoE
  • NST password
  • NTP Password
  • SDN connector, server side password
  • SNMP
  • Wireless Security related password
Note

In HA configurations, each cluster member must use the same master‑encryption‑key so that the HA cluster can form and its members can synchronize their configurations.

To check if your FortiManager device has a TPM:

Enter the following command in the FortiManager CLI:

diagnose hardware info

The output in the CLI includes ### TPM info, which displays if the TPM is detected (enabled), not detected (disabled), or not available.

To enable TPM and input the master‑encryption‑password:

Enter the following command in the FortiManager CLI:

config system global

set private-data-encryption enable

end

Please type your private data encryption key (32 hexadecimal numbers):

********************************

Please re-enter your private data encryption key (32 hexadecimal numbers) again:

********************************

Your private data encryption key is accepted.