Encrypt and Refresh Master Keys Using an HSM

Learn how to encrypt a master key, which encrypts all private keys and passwords on your NGFW, for the first time.
A master key encrypts all private keys and passwords on the firewall and Panorama. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on a hardware security module (HSM). The firewall or Panorama then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is in a highly secure location that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, you must occasionally change (refresh) this wrapping key.
If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.
  1. Select Device > Master Key and Diagnostics.
  2. Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.
  3. If changing the master key, enter the new master key and confirm.
  4. Select the HSM check box.
    • Life Time—The number of days and hours after which the master key expires (range 1–730 days).
    • Time for Reminder—The number of days and hours before expiration when the user is notified of the impending expiration (range 1–365 days).
  5. Click OK.
    To disable storing the master key on the HSM, deselect Stored on HSM, then configure a new master key. Enter the Current Master Key and define a New Master Key.
    Alternatively, you can issue the following CLI command:
    request master-key new-master-key <value> current-master-key <value> lifetime <1-438000> reminder <1-8760> on-hsm <yes|no> no-commit <yes|no>
    Commit the configuration afterwards.

Refresh the Master Key Encryption

Rotate the wrapping key that protects your master key periodically to strengthen your security posture.
As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and nCipher nShield Connect HSMs.
  1. Use the following CLI command to rotate the wrapping key for the master key on an HSM:
    > request hsm mkey-wrapping-key-rotation
    If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
    If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
    The old wrapping key is not deleted by this command.
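The two procedures above describe a three-level key hierarchy: stored passwords and private keys are encrypted under the master key, the master key is wrapped by a wrapping key that never leaves the HSM, and rotation replaces only the wrapping key. The following simulation is an added example written for this page; it is not Palo Alto Networks code and does not talk to a real HSM or run `request hsm mkey-wrapping-key-rotation`. The `SimulatedHsm` and `Firewall` classes, the key identifiers, the sample secret and the HMAC-SHA256 authenticated-encryption helper are all constructed here (Python standard library only; a real HSM uses AES-based key wrapping). It shows why rotation is cheap (the vault of encrypted secrets is untouched and still readable), why the firewall must ask the HSM on every use (the master key exists in clear only transiently), and what the page's last sentence implies: the old wrapping key stays on the HSM, so an older wrapped copy of the master key still unwraps, while a blob wrapped under the new key is rejected by the old key.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# --- Authenticated encryption helper, constructed for this example (stdlib only) ---
# HMAC-SHA256 keystream XORed with the plaintext, then encrypt-then-MAC with a
# separately derived MAC key. It stands in for the AES-based wrapping a real HSM uses.
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedHsm:
    """Hypothetical HSM: wrapping-key material never leaves; old keys are retained."""

    def __init__(self) -> None:
        self._wrapping_keys: dict[str, bytes] = {}

    def generate_wrapping_key(self) -> str:
        key_id = f"wk-{len(self._wrapping_keys) + 1:03d}"  # constructed identifier scheme
        self._wrapping_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def wrap(self, key_id: str, secret: bytes) -> bytes:
        return seal(self._wrapping_keys[key_id], secret)

    def unwrap(self, key_id: str, blob: bytes) -> bytes:
        return open_sealed(self._wrapping_keys[key_id], blob)

    def has_key(self, key_id: str) -> bool:
        return key_id in self._wrapping_keys


@dataclass
class Firewall:
    """Hypothetical firewall state: which wrapping key protects the master key, and the vault."""
    hsm: SimulatedHsm
    wrapping_key_id: str
    wrapped_master_key: bytes
    vault: dict[str, bytes] = field(default_factory=dict)  # name -> secret sealed under master key

    @classmethod
    def enroll(cls, hsm: SimulatedHsm, master_key: bytes, plaintext_secrets: dict[str, bytes]) -> "Firewall":
        # First-time encryption of the master key on the HSM (the first procedure above).
        key_id = hsm.generate_wrapping_key()
        fw = cls(hsm, key_id, hsm.wrap(key_id, master_key))
        fw.vault = {name: seal(master_key, value) for name, value in plaintext_secrets.items()}
        return fw

    def _master_key(self) -> bytes:
        # The firewall asks the HSM to unwrap the master key every time it needs it.
        return self.hsm.unwrap(self.wrapping_key_id, self.wrapped_master_key)

    def read_secret(self, name: str) -> bytes:
        return open_sealed(self._master_key(), self.vault[name])

    def rotate_wrapping_key(self) -> str:
        # Models the refresh procedure: new wrapping key, master key re-wrapped under it,
        # vault left untouched, old wrapping key left on the HSM (not deleted).
        master_key = self._master_key()
        new_id = self.hsm.generate_wrapping_key()
        self.wrapped_master_key = self.hsm.wrap(new_id, master_key)
        self.wrapping_key_id = new_id
        return new_id


def demo() -> dict:
    hsm = SimulatedHsm()
    fw = Firewall.enroll(hsm, secrets.token_bytes(32), {"admin-password": b"constructed-sample-secret"})
    old_id, old_blob, vault_before = fw.wrapping_key_id, fw.wrapped_master_key, dict(fw.vault)
    new_id = fw.rotate_wrapping_key()
    try:
        hsm.unwrap(old_id, fw.wrapped_master_key)  # old key against the re-wrapped blob
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "secret_after_rotation": fw.read_secret("admin-password"),
        "wrapping_key_changed": new_id != old_id,
        "vault_unchanged": fw.vault == vault_before,
        "old_wrapping_key_retained": hsm.has_key(old_id),
        "old_blob_still_unwraps": hsm.unwrap(old_id, old_blob) == hsm.unwrap(new_id, fw.wrapped_master_key),
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value!r}")
```

The retained old wrapping key is what lets a configuration backup or a standby peer that still holds the previously wrapped master key be decrypted after a rotation; it is also why rotation alone does not revoke anything, so a compromised wrapping key should be handled through the HSM's own key-deletion controls rather than by rotation.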