Encrypt a Master Key Using an HSM
A master key encrypts all private keys and passwords
on the firewall and Panorama. If you have security requirements
to store your private keys in a secure location, you can encrypt
the master key using an encryption key that is stored on an HSM.
The firewall or Panorama then requests the HSM to decrypt the master
key whenever it is required to decrypt a password or private key
on the firewall. Typically, the HSM is in a highly secure location
that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain
security, you must occasionally change (refresh) this wrapping key.
The following topics describe how to encrypt the master key initially
and how to refresh the master key encryption: