On physical and virtual Palo Alto Networks appliances, you can now configure master key encryption using the AES-256-CBC or the AES-256-GCM (introduced in PAN-OS 10.0) encryption algorithm to encrypt data such as keys and passwords. AES-256-GCM improves your security posture by providing stronger encryption than AES-256-CBC and includes a built-in integrity check. The master key uses the configured encryption algorithm to encrypt sensitive data stored on the firewall and on Panorama.

To use AES-256-GCM, the devices Panorama manages and Panorama must run PAN-OS 10.0. This also applies to HA pairs. The default encryption algorithm that the master key uses to encrypt data is AES-256-CBC, to maintain compatibility among devices that Panorama manages and between firewall HA pairs until all of the devices can upgrade to PAN-OS 10.0. The crypto entries in the System log show master key activity.

When you change the encryption algorithm, you can also specify whether to:

The master key generates a finite number of unique encryptions before it runs out of unique combinations and must repeat encryptions. Change the master key before encryptions repeat to ensure that the master key creates unique encryptions.