On physical and virtual Palo Alto Networks appliances,
you can configure master key encryption using either
the AES-256-CBC or the AES-256-GCM (introduced in PAN-OS 10.0) encryption
algorithm to encrypt data such as keys and passwords. AES-256-GCM
improves your security posture because it is an authenticated encryption
mode: it uses the same 256-bit AES key strength as AES-256-CBC but also
produces an integrity tag, so any tampering with the stored encrypted data
is detected when the data is decrypted. AES-256-CBC provides confidentiality
only and has no built-in integrity check. The master
key uses the configured encryption algorithm to encrypt
sensitive data stored on the firewall and on Panorama.
To use AES-256-GCM, Panorama and every firewall that Panorama
manages must run PAN-OS 10.0 or later; the same applies to both peers
in an HA pair. The default encryption algorithm that the master key uses
to encrypt data is AES-256-CBC, to maintain compatibility among the devices
that Panorama manages and between firewall HA pairs until all of the devices
have been upgraded to PAN-OS 10.0. The crypto entries in the System
log show master key activity, so you can confirm there that the
algorithm change and any re-encryption completed.
Upgrade all appliances so that they can use
the strongest encryption algorithm available to them (AES-256-GCM).
When you change the encryption algorithm, you also choose what happens
to data that is already encrypted. You can either re-encrypt the existing
encrypted data with the new algorithm (the default), or leave the existing
data encrypted with the old algorithm and use the new algorithm only for
new (future) encryptions. If you choose the second option, data that was
encrypted under AES-256-CBC keeps no integrity protection until it is
re-encrypted, so prefer the default unless a compatibility constraint
prevents it.
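The difference between the two modes that matters here is the integrity check. The following Go program, added as an illustration and not code from Palo Alto Networks or PAN-OS, encrypts a constructed credential record under AES-256-CBC and under AES-256-GCM with the Go standard library, flips a single bit in each stored blob, and shows how each decryptor reacts. The key, the record and the function names (EncryptCBC, DecryptCBC, EncryptGCM, DecryptGCM, TamperCBC, TamperGCM) are all assumptions of this example; the master key format PAN-OS actually uses is not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleSecret is a constructed stand-in for an encrypted credential record.
const SampleSecret = "role=user;name=alice"

// TamperResult records what a decryptor did with a modified blob.
type TamperResult struct {
	Accepted  bool   // decryption returned without error
	Plaintext string // what the decryptor handed back, if accepted
	Reason    string // error text, if rejected
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC returns iv || AES-256-CBC(PKCS#7(plaintext)). Confidentiality only.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// DecryptCBC reverses EncryptCBC. Only the padding is checked, so a bit flip in
// the IV is never detected: it simply flips the same bit of the first plaintext block.
func DecryptCBC(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(out, blob[aes.BlockSize:])
	return pkcs7Unpad(out)
}

// EncryptGCM returns nonce || ciphertext || tag. The tag is computed over the
// ciphertext under a nonce-derived key, so changing any byte of the blob is rejected.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM reverses EncryptGCM; Open fails if the nonce, ciphertext or tag was modified.
func DecryptGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("bad ciphertext length")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// tamper flips the low bit of the first stored byte (the IV for CBC, the nonce for GCM)
// and reports what the decryptor does with the modified blob.
func tamper(key []byte, enc, dec func([]byte, []byte) ([]byte, error)) (TamperResult, error) {
	blob, err := enc(key, []byte(SampleSecret))
	if err != nil {
		return TamperResult{}, err
	}
	blob[0] ^= 0x01
	pt, err := dec(key, blob)
	if err != nil {
		return TamperResult{Reason: err.Error()}, nil
	}
	return TamperResult{Accepted: true, Plaintext: string(pt)}, nil
}

func TamperCBC(key []byte) (TamperResult, error) { return tamper(key, EncryptCBC, DecryptCBC) }
func TamperGCM(key []byte) (TamperResult, error) { return tamper(key, EncryptGCM, DecryptGCM) }

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit test key, not a real master key
	for _, m := range []struct {
		name string
		run  func([]byte) (TamperResult, error)
	}{{"AES-256-CBC", TamperCBC}, {"AES-256-GCM", TamperGCM}} {
		r, err := m.run(key)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s after one flipped bit: %+v\n", m.name, r)
	}
}
```

With CBC the decryptor returns "sole=user;name=alice" (the flipped IV bit flips the first plaintext byte from r to s) and reports no error; with GCM the same flip fails authentication and no plaintext is released. That is the property the "Re-encrypt existing encrypted data" option extends to data that is already on the appliance.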