Encrypt the master key to protect it from compromise. An attacker who obtains the master
key can decrypt every key and every piece of sensitive data that it protects.
Master key encryption uses a master key to encrypt other cryptographic keys. These
subordinate keys, in turn, encrypt sensitive data such as passwords or other keys. This
layered approach limits the damage from a compromise: if one subordinate key is exposed,
only the data that key protects is at risk. The master key sits at the top of the
hierarchy, so everything beneath it depends on the master key staying secret.
On physical and virtual Palo Alto Networks devices, you can configure the master key to
use either the AES-256-CBC or the AES-256-GCM encryption algorithm. Each algorithm maps to
an encryption level: AES-256-CBC is level 1 and AES-256-GCM is level 2. The default
encryption algorithm is AES-256-CBC. However, AES-256-GCM provides stronger security and
more efficient encryption. AES-GCM is an authenticated mode with built-in authentication
and integrity checks, so ciphertext that has been modified is rejected on decryption.
AES-CBC provides confidentiality only; modified ciphertext decrypts silently to corrupted
plaintext. AES-GCM is also typically faster, because its encryption and decryption can be
parallelized and use hardware AES acceleration, whereas CBC encryption is inherently
sequential. The master key uses the configured encryption algorithm to encrypt sensitive
data stored on next-generation firewalls (NGFWs) and Panorama.
If you set the encryption algorithm to AES-256-GCM, you can still use an HSM to encrypt the master key with an
encryption key that is stored on the HSM.
Use AES-256-GCM (level 2) for master key encryption.
Use the same encryption level on Panorama and its managed devices, and
use the same encryption level on NGFWs in a high availability (HA) pair. Upgrade devices
to use the strongest possible encryption level. The configuration of managed or paired
devices that use different encryption levels may become out of sync.
When you change the encryption algorithm, you have two choices for data that is already
encrypted: re-encrypt the existing encrypted data with the new algorithm, or leave existing
data encrypted with the old algorithm and use the new algorithm only for new (future)
encryptions.
By default, when you change the encryption algorithm, the device uses the new algorithm to
re-encrypt existing encrypted data as well as to encrypt new data. If you manage
devices with Panorama, they may be on different versions of PAN-OS and may not
support the newest encryption algorithms. Be sure you understand which encryption
algorithms Panorama and its managed devices support before you change the encryption
algorithm or re-encrypt data that has already been encrypted.
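The Go program below is an added example written for this page; it is not code from PAN-OS or Palo Alto Networks and does not describe how those devices store data. It models the two ideas above: a master key that wraps a subordinate key, which in turn protects the data, and a per-blob encryption level (1 = AES-256-CBC, 2 = AES-256-GCM) that lets a device keep reading old blobs or re-encrypt them at the stronger level. The blob layout, the function names Encrypt, Decrypt, Reencrypt and Tamper, and the fixed keys are assumptions for illustration only. The run shows why level 2 is recommended: a single flipped byte in a CBC-wrapped key goes unnoticed by the CBC layer and is only caught later by the GCM layer beneath it, whereas the same change to a GCM-wrapped key is rejected immediately.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Encryption levels as named on the page: 1 = AES-256-CBC (the default), 2 = AES-256-GCM.
const (
	LevelCBC byte = 1
	LevelGCM byte = 2
)

// Encrypt returns a self-describing blob: level || IV-or-nonce || ciphertext (hypothetical layout).
func Encrypt(level byte, key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	switch level {
	case LevelGCM:
		gcm, _ := cipher.NewGCM(block)
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce) // crypto/rand.Read always fills the slice (Go 1.24+)
		return gcm.Seal(append([]byte{LevelGCM}, nonce...), nonce, plaintext, nil), nil
	case LevelCBC: // no MAC: mirrors the missing integrity protection the page describes
		iv := make([]byte, aes.BlockSize)
		rand.Read(iv)
		pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
		padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
		ct := make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
		return append(append([]byte{LevelCBC}, iv...), ct...), nil
	}
	return nil, fmt.Errorf("unknown encryption level %d", level)
}

// Decrypt dispatches on the stored level byte, so level 1 and level 2 blobs can coexist.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) == 0 {
		return nil, fmt.Errorf("bad key or empty blob")
	}
	switch blob[0] {
	case LevelGCM:
		gcm, _ := cipher.NewGCM(block)
		n := gcm.NonceSize()
		if len(blob) < 1+n+gcm.Overhead() {
			return nil, fmt.Errorf("gcm blob too short")
		}
		return gcm.Open(nil, blob[1:1+n], blob[1+n:], nil) // tag is checked first: any change is an error
	case LevelCBC:
		body := blob[1:]
		if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
			return nil, fmt.Errorf("cbc blob has bad length")
		}
		pt := make([]byte, len(body)-aes.BlockSize)
		cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
		pad := int(pt[len(pt)-1])
		if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
			return nil, fmt.Errorf("bad padding")
		}
		return pt[:len(pt)-pad], nil // only the padding was checked: a flipped IV byte goes unnoticed
	}
	return nil, fmt.Errorf("unknown encryption level %d", blob[0])
}

// Reencrypt is the "re-encrypt existing encrypted data" choice: read under the old level,
// write back at the new one. The other choice is to pass the new level only to new Encrypt calls.
func Reencrypt(key, blob []byte, newLevel byte) ([]byte, error) {
	pt, err := Decrypt(key, blob)
	if err != nil {
		return nil, err
	}
	return Encrypt(newLevel, key, pt)
}

// Tamper flips one bit of the stored IV or nonce, which needs no key to do.
func Tamper(blob []byte) []byte {
	t := append([]byte{}, blob...)
	t[1] ^= 0x01
	return t
}

func main() {
	masterKey, dek := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed keys
	wrappedDEK, _ := Encrypt(LevelCBC, masterKey, dek) // master key wraps the subordinate key at level 1
	data, _ := Encrypt(LevelGCM, dek, []byte("constructed secret"))
	badDEK, err := Decrypt(masterKey, Tamper(wrappedDEK))
	fmt.Println("tampered level 1 blob rejected:", err != nil) // false: a corrupt DEK comes back
	_, err = Decrypt(badDEK, data)
	fmt.Println("data decrypt with corrupt DEK failed:", err != nil) // true: only the GCM layer notices
	wrappedDEK, _ = Reencrypt(masterKey, wrappedDEK, LevelGCM)
	_, err = Decrypt(masterKey, Tamper(wrappedDEK))
	fmt.Println("tampered level 2 blob rejected:", err != nil) // true
}
```

Because the level byte travels with each blob, level 1 data stays readable after the algorithm is switched to level 2, which is the "leave existing data" option; calling Reencrypt on every stored blob is the "re-encrypt existing data" option. Real keys should come from crypto/rand rather than the fixed values used here for readability.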
High Availability (HA) Pair Considerations
The master key on each NGFW in a high availability (HA) pair must be
identical. You'll need to manually enter the master key on each NGFW.
For more information, see Configure a Master Key.
Both NGFWs in an HA pair must use the same encryption algorithm to avoid
becoming out of sync.
Use AES-256-GCM encryption on both NGFWs in the HA pair.
Master Key Encryption Logs
The firewall generates System logs (Monitor > Logs > System) when you change the master key
encryption algorithm (level) and for re-encryption events.
To view all of the System logs for master key encryption, create a filter that shows
all logs of the type crypto: ( subtype eq crypto )