Use the AES-256-GCM or AES-256-CBC encryption algorithm to encrypt and secure the master key.

You configure the master key encryption algorithm level and whether to re-encrypt all currently encrypted data with a new encryption algorithm level using the CLI. Depending on the order of the keywords, you can change the encryption level or you can change the encryption level and also specify whether to re-encrypt previously encrypted data.

The following operational CLI command changes the encryption level and automatically re-encrypts all currently encrypted data with the specified encryption level:
admin@PA-NGFW>request encryption-level level <0|1|2>
The following operational CLI command changes the encryption level and specifies whether to re-encrypt all currently encrypted data with the new encryption level:
admin@PA-NGFW>request encryption-level re-encrypt <yes|no> level <0|1|2>
    
  
| Keyword | Options |
|---|---|
| level | 0 = Use the default algorithm (AES-256-CBC) to encrypt data. 1 = Use the AES-256-CBC algorithm to encrypt data. 2 = Use the AES-256-GCM algorithm to encrypt data. The firewall re-encrypts all currently encrypted data and encrypts new sensitive data using the specified algorithm. If you don’t want to re-encrypt existing encrypted data with the new algorithm, specify re-encrypt no in the command string. This prevents the firewall from automatically re-encrypting data that the firewall has already encrypted. Only use AES-256-GCM when Panorama and all of its managed devices (or both devices in an HA pair) run PAN-OS 11.1 or greater and configure all of the devices to use AES-256-GCM. Managed or paired devices that use different encryption levels may become out of sync. |
| re-encrypt | no = Do not re-encrypt currently encrypted data. The firewall does not re-encrypt currently encrypted data. Currently encrypted data remains encrypted with whichever algorithm the firewall originally used to encrypt the data. The firewall uses the specified algorithm only to encrypt sensitive data in the future. yes = Re-encrypt currently encrypted data with the specified algorithm and use that algorithm to encrypt sensitive data in the future. |

Use the operational CLI command show system masterkey-properties to verify the encryption algorithm (level) currently configured on the device, for example:
admin@PA-NGFW>show system masterkey-properties
Master key expires at: unspecified
Reminders will begin at: unspecified
Master key on hsm: no
Automatically renew master key lifetime: 0
Encryption Level: 1
The output shows that the current encryption level is 1, which is AES-256-CBC.
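
The following Python check is an added example, not part of the PAN-OS documentation: it parses captured show system masterkey-properties output from each device in a Panorama group or HA pair and flags the two conditions the level keyword description warns about, mixed encryption levels and AES-256-GCM in use alongside a device below PAN-OS 11.1. The device names, version strings and captured outputs are constructed sample data, and passing each device's PAN-OS version in alongside its output is an assumption of this example.

```python
import re

# Level-to-algorithm mapping taken from the keyword table on this page.
LEVELS = {0: "AES-256-CBC (default)", 1: "AES-256-CBC", 2: "AES-256-GCM"}
GCM_MIN = (11, 1)  # page: use GCM only when every device runs PAN-OS 11.1 or greater

def parse_level(cli_output):
    """Return the integer from the 'Encryption Level:' line, or raise ValueError."""
    m = re.search(r"^\s*Encryption Level:\s*(\d+)\s*$", cli_output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Encryption Level' line found")
    level = int(m.group(1))
    if level not in LEVELS:
        raise ValueError(f"unexpected encryption level {level}")
    return level

def major_minor(version):
    m = re.match(r"(\d+)\.(\d+)", version)  # '11.1.2-h3' -> (11, 1)
    if m is None:
        raise ValueError(f"unparseable PAN-OS version {version!r}")
    return int(m.group(1)), int(m.group(2))

def audit(devices):
    """devices: {name: (panos_version, masterkey_properties_output)} -> list of findings."""
    levels = {name: parse_level(out) for name, (_, out) in devices.items()}
    findings = []
    if len(set(levels.values())) > 1:
        detail = ", ".join(f"{n}={levels[n]}" for n in sorted(levels))
        findings.append(f"encryption levels differ ({detail}); devices may become out of sync")
    if 2 in levels.values():  # GCM is in use somewhere, so every device must be on 11.1+
        for name in sorted(devices):
            version = devices[name][0]
            if major_minor(version) < GCM_MIN:
                findings.append(f"{name} runs PAN-OS {version}, below 11.1, while AES-256-GCM is in use")
    return findings

def sample_output(level):
    # Constructed capture modelled on the example output shown on this page.
    return ("Master key expires at: unspecified\nReminders will begin at: unspecified\n"
            "Master key on hsm: no\nAutomatically renew master key lifetime: 0\n"
            f"Encryption Level: {level}\n")

# Constructed sample group: hypothetical device names and versions.
SAMPLE_GROUP = {"panorama": ("11.1.2", sample_output(2)),
                "fw-a": ("11.1.2", sample_output(2)),
                "fw-b": ("10.2.7", sample_output(1))}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_GROUP)))
```

Running the same audit before issuing request encryption-level with level 2 shows whether any device in the group would be left on a different level.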

If you downgrade to an earlier version of PAN-OS, the device automatically reverts the encryption algorithm to a level that the downgraded PAN-OS version supports and automatically re-encrypts encrypted data using that level so that the device can decrypt and use the data as needed. For example, if your device is on PAN-OS 11.1 and uses AES-256-GCM as the encryption algorithm (which is not supported on earlier versions of PAN-OS), and you downgrade to PAN-OS 9.1, then the device re-encrypts the encrypted data to AES-256-CBC, which is supported in PAN-OS 9.1.