Master Key Encryption
Focus
Focus

Master Key Encryption

Table of Contents
End-of-Life (EoL)

Master Key Encryption

Encrypt the master key to secure it against being compromised and enabling an attacker to decrypt your keys and other sensitive data.
On physical and virtual Palo Alto Networks devices, you can configure the master key to use the AES-256-CBC or the AES-256-GCM (introduced in PAN-OS 10.0) encryption algorithm to encrypt data such as keys and passwords. AES-256-GCM provides stronger encryption than AES-256-CBC and improves your security posture. It also includes a built-in integrity check. The master key uses the configured encryption algorithm to encrypt sensitive data stored on the firewall and on Panorama. When you set the encryption algorithm to AES-256-GCM, you can still use an HSM to encrypt the master key with an encryption key that is stored on the HSM.
The default encryption algorithm that the master key uses to encrypt data is AES-256-CBC—the same algorithm that the master key used prior to PAN-OS 10.0. AES-256-CBC is the default encryption level because when you manage firewalls with Panorama, the managed firewalls may be on different PAN-OS releases, and firewalls on PAN-OS releases earlier than PAN-OS 10.0 do not support AES-256-GCM. This is why Panorama must use the lowest level of encryption that its managed devices can use. For example, if some managed devices run PAN-OS 10.0 and some run earlier versions, Panorama must use AES-256-CBC. However, if all managed devices run PAN-OS 10.0 or later, then Panorama and all of its managed devices can use AES-256-GCM.
Palo Alto Networks recommends using AES-256-GCM level 2 for master key encryption.
Use the same encryption level on Panorama and its managed devices and use the same encryption level on firewall pairs. Upgrade devices to use the strongest possible encryption algorithm. If all Panorama-managed devices run PAN-OS 10.0, use AES-256-GCM on all devices. The configuration of managed or paired devices that use different encryption levels may become out of sync.
When you change the encryption algorithm to AES-256-GCM, devices use it instead of AES-256-CBC to encrypt sensitive data. When you change from one algorithm to another, you can also specify whether to:
  • Re-encrypt existing encrypted data with the new algorithm.
  • Leave existing data encrypted with the old encryption algorithm and use the new algorithm only for new (future) encryptions.
By default, when you change the encryption algorithm, the device uses the new algorithm to re-encrypt existing encrypted data as well as to encrypt new data. If you manage devices with Panorama, they may be on different versions of PAN-OS and may not support the newest encryption algorithms. Be sure you understand which encryption algorithms Panorama and its managed devices support before you change the encryption algorithm or re-encrypt data that has already been encrypted.