Configure Master Key Encryption Level
Focus
Focus

Configure Master Key Encryption Level

Table of Contents
End-of-Life (EoL)

Configure Master Key Encryption Level

Use the AES-256-GCM or AES-256-CBC encryption algorithm to encrypt and secure the master key.
You configure the master key encryption algorithm level and whether to re-encrypt all currently encrypted data with a new encryption algorithm level using the CLI. Depending on the order of the keywords, you can change the encryption level or you can change the encryption level and also specify whether to re-encrypt previously encrypted data.
The following operational CLI command changes the encryption level and automatically re-encrypts all currently encrypted data with the specified encryption level:
admin@PA-NGFW>request encryption-level level <0|1|2>
The following operational CLI command changes the encryption level and specifies whether to re-encrypt all currently encrypted data with the new encryption level:
admin@PA-NGFW>request encryption-level re-encrypt <yes|no> level <0|1|2>
KeywordOptions
level
0 = Use the default algorithm (AES-256-CBC) to encrypt data
1 = Use the AES-256-CBC algorithm to encrypt data
2 = Use the AES-256-GCM algorithm to encrypt data
The firewall re-encrypts all currently encrypted data and encrypts new sensitive data using the specified algorithm. If you don’t want to re-encrypt existing encrypted data with the new algorithm, specify re-encrypt no in the command string. This prevents the firewall from automatically re-encrypting data that the firewall has already encrypted.
Only use AES-256-GCM when Panorama and all of its managed devices (or both devices in an HA pair) run PAN-OS 11.0 or greater and configure all of the devices to use AES-256-GCM. Managed or paired devices that use different encryption levels may become out of sync.
re-encrypt
no = Do not re-encrypt currently encrypted data. The firewall does not re-encrypt currently encrypted data. Currently encrypted data remains encrypted with whichever algorithm the firewall originally used to encrypt the data. The firewall uses the specified algorithm only to encrypt sensitive data in the future.
yes = Re-encrypt currently encrypted data with the specified algorithm and use that algorithm to encrypt sensitive data in the future.
Use the operational CLI command show system masterkey-properties to verify the encryption algorithm (level) currently configured on the device, for example:
admin@PA-NGFW>show system masterkey-properties
Master key expires at: unspecified
Reminders will begin at: unspecified
Master key on hsm: no
Automatically renew master key lifetime: 0
Encryption Level: 1
The output shows that the current encryption level is 1, which is AES-256-CBC.
If you downgrade to an earlier version of PAN-OS, the device automatically reverts the encryption algorithm to a level that the downgraded PAN-OS version supports and automatically re-encrypts encrypted data using that level so that the device can decrypt and use the data as needed. For example, if your device is on PAN-OS 11.0 and uses AES-256-GCM as the encryption algorithm (which is not supported on earlier versions of PAN-OS), and you downgrade to PAN-OS 9.1, then the device re-encrypts the encrypted data to AES-256-CBC, which is supported in PAN-OS 9.1.