Use the AES-256-GCM or AES-256-CBC encryption algorithm
to encrypt and secure the master key.
You configure the master key encryption algorithm
level and whether to re-encrypt all currently encrypted data with
a new encryption algorithm level using the CLI. Depending on the
order of the keywords, you can change the encryption level or you
can change the encryption level and also specify whether to re-encrypt
previously encrypted data.
The following operational CLI command
changes the encryption level and automatically re-encrypts all currently
encrypted data with the specified encryption level:
admin@PA-NGFW>request encryption-level level <0|1|2>
The
following operational CLI command changes the encryption level and
specifies whether to re-encrypt all currently encrypted data with
the new encryption level:
admin@PA-NGFW>request encryption-level re-encrypt <yes|no> level <0|1|2>
Keyword | Options |
level | 0 = Use the default algorithm
(AES-256-CBC) to encrypt data 1 = Use
the AES-256-CBC algorithm to encrypt data 2 =
Use the AES-256-GCM algorithm to encrypt data The firewall
re-encrypts all currently encrypted data and encrypts new sensitive
data using the specified algorithm. If you don’t want to re-encrypt
existing encrypted data with the new algorithm, specify re-encrypt no in
the command string. This prevents the firewall from automatically
re-encrypting data that the firewall has already encrypted.
Only
use AES-256-GCM when Panorama and all of its managed devices (or
both devices in an HA pair) run PAN-OS 11.0 or greater and configure all
of the devices to use AES-256-GCM. Managed or paired devices that
use different encryption levels may become out of sync.
|
re-encrypt | no = Do not re-encrypt currently
encrypted data. The firewall does not re-encrypt currently encrypted
data. Currently encrypted data remains encrypted with whichever
algorithm the firewall originally used to encrypt the data. The
firewall uses the specified algorithm only to encrypt sensitive
data in the future. yes = Re-encrypt currently
encrypted data with the specified algorithm and use that algorithm
to encrypt sensitive data in the future. |
Use the operational CLI command show system masterkey-properties to
verify the encryption algorithm (level) currently configured on the
device, for example:
admin@PA-NGFW>show system masterkey-properties
Master key expires at: unspecified
Reminders will begin at: unspecified
Master key on hsm: no
Automatically renew master key lifetime: 0
Encryption Level: 1
The output shows that the current
encryption level is 1, which is AES-256-CBC.
If you downgrade
to an earlier version of PAN-OS, the device automatically reverts
the encryption algorithm to a level that the downgraded PAN-OS version supports
and automatically re-encrypts encrypted data using that level so
that the device can decrypt and use the data as needed. For example,
if your device is on PAN-OS 11.0 and uses AES-256-GCM as the encryption
algorithm (which is not supported on earlier versions of PAN-OS),
and you downgrade to PAN-OS 9.1, then the device re-encrypts the
encrypted data to AES-256-CBC, which is supported in PAN-OS 9.1.