A master key encrypts all private keys and passwords on the firewall and Panorama. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall or Panorama then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is in a highly secure location that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, you must occasionally change (refresh) this wrapping key.
Firewalls configured in FIPS/CC mode do not support master key encryption using an HSM.
The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
Encrypt the Master Key
If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or when you define a new master key and want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.
Encrypt a Master Key Using an HSM
Select Device > Master Key and Diagnostics.
Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.
If changing the master key, enter the new master key and confirm.
Select the HSM check box and set the following fields:
Life Time: The number of days and hours after which the master key expires (range 1–730 days).
Time for Reminder: The number of days and hours before expiration at which the user is notified of the impending expiration (range 1–365 days).
Click OK.
Refresh the Master Key Encryption
As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and Thales nShield Connect HSMs.
Refresh the Master Key Encryption
Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
If the master key is encrypted on the HSM, the command generates a new wrapping key on the HSM and re-encrypts the master key with the new wrapping key. If the master key is not encrypted on the HSM, the command generates a new wrapping key on the HSM for future use. The old wrapping key is not deleted by this command.