A master key encrypts all private keys and passwords
on the firewall and Panorama. If you have security requirements
to store your private keys in a secure location, you can encrypt
the master key using an encryption key that is stored on an HSM.
The firewall or Panorama then requests the HSM to decrypt the master key
whenever it is required to decrypt a password or private key on
the firewall. Typically, the HSM is in a highly secure location
that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain
security, you must occasionally change (refresh) this wrapping key.
Firewalls configured in FIPS/CC mode do not support master
key encryption using an HSM.
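The key hierarchy described above, as an added illustration that is not PAN-OS code: a stand-in HSM holds the wrapping key, the firewall holds only the wrapped master key plus secrets encrypted under the master key, and a wrapping-key refresh re-wraps the master key without touching any stored ciphertext. The HMAC-based encrypt-then-MAC cipher, the `Hsm` and `Firewall` classes, and their method names are all constructed for this example.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in keystream (illustration only, not PAN-OS code).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC: returns nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")  # a stale wrapping key fails here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Hsm:
    # Stand-in HSM: the wrapping key is generated here and never leaves the object.
    def __init__(self):
        self._wrapping_key = secrets.token_bytes(32)
    def wrap(self, master_key):
        return seal(self._wrapping_key, master_key)
    def unwrap(self, wrapped_master_key):
        return unseal(self._wrapping_key, wrapped_master_key)
    def refresh_wrapping_key(self, wrapped_master_key):
        # Refresh: unwrap under the old key, generate a new key, re-wrap the master key.
        master_key = self.unwrap(wrapped_master_key)
        self._wrapping_key = secrets.token_bytes(32)
        return self.wrap(master_key)

class Firewall:
    # Holds only the wrapped master key and the secrets encrypted under the master key.
    def __init__(self, hsm):
        self.hsm = hsm
        self.wrapped_master_key = hsm.wrap(secrets.token_bytes(32))
        self.encrypted_secrets = {}
    def store_secret(self, name, secret):
        self.encrypted_secrets[name] = seal(self.hsm.unwrap(self.wrapped_master_key), secret)
    def load_secret(self, name):
        # Every decryption first asks the HSM to unwrap the master key.
        return unseal(self.hsm.unwrap(self.wrapped_master_key), self.encrypted_secrets[name])
    def refresh(self):
        # Only the wrapped master key changes; the stored ciphertexts are untouched.
        self.wrapped_master_key = self.hsm.refresh_wrapping_key(self.wrapped_master_key)
```

After `refresh()`, a copy of the previously wrapped master key can no longer be unwrapped by the HSM, while every stored secret remains readable through the new wrapped master key.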
The following topics describe how to encrypt the master key initially
and how to refresh the master key encryption: