Master Key Encryption Enhancement
On physical and virtual Palo Alto Networks appliances, you can now configure master key encryption using either the AES-256-CBC or the AES-256-GCM encryption algorithm (AES-256-GCM is introduced in PAN-OS 10.0) to encrypt data such as keys and passwords. AES-256-GCM improves your security posture because it provides stronger encryption than AES-256-CBC and includes a built-in integrity check. The master key uses the configured encryption algorithm to encrypt sensitive data stored on the firewall and on Panorama.

To use AES-256-GCM, Panorama and all of the devices it manages must run PAN-OS 10.0; the same requirement applies to both peers of an HA pair. The default encryption algorithm for the master key is AES-256-CBC, which maintains compatibility among the devices that Panorama manages and between firewall HA peers until all of the devices can be upgraded to PAN-OS 10.0. Master key activity appears as crypto entries in the System log.

Upgrade all appliances so that each one can use the strongest encryption algorithm available to it.
When you change the encryption algorithm, you can also specify
whether to:
- Re-encrypt existing encrypted data with the new algorithm (default).
- Leave existing data encrypted with the old encryption algorithm and use the new algorithm only for new (future) encryptions.
The master key can produce only a finite number of unique encryptions before it runs out of unique combinations and must start repeating them. Change the master key before its encryptions repeat, so that every encryption it produces remains unique.
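The integrity-check advantage of AES-256-GCM and the re-encryption option in the list above are easy to see in code. The following Go program is an added example written for this page; it is not Palo Alto Networks code and does not reflect how PAN-OS stores or formats encrypted data. It uses only the Go standard library and assumes a storage layout of its own (a random IV or nonce prepended to the ciphertext, PKCS#7 padding for CBC); the function names Encrypt, Decrypt, TamperCheck and Reencrypt, the algorithm labels and the constructed test key are all inventions of the example. TamperCheck flips one bit of a stored blob: under AES-256-GCM decryption fails because the authentication tag no longer verifies, while under AES-256-CBC decryption succeeds and quietly returns altered plaintext. Reencrypt is the documented default when the algorithm changes (decrypt under the old algorithm, write back under the new one); the other option, leaving existing data as it is, is simply not calling it for old blobs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const (
	AlgCBC = "AES-256-CBC"
	AlgGCM = "AES-256-GCM"
)

// Encrypt encrypts pt under a 32-byte master key with alg. Assumed storage layout for this
// example: a fresh random IV (CBC) or nonce (GCM) prepended to the ciphertext.
func Encrypt(key []byte, alg string, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch alg {
	case AlgCBC:
		iv := make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
		n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 padding to a whole block
		padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
		out := make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
		return append(iv, out...), nil // no tag: CBC on its own cannot detect tampering
	case AlgGCM:
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, pt, nil), nil // Seal appends the GCM tag: the built-in integrity check
	}
	return nil, errors.New("unknown algorithm " + alg)
}

// Decrypt reverses Encrypt. Only the GCM path verifies integrity before returning plaintext.
func Decrypt(key []byte, alg string, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	switch alg {
	case AlgCBC:
		if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
			return nil, errors.New("bad ciphertext length")
		}
		out := make([]byte, len(data)-aes.BlockSize)
		cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
		n := int(out[len(out)-1]) // a malformed pad is the only error CBC can ever report
		if n == 0 || n > aes.BlockSize {
			return nil, errors.New("bad padding")
		}
		return out[:len(out)-n], nil
	case AlgGCM:
		gcm, err := cipher.NewGCM(block)
		if err != nil || len(data) < gcm.NonceSize() {
			return nil, errors.New("bad GCM input")
		}
		// Open fails if the nonce, the ciphertext or the tag was changed.
		return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
	}
	return nil, errors.New("unknown algorithm " + alg)
}

// TamperCheck flips one bit of the stored IV/nonce and reports whether Decrypt rejected
// the change (rejected) or silently handed back altered plaintext (altered).
func TamperCheck(key []byte, alg string, pt []byte) (rejected, altered bool, err error) {
	data, err := Encrypt(key, alg, pt)
	if err != nil {
		return false, false, err
	}
	data[0] ^= 0x01
	got, err := Decrypt(key, alg, data)
	if err != nil {
		return true, false, nil
	}
	return false, !bytes.Equal(got, pt), nil
}

// Reencrypt is the documented default on an algorithm change: a blob stored under oldAlg is
// decrypted and written back under newAlg. Leaving old data alone means not calling this.
func Reencrypt(key []byte, oldAlg, newAlg string, data []byte) ([]byte, error) {
	pt, err := Decrypt(key, oldAlg, data)
	if err != nil {
		return nil, err
	}
	return Encrypt(key, newAlg, pt)
}
```

With a 32-byte key, a round trip works under both algorithms, TamperCheck reports rejected for GCM and silently altered for CBC, and a CBC blob passed through Reencrypt decrypts under GCM. A GCM blob fed to the CBC path fails the length check, which is why each stored blob needs to carry its algorithm tag when existing data is left encrypted with the old algorithm.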