Master Key Encryption Enhancement

End-of-Life (EoL)

On physical and virtual Palo Alto Networks appliances, you can now configure the master key to encrypt data such as keys and passwords with either AES-256-CBC or AES-256-GCM (introduced in PAN-OS 10.0). Both modes use the same 256-bit AES key; the difference is what the mode guarantees. AES-256-GCM is an authenticated mode: every encrypted item carries an authentication tag, so any modification of the stored ciphertext is detected at decryption time. AES-256-CBC provides confidentiality only and decrypts altered data without complaint. The master key uses the configured algorithm to encrypt sensitive data stored on the firewall and on Panorama.
To use AES-256-GCM, Panorama and every firewall it manages must run PAN-OS 10.0 or later; the same applies to both peers of an HA pair. The default algorithm remains AES-256-CBC so that a deployment with mixed versions keeps working until every device is upgraded. The crypto entries in the System log record master key activity.
Upgrade all appliances so that every device can use the strongest algorithm available to it, then switch the master key to AES-256-GCM.
When you change the encryption algorithm, you can also specify whether to:
  • Re-encrypt existing encrypted data with the new algorithm (default).
  • Leave existing data encrypted with the old algorithm and use the new algorithm only for new (future) encryptions. Data left under AES-256-CBC carries no integrity check until it is re-encrypted.
The master key can produce only a finite number of unique encryptions (distinct key and nonce/IV combinations) before it runs out and must repeat one. Repetition is especially damaging under AES-256-GCM, where reusing a nonce with the same key exposes the XOR of the two plaintexts and the authentication key, so forged ciphertexts would pass the integrity check. Change the master key before encryptions repeat so that every encryption remains unique.
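The two properties described above, the integrity check that AES-256-GCM adds over AES-256-CBC and the damage done when encryptions repeat, shown in a runnable Go example. This is an added illustration, not PAN-OS or Panorama code: the 32-byte key and the sample secrets are constructed stand-ins, and the appliance's real storage format and nonce handling are not reproduced here.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not PAN-OS code: a fixed 32-byte key stands in for the master
// key, and the two helpers below panic instead of returning errors, for brevity.
func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// EncryptCBC returns iv||ciphertext (PKCS#7 padded). CBC gives confidentiality
// only: there is no tag, so a modified blob looks exactly like a genuine one.
func EncryptCBC(key, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := append(mustRandom(aes.BlockSize), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(mustBlock(key), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// DecryptCBC fails only on length or padding errors; a flipped IV or
// ciphertext bit usually comes back as silently corrupted plaintext.
func DecryptCBC(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustBlock(key), data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad padding")
}
// SealGCM seals under a caller-supplied 12-byte nonce and returns ciphertext||tag.
// Only NonceReuseLeaks should ever pass a nonce that is not fresh random bytes.
func SealGCM(key, nonce, plaintext []byte) []byte {
	aead, _ := cipher.NewGCM(mustBlock(key)) // cannot fail for an AES block
	return aead.Seal(nil, nonce, plaintext, nil)
}

// EncryptGCM returns nonce||ciphertext||tag. The 16-byte tag is the built-in
// integrity check: any change to nonce, ciphertext or tag makes DecryptGCM fail.
func EncryptGCM(key, plaintext []byte) []byte {
	nonce := mustRandom(12)
	return append(nonce, SealGCM(key, nonce, plaintext)...)
}

func DecryptGCM(key, data []byte) ([]byte, error) {
	if len(data) < 12+16 {
		return nil, errors.New("ciphertext too short")
	}
	aead, _ := cipher.NewGCM(mustBlock(key))
	return aead.Open(nil, data[:12], data[12:], nil)
}

// NonceReuseLeaks shows why the number of encryptions under one key is bounded:
// two GCM messages sealed with the same key and nonce satisfy c1^c2 == p1^p2
// byte for byte, and the authentication key leaks too, which enables forgeries.
func NonceReuseLeaks(key []byte) bool {
	nonce := make([]byte, 12) // deliberately reused
	p1, p2 := []byte("password-A"), []byte("password-B")
	c1, c2 := SealGCM(key, nonce, p1), SealGCM(key, nonce, p2)
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for the master key
	secret := []byte("admin:Secret123!")  // one full block, so padding sits in block 2
	cbc := EncryptCBC(key, secret)
	cbc[0] ^= 1 // flip one IV bit: plaintext byte 0 flips and decryption "succeeds"
	pt, err := DecryptCBC(key, cbc)
	fmt.Printf("CBC tampered: %q err=%v\n", pt, err)
	gcm := EncryptGCM(key, secret)
	gcm[12] ^= 1 // flip one ciphertext bit: tag verification fails
	_, err = DecryptGCM(key, gcm)
	fmt.Println("GCM tampered err:", err)
	fmt.Println("nonce reuse leaks p1^p2:", NonceReuseLeaks(key))
}
```

Run it with `go run`: the CBC branch returns the secret with its first byte changed and no error, the GCM branch returns an authentication failure, and NonceReuseLeaks returns true. In these terms, the "re-encrypt existing data" option from the list above is DecryptCBC followed by EncryptGCM for every stored item, which is what gives old data a tag. For scale, NIST SP 800-38D caps a single AES-GCM key at 2^32 encryptions when nonces are generated randomly; the master key limit the text describes is a bound of the same kind.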