
manually encrypting/decrypting data with your pan-os device master key

Posted by rqu69


Forum: Da Slop Pit Group

the device master key is used for encrypting secrets in your config, generating api tokens, and probably a bunch of other stuff i haven't looked into much yet. despite the default master key ('p1a2l3o4a5l6t7o8') being widely available, there isn't any public information about how to use this key to manually encrypt and decrypt data.

by default, and on all systems before pan-os 10.0, master key encryption uses aes-256-cbc. master keys are required to be 128 bits, so clearly a key derivation step is required.

the key derivation process is pretty simple. the constant string "pannetwork" is hashed with md5, appended to the master key, and hashed again. since this results in only 128 bits of output, the final key is constructed by repeating the output twice.

x = MD5(KEY || MD5("pannetwork"))
derived_key = x || x

yeah i don't get why they did it this way either.

anyways i also wrote some code so you don't have to. that code also takes care of calculating the sha1 of the plaintext and returning the base64 string that you'll see in most places around pan-os.
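
The key derivation described above, as an added Python example that is not the poster's code. It shows that the 256-bit AES key carries only 128 bits of key material and that an unchanged default master key derives to the same AES key on every device. Assumptions: the inner MD5 is used as its raw 16-byte digest, and the function names are hypothetical.

```python
import hashlib
import hmac

# Values taken from the post above.
DEFAULT_MASTER_KEY = b"p1a2l3o4a5l6t7o8"
KDF_CONSTANT = b"pannetwork"


def derive_key(master_key: bytes) -> bytes:
    """x = MD5(KEY || MD5("pannetwork")); derived_key = x || x."""
    if len(master_key) != 16:
        raise ValueError("master key must be exactly 128 bits (16 bytes)")
    # Assumption: the inner MD5 is used as raw digest bytes, not as hex text.
    inner = hashlib.md5(KDF_CONSTANT).digest()
    x = hashlib.md5(master_key + inner).digest()
    # 32 bytes as AES-256 requires, but the second half repeats the first.
    return x + x


def uses_default_master_key(master_key: bytes) -> bool:
    """True when master_key derives to the same AES key as the default."""
    return hmac.compare_digest(
        derive_key(master_key), derive_key(DEFAULT_MASTER_KEY)
    )


if __name__ == "__main__":
    key = derive_key(DEFAULT_MASTER_KEY)
    print("derived key:     ", key.hex())
    print("halves identical:", key[:16] == key[16:])
    print("default in use:  ", uses_default_master_key(DEFAULT_MASTER_KEY))
```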

