Why is a Decryption Key Required When Loading an Imported Configuration File?
The decryption key is required when the source Palo Alto Networks firewall (from where the configuration file was exported), has a Master Key configured. The same key that was used on the source firewall must be used on the destination firewall when importing the configuration.
The Master Key is used to encrypt private keys on the firewall, which includes the RSA key used to authenticate the server when logging into CLI and the private key used by the web server when logging into the web interface. Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied. The Master Key provides more security to those passwords.
The Master Key is configured at Device > Master Key and Diagnostics: