Adding this documentation on how to generate encrypted passwords for use with the Sophos XG API. The published Sophos documentation is incorrect and lacks some verbosity.
The Sophos process indicates that you should run the aes-128-cbc-tool via the Advanced Shell within the console. (Log in to console -> Device Management [5] -> Advanced Shell [3])
The hash is in hex format, and uses AES 128 bit CBC as the tool above indicates.
The most difficult part was discovering that the published key “Th1s1Ss1mPlygR8API” from the bottom of the documentation above is incorrect. The correct key is “Th1s1Ss1mPlygR8A” because it is 16 characters which is required for the block size.
Using this decryptor (sadly the encryptor doesn’t work for this site), Online Tool for AES Encryption and Decryption, I was able to take the hex value from the documentation (8b1e6eb1b182b1806390ffefc99753fc) and decrypt it.
It immediately throws an error that the key is too long. Reduce it by two characters to “Th1s1Ss1mPlygR8A”, though, and it works.
The AES output is base64 encoded -- decrypt that and you get the text "admin". This isn't published in the documentation but it makes sense as a demo password.
Now since I mentioned before that the Encrypt portion of the tool above didn’t work I had to find a new encryptor. This was somewhat difficult because many require an initialization vector for the encryption which Sophos doesn’t utilize.
I found this one https://encode-decode.com/aes128-encrypt-online/ which let me encrypt it to AES 128 using the shortened key. It outputs to base64 encoding though and the Sophos API uses hex.
Convert the outputted base64 string to hex though and you're good to go. I have tested this on SFOS 18.5.3 firmware and it works. Wasn't able to post screenshots but can provide for anyone else working through this issue.
As a final note - I have not tried using the Sophos aes-128-cbc-tool with the shortened API key yet. Would be interested if that tool does in fact work so if anyone tries it before me let me know!
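The encrypt-then-convert-to-hex procedure described in the post, done locally with the OpenSSL command line instead of online tools. This is an added example, not part of the original post and not Sophos code; it assumes AES-128-CBC with an all-zero IV and PKCS#7 padding (the post only says no IV is used), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Sophos code.
# Assumptions: AES-128-CBC, all-zero IV, PKCS#7 padding, ASCII key bytes.
XG_KEY='Th1s1Ss1mPlygR8A'                    # 16-character key from the post
ZERO_IV='00000000000000000000000000000000'  # assumption: "no IV" means zero IV

# Bytes on stdin -> lowercase hex on stdout.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Hex string argument -> raw bytes on stdout (plain POSIX sh, no xxd needed).
from_hex() (
  hex=$1
  [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd-length hex" >&2; exit 1; }
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}; hex=${hex#??}      # peel off two hex digits
    printf '%b' "\\0$(printf '%o' "0x$pair")"   # emit them as one byte
  done
)

# AES-128 needs exactly 16 key bytes; an 18-character key is rejected here.
key_hex() (
  [ "${#XG_KEY}" -eq 16 ] || { echo "key must be 16 bytes" >&2; exit 1; }
  printf '%s' "$XG_KEY" | to_hex
)

# Plaintext password argument -> hex ciphertext (no base64 step in between).
xg_encrypt() (
  k=$(key_hex) || exit 1
  printf '%s' "$1" | openssl enc -aes-128-cbc -K "$k" -iv "$ZERO_IV" | to_hex
)

# Hex ciphertext argument -> plaintext, for checking a value before using it.
xg_decrypt() (
  k=$(key_hex) || exit 1
  from_hex "$1" | openssl enc -d -aes-128-cbc -K "$k" -iv "$ZERO_IV"
)
```

Source the file and call `xg_encrypt` with the password. Comparing `xg_encrypt admin` against the documentation value quoted in the post checks the assumed mode and padding on your system.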