Sophos XG Firewall v18 MR3: SSMK(Secure Storage Master Key) for encryption of sensitive data.

Hey Community,

As most of you know, we have released the XG firmware v18 MR3 with security and hardening enhancements, including SSMK (secure storage master key) for the encryption of sensitive data. We wanted to ensure everyone is aware of the new security feature. To benefit from this new security enhancement, additional fixes, and performances, make sure to update to v18 MR3. 

Secure storage master key

The secure storage master key provides extra protection for the account details stored on the XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The accounts have access to services, such as directory services, email servers, FTP servers, and proxies. They also include user accounts stored on the XG Firewall.

Default administrator

  • You can only create the secure storage master key when you sign in using the default administrator's credentials. The XG Firewall provides a default super administrator with the username set to admin. For more details of the default administrator, see Administration > Device access and scroll down to Default admin password settings.

  • Other administrators can see the alert for creating the secure storage master key on the control center, but can't create the key when they sign in using their own credentials.

New secure storage master key

  • If you lose the master key, go to the command-line console to create a new one (2. System Configuration > 5. Reset secure storage master key).
  • You can't recover backups, and configuration exports made using the old key, but all new backups and exports will use the new key.

Important note:
  • If you lose the secure storage master key, you can't recover it. Make sure you store it in a password management system or another secure location.
  • If you lose the SSMK used to create a backup, you won’t be able to restore it completely.
  • If you change the SSMK to a new one and then want to restore a backup generated before the new SSMK was generated, you still need to remember and use the old SSMK to restore that backup.

Backup and restore

  • You must enter the secure storage master key when you restore a backup configuration that has a master key. If you don't enter the master key, you can't restore backups that have a master key.
  • The master key is in addition to the backup encryption password.
  • Scheduled backup
    • Until you set the master key, XG Firewall continues to take scheduled backups, but the backups won’t have the master key’s extra protection.
  • Manual backup
    • You must create the master key before taking a manual backup.
Important note:
  • After you create the master key, all new backups use it to secure sensitive data. If you don't enter the master key, you can't restore these backups. However, you can restore backups taken before the master key was set.
  • In case a backup should be shared with Technical Support, our support team will need both passwords: the encryption password for the backup and the SSMK used on that backup.

Import export

  • You don't enter the master key when you export a configuration.

  • Configurations without the master key
    • You could export the configuration and import it to the same firewall along with sensitive information and the dependent configurations if the firmware wasn't reset or reimaged after the export.
    • You won't be able to import sensitive information and dependent configurations if you're importing the configuration to the following devices:
      • A different XG Firewall.

      • The current device if you reset or reimaged its firmware after exporting the configuration.

    • You'll need to reenter or recreate the information later. You'll be able to import the rest of the configuration.
  • Configurations with the master key
    • You must enter the master key when you import the configuration to the following devices:
      • A different XG Firewall.
      • The current device if you reset or reimaged its firmware after exporting the configuration.
    • If you don't enter the master key, you can import the configuration, but you'll lose sensitive information and dependent configurations. For example, if you don't enter the master key when you import a configuration containing users and their dependent configurations, the users and their dependent configurations won't be imported. You'll need to reenter or recreate the information later.

  • Configurations without sensitive information
    • When you import a configuration that doesn't contain sensitive information, you don't need to enter the master key.

High availability

  • The master key is synchronized between the two HA devices in both active-active and active-passive modes.
  • The master key continues on a standalone device and on both devices when you disable HA on either device.
  • In active-passive mode, you can only set and reset the master key through the primary device.

 Factory configuration / re-image

  • The XG Firewall removes the secure storage master key in the following instances:
    • Resetting to factory configuration.
    • Reimaging the firewall.
  • After resetting or reimaging the firewall, you can enter the master key to restore or import the configurations.
  • Rollback to an earlier version
    • After you set the master key, if you roll back to the previous version, you continue to have the previous configuration. You'll only lose the configuration changes you had made prior to the rollback.

KBA & documentation links

FAQ

What's encrypted?

  • Currently, the sensitive information that will be encrypted are user passwords, wifi AP secrets, hotspot vouchers, and SPX users.
  • In future releases, the encrypted information will include auth servers, email servers, BATV secrets, USB stick passwords, PPoE passwords, IPsec PSK, SSLVPN, RADIUS secrets, parent proxy, DynDNS, private keys for SSL certificates, VPN certificates, SyncSec certificates, and TLS decrypt certificates.

For more information, please see the Sophos Firewall OS Secure Storage FAQ.



Changed import/export screenshot
[edited by: H_Patel at 4:40 PM (GMT -7) on 14 Oct 2020]