As most of you know, we have released the XG firmware v18 MR3 with security and hardening enhancements, including SSMK (secure storage master key) for the encryption of sensitive data. We wanted to ensure everyone is aware of the new security feature. To benefit from this new security enhancement, additional fixes, and performance improvements, make sure to update to v18 MR3.
The secure storage master key provides extra protection for the account details stored on the XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The accounts have access to services, such as directory services, email servers, FTP servers, and proxies. They also include user accounts stored on the XG Firewall.
You don't enter the master key when you export a configuration.
A different XG Firewall.
The current device if you reset or reimaged its firmware after exporting the configuration.
For more information, please see the Sophos Firewall OS Secure Storage FAQ.
Yes, I've worked that out, but it should be for manual backups as well.
Sophos should be giving us a choice, not forcing our hand to make our jobs harder.
I don't want to use a master key. This is something we don't need and will just make life more difficult for our staff who manage more than 150 different Sophos XG devices.
"Until you create the master key, scheduled backups will run but wont benefit from the extra protection"
Yet I can't click on "backup now" because it comes up with an error saying I have to create a key.
This exception is only for the scheduled backups!
I never got a popup to create the key. There was an alert in the alert list but when I try to set the key I just get an error "Couldn't set the secure storage master key.". Also all 19 access points are offline and despite 3 escalations within Sophos Support they still haven't got them going yet, 24 hours later, which I'm pretty sure is related to the SSMK issue (logs reporting an issue with key length).
Thank you for reaching out!
Your case has been escalated to Development under the ID NC-65133
Agreed. @Sophos, please change as an option that can be opted out of. I don't want this alert every time we log in.
Where do I create the password? I pressed skip and can't find where to enable it.
You should see the SSMK setup prompt on your next login.
I have a similar issue with SSMK, I also can't modify local passwords - according to support this is due to 'secure storage initialization in HA'. I have been instructed to downgrade the firmware on both firewalls then upgrade them again. This is fine if you are on a home network, but not in production.
Unfortunately we have the same issue with XG 550 and it has been in support for a while. We cannot add REDs nor APs. We cannot anymore start a HA with that firewall. It went to some upper level of support but at least yet no answer what to do. It's in production so it's impossible to just reinstall or something. One way is to import all possible config to its former passive HA partner, which has been reset to factory defaults, and accepted SSMK, and to transfer the license to that appliance. Then, factory reset for the former primary appliance and then performing HA connection again, it as a slave.