
Secure Storage Master Key

I don't want to use a secure storage master key. This is something we don't need and will just make life more difficult for our staff who manage more than 150 different Sophos XG devices having to store keys all over the place. I'm sick and tired of the screen popping up every time I log in and the fact I can't take a manual backup.

Will Sophos please stop forcing this and make it optional. I'm the Administrator, not Sophos.



  • I am curious about this request. As this is somewhat similar to backup passwords in the past, did you use backup passwords?

    So having several keys, or one key for all appliances, should be easy to manage if you use a password safe application. You will actually need this in different scenarios: Backup/Restore, API Export/Import.

  • Yes, we use backup passwords, and we're happy just leaving it at that. There's nothing wrong with doing this and it meets our purposes just fine.

    I don't want to have to get my staff to log in to 150 appliances, create 150 different keys, store them somewhere and then have to refer to them all the time for absolutely no reason other than Sophos says we have to.

    We only need to do this because Sophos is forcing us to, which is ridiculous. It should be optional.

  • Hi Stuart,

    The master key is required to do a restore, as well as the backup file password. To me this is overkill, and you still cannot display the backup password.

    Ian

  • I don't understand the problem with this. It's an encryption key to encrypt sensitive data; do you not want the sensitive data encrypted? - my only complaint would be that it should have been part of the OS since day 1, not appear in v18! I can see it may be a bit of a nuisance if you have a lot of XGs to upgrade but it would just be one more step in the upgrade process. As for another bit of data to record, well you already have to organise storing data (like login and backup passwords), so it is only one more data field.

    The bit I don't understand is why it doesn't replace the backup password. I suspect this is a legacy issue and maybe in the future it will.

    The ability to display passwords lowers security. I don't want it and I don't see the need for it.

  • I don't have any sensitive data to encrypt. But even if I did, let me download the key and use the same key on other devices. I don't want 8 different keys for the same customer. Either way, it should be my choice whether I want to use a key or not. They make annoying changes like this, but still can't implement feature requests from 6 years ago with 1000 votes. Just yet another reason to move away from Sophos.

  • Hi Jasp,

    Your answer is not consistent. SSID passwords can be reviewed and changed, which is a greater risk than changing a backup password. If you lose the backup password you cannot do a restore, so you cannot use any historical backups for a restore, which is bad news.

    ian

  • Surely you can just enter the same key for each of a customer's devices? We use one key per customer.

    I do understand your frustration though. I've said it before, but there seems to be little business understanding in the development team. They really need to get to grips with how people use their products and what they need, if they want to be successful. Their product development seems to be driven by nerds isolated from the 'real' world. (I mean that kindly; I consider myself a nerd.)

  • Losing the backup password was/is always a bad idea. I know this is something which occurs quite frequently in the field, and by all means, I would highly recommend moving to a password store application by now.

    I am still interested in the disadvantages of this feature. By all means, all partners/customers should use a password store application in any case. IT security advisers around the world highly recommend doing so.

    Looking at the current situation, it should be a high priority to store all data in a secure manner. To do so, a simple one password per appliance seems to be "ok" from my point of view, as I simply add this into my password store, which is shared across all admins.

    It's more about doing everything in your power to protect everything you can than disabling all features because you do not want to use them. The current situation moves more people to work from home, and hence more applications and appliances are open to the world.

    PS: I recommend the FAQ document about this feature: https://sophos.my.salesforce.com/sfc/p/#30000001GN6a/a/3Z0000002ca3/GcqIPheP7IyXv39883gnYEvzf5gVj.VePOxrhc_m4OE

  • My answer is completely consistent, it is Sophos who aren't consistent. I don't believe you should be able to reveal any passwords. Wherever it is in our control we disable password reveals.

    Like it or not, password management is an essential part of today's IT. You shouldn't be 'losing' a password. I was actually a bit impressed that Sophos make you tick a box to say you have stored the password securely and outlining the consequences of losing it.