
Encryption of local storage on the ProxySG appliance


Article ID: 240401

Products

ProxySG Software - SGOS

Issue/Introduction

How is the local storage on the ProxySG appliance encrypted?

If a ProxySG hard drive is stolen, how is the data protected?

Resolution

The appliance always encrypts passwords, private keys, and other sensitive data before they are written to disk so that hard drive theft would not compromise network security. Specifically, the appliance:

  • Encrypts asymmetric private keys using standard OpenSSL passphrase-based AES encryption. Physical appliances store the master encryption key in a non-removable Flash on the motherboard. In the event of a stolen hard disk, malicious actors would not have access to the passphrase required to recover any of the RSA keys, nor could they recover any of the passwords or other secrets encrypted using those keys. You can also set a passphrase for importing or exporting private keys.
  • Encrypts passwords and other sensitive data using RSA encryption. By default, the encryption uses the configuration-passwords-key keyring and a 2048-bit RSA key. The appliance also uses this keyring to encrypt sensitive output for CLI commands (such as # (config) security password-display encrypted and # show configuration).
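The two layers above (an RSA keyring whose private key sits on disk only in OpenSSL passphrase-based AES form, and secrets encrypted to that keyring) can be modelled with the stock OpenSSL command line. The script below is an added illustration, not Broadcom's code or anything taken from SGOS: the passphrase stands in for the master key that a physical appliance keeps in motherboard flash, and the key size, padding mode, file names and the "admin-password-constructed" secret are all constructed for the demo. The last two lines show the stolen-disk case: with the passphrase the secret is recovered, without it the encrypted key file cannot even be opened.

```shell
#!/bin/sh
# Added example (not ProxySG/SGOS code): models the on-disk protection the
# KB article describes, using only the OpenSSL CLI.
set -u

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Stand-in for the master key held in non-removable flash (constructed value).
MASTER_PASSPHRASE="flash-stored-master-key-demo"

# 1. Create a 2048-bit RSA keyring. Only the passphrase-protected (AES-256,
#    PKCS#8) form of the private key is left "on disk"; the plaintext key is
#    removed right after the public half has been extracted.
create_keyring() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/plain.pem" 2>/dev/null
    openssl pkey -in "$WORKDIR/plain.pem" -pubout -out "$WORKDIR/pub.pem"
    openssl pkey -in "$WORKDIR/plain.pem" -aes256 \
        -passout "pass:$MASTER_PASSPHRASE" -out "$WORKDIR/enc.pem"
    rm -f "$WORKDIR/plain.pem"
}

# 2. Encrypt a secret (a password, say) to the keyring's public key (RSA-OAEP),
#    the way sensitive config values are encrypted to the keyring.
encrypt_secret() {
    printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORKDIR/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -out "$WORKDIR/secret.bin"
}

# 3. Try to recover the secret with a given passphrase. Prints the plaintext on
#    success and nothing when the private key cannot be unlocked.
decrypt_secret() {
    openssl pkeyutl -decrypt -inkey "$WORKDIR/enc.pem" -passin "pass:$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORKDIR/secret.bin" 2>/dev/null || true
}

# What an attacker holding only the disk sees: a PKCS#8 ENCRYPTED PRIVATE KEY
# blob, never the raw RSA key.
on_disk_is_encrypted() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$WORKDIR/enc.pem"
}

main() {
    create_keyring
    encrypt_secret "admin-password-constructed"
    echo "private key stored encrypted on disk: $(on_disk_is_encrypted && echo yes || echo no)"
    echo "with the flash-held passphrase: $(decrypt_secret "$MASTER_PASSPHRASE")"
    echo "with the stolen disk alone:     '$(decrypt_secret wrong-guess)'"
}

main
```

Run it with `sh` on any host that has the `openssl` binary. The point of the split is visible in `decrypt_secret`: the ciphertext and the encrypted keyring can both be copied off the disk, but turning them back into the password needs the passphrase that lives elsewhere.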

Additional Information

For information on protecting secret data in configuration archives, see About the configuration-passwords-key in the ProxySG administration documentation.