I have found this side note in an article regarding the master key on the firewall.
"Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied."
Basically it's the exact answer to the question I originally had. I am facing a situation where a firewall crashed. I have received the new firewall and have the certificates and the running config saved locally.
When trying to import the config, the firewall skips basically every entry in regards to passwords or keys and shows this as error messages. I do understand the firewall is unable to decrypt those data without a matching master key.
However, from where do I retrieve the master key hash, and do I assume correctly to use the hash as the password for the imported config?
That's not how it works. If you don't know what the previous master key was set to at the time of the crash, it doesn't matter that you have the hash values. The hash values are created with the device's master key, so a hash value without the same master key in use is absolutely pointless as the system is unable to read it. The master key between the devices either needs to match, or you will need to regenerate all passwords and keys.