Support for HSM to Protect XG Appliance Private Keys
Sophos is heavily promoting TLS inspection, especially with the engine improvements in v18.
Given that those features require the creation and enterprise-wide trust of an issuing CA certificate for the XG, there are obvious concerns about the security of this key.
Can Sophos include support for cryptographic Hardware Security Modules (HSMs) via network and/or USB to protect the confidentiality of these crucial keys and provide a higher level of confidence in defending against unauthorised extraction of the private key from the XG appliance?
The client authentication feature also requires enterprise-wide trust of a private key for the XG appliance(s).
Even in a well-designed enterprise PKI where a root CA has been deployed with an HSM and subordinate issuing certificates have been granted to XG appliances to make rescinding compromised or legacy private keys easier, additional protection for the use of those keys by XG would be desirable.