The master key can only generate a finite number of unique encryptions before it runs out of unique combinations and must repeat encryptions. The firewall creates unique encryptions using the AES-256-GCM encryption algorithm with an Initialization Vector (IV). An IV is an arbitrary number that should only be used one time to create an encryption to ensure that each encryption is unique.

Each encryption using the master key and IV must be unique to prevent forgery attacks. The firewall meets the uniqueness requirement that the probability that the authenticated encryption is ever created with the same IV and the same key on two or more distinct sets of input data is no greater than 2³².

When the IV runs through all of its unique values, the IV value repeats. When the IV value repeats, using the same master key and the repeated IV value to encrypt data means that the encryption is the same as an encryption previously used on other data. Change the Master Key before the system runs out of unique encryptions to prevent the firewall from using the same encryption (master key and IV value combination) on more than one piece of sensitive data. Unique encryption combinations should never be repeated or reused.

To track when you need to change the master key, set the master key Lifetime and Reminder values on each appliance (DeviceMaster Key and Diagnostics and edit the master key). Set the values conservatively, based on the expected volume of master key encryptions, to ensure that all encryptions are unique and no encryption combinations are repeated or reused.