I have some questions around the backup encryption key:
- What is the AES operation mode (e.g. CBC, GCM, CTR, etc.)?
- what is the key hierarchy. I assume that eventually, the Unit Key will protect all other keys, but do we then only have the master key protecting the SSL private keys or are there more levels?
- How is the master key being shared between F5 units?
- How is the unit key being stored and encrypted?
UCS encryption is based on GnuPG (https://support.f5.com/csp/article/K5437) which uses by default AES-128+CFB (https://www.rfc-editor.org/rfc/rfc4880#section-13.9)
Regarding the master key, you have more info below