Changing the AutoConfigBackup Device Key
The Device Key for the Automatic Configuration Backup Service can be changed at any time.
Changing the device key involves invoking the Change Key function from AutoConfigBackup settings and then completing the process using this Change Device Key Page.
Danger
Changing the Device Key disconnects AutoConfigBackup from all previous backups stored using the old key.
Administrators can still access the old backups so long as they know the old device key and encryption password. Securely store a backup copy of the current device key(s) before changing the device key.
Device Key Change Procedure
To change the Device Key:
Open the pfSense® software GUI in a web browser
Navigate to Services > Auto Config Backup, Settings tab
Click Change Key
Use the icons in each section to download and securely store copies of the Current Device Key and, if present, the Legacy Device Key
Click Generate New Key or manually enter a New Device Key
Read the Warning section
Check the confirmation box
Click Update Key
Click OK on the confirmation dialog
For an explanation of each field on this page, refer to the next section, Change Device Key Page.
Change Device Key Page
The Change Device Key page allows administrators to change the AutoConfigBackup device key. It contains numerous warnings and explanations which guide users through the process.
Danger
Changing the Device Key disconnects AutoConfigBackup from all previous backups stored using the old key.
Administrators can still access the old backups so long as they know the old device key and encryption password. Securely store a backup copy of the current device key(s) before changing the device key.
Current Device Key
The Current Device Key section displays the current randomized device key stored in the device configuration.
The GUI will not display this section if AutoConfigBackup is enabled and using a legacy device key.
The section also includes a count of backup entries on the AutoConfigBackup service associated with the current device key.
Tip
Use the icon in this section to download a copy of the current device key, then store it in a safe and secure location.
If there are zero hosted backups for the current device key, then it may not be necessary to store this key as there isn’t anything left to access using this device key.
Legacy Device Key
The Legacy Device Key section displays the legacy style device key. This older key style is based on the SHA256 hash of the SSH public key on the device.
The GUI will not display this section if the device does not contain any SSH host keys, for example on a fresh installation where SSH has never been enabled.
The section also includes a count of backup entries on the AutoConfigBackup service associated with the legacy device key.
Tip
Use the icon in this section to download a copy of the legacy device key, then store it in a safe and secure location.
If there are zero hosted backups for the legacy device key, then it may not be necessary to store this key as there isn’t anything left to access using this device key.
New Device Key
This field sets a new AutoConfigBackup device key. The key must be exactly 64 hexadecimal characters in length (0 through 9, a through f).
Use the Generate New Key button next to the text field to generate a new randomized key in the correct format.
It is also possible to enter an existing device key in this field to make AutoConfigBackup use a device key from a previous installation.
Warning
Treat this key as a secret!
Anyone who has this key can manipulate the backups for this key.
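A format check for the New Device Key field, plus a way to store a key copy with owner-only permissions, as an added example that is not part of the pfSense software or its documentation. The lowercase-only rule, the distinct-character heuristic and all function names are assumptions of this example, not the GUI's own validation.

```python
import os
import re
import secrets

# Format stated on the page: exactly 64 hexadecimal characters (0-9, a-f).
# Assumption: only lowercase a-f is accepted, as the page lists it.
KEY_RE = re.compile(r"[0-9a-f]{64}")

def generate_device_key() -> str:
    """Return a random key in the documented format (32 CSPRNG bytes as hex)."""
    return secrets.token_hex(32)

def check_device_key(candidate: str) -> list[str]:
    """Return a list of problems; an empty list means the format is valid."""
    problems = []
    key = candidate.strip()  # a downloaded key file may end with a newline
    if len(key) != 64:
        problems.append(f"length is {len(key)}, expected 64")
    if not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("contains non-hexadecimal characters")
    elif key != key.lower():
        problems.append("contains uppercase A-F; use lowercase")
    # The key is a secret, so flag obviously guessable hand-typed values.
    # Assumption: this heuristic is this example's own, not a pfSense rule.
    if KEY_RE.fullmatch(key) and len(set(key)) < 8:
        problems.append("too few distinct characters for a random key")
    return problems

def store_key_copy(key: str, path: str) -> None:
    """Write a backup copy readable only by the owner (mode 0600)."""
    if check_device_key(key):
        raise ValueError("refusing to store a malformed key")
    # O_EXCL: never overwrite an earlier key copy by accident.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key.strip() + "\n")

if __name__ == "__main__":
    print("generated key problems:", check_device_key(generate_device_key()))
    # Constructed sample inputs, not real device keys.
    for sample in ("ABCDEF" + "0" * 58, "0" * 64, "g" * 64, "abc123"):
        print(repr(sample[:12] + "..."), check_device_key(sample))
```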
Warning
This checkbox serves as a confirmation that the administrator has read the warnings and acknowledges the consequence that changing the device key will disconnect AutoConfigBackup from backups stored under the old device key.
After reading and understanding the warnings and saving the old keys, check the box in this section to enable the Update Key button.
Update Key
Clicking the Update Key button will store the new device key in the configuration, replacing the current device key in the process.
Note
This button is disabled by default. Check the Warning checkbox to enable this button.
After clicking the button, the GUI presents one more confirmation box using a JavaScript alert. Click OK on the confirmation dialog to complete the process.
If the New Device Key is not valid, the page will display an error without taking any action.