Changing the AutoConfigBackup Device Key

The Device Key for the Automatic Configuration Backup Service can be changed at any time.

Changing the device key involves invoking the Change Key function from the AutoConfigBackup settings and then completing the process on the Change Device Key page.

Danger

Changing the Device Key disconnects AutoConfigBackup from all previous backups stored using the old key.

Administrators can still access the old backups so long as they know the old device key and encryption password. Securely store a backup copy of the current device key(s) before changing the device key.

Device Key Change Procedure

To change the Device Key:

  • Open the pfSense® software GUI in a web browser

  • Navigate to Services > Auto Config Backup, Settings tab

  • Click Change Key

  • Use the download icons in each section to download and securely store copies of the Current Device Key and, if present, the Legacy Device Key

  • Click Generate New Key or manually enter a New Device Key

  • Read the Warning section

  • Check the confirmation box

  • Click Update Key

  • Click OK on the confirmation dialog

For an explanation of each field on this page, refer to the next section, Change Device Key Page.

Change Device Key Page

The Change Device Key page allows administrators to change the AutoConfigBackup device key. It contains numerous warnings and explanations which guide users through the process.

Danger

Changing the Device Key disconnects AutoConfigBackup from all previous backups stored using the old key.

Administrators can still access the old backups so long as they know the old device key and encryption password. Securely store a backup copy of the current device key(s) before changing the device key.

Current Device Key

The Current Device Key section displays the current randomized device key stored in the device configuration.

The GUI will not display this section if AutoConfigBackup is enabled and using a legacy device key.

The section also includes a count of backup entries on the AutoConfigBackup service associated with the current device key.

Tip

Use the download icon in this section to download a copy of the current device key, then store it in a safe and secure location.

If there are zero hosted backups for the current device key, then it may not be necessary to store this key as there isn’t anything left to access using this device key.

Legacy Device Key

The Legacy Device Key section displays the legacy style device key. This older key style is based on the SHA256 hash of the SSH public key on the device.

The GUI will not display this section if the device does not contain any SSH host keys, for example on a fresh installation where SSH has never been enabled.

The section also includes a count of backup entries on the AutoConfigBackup service associated with the legacy device key.

Tip

Use the download icon in this section to download a copy of the legacy device key, then store it in a safe and secure location.

If there are zero hosted backups for the legacy device key, then it may not be necessary to store this key as there isn’t anything left to access using this device key.

New Device Key

This field sets a new AutoConfigBackup device key. The key must be exactly 64 hexadecimal characters in length (0 through 9, a through f).

Use the Generate New Key button next to the text field to generate a new randomized key in the correct format.

It is also possible to enter an existing device key in this field to make AutoConfigBackup use a device key from a previous installation.

Warning

Treat this key as a secret!

Anyone who has this key can manipulate the backups for this key.
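The following is an added example, not part of the pfSense software or its documentation: a workstation-side helper that generates a key in the format described above, checks a key before it is pasted into the New Device Key field, and stores a backup copy in an owner-only file. The function names are hypothetical, and rejecting uppercase digits is an assumption drawn from the stated character set (0 through 9, a through f).

```python
import os
import re
import secrets


def generate_device_key() -> str:
    """Return a random key in the documented format (32 CSPRNG bytes as hex)."""
    return secrets.token_hex(32)


def check_device_key(text: str) -> list:
    """Return a list of format problems; an empty list means well formed."""
    problems = []
    if text != text.strip():
        # Typical after copying a key out of a downloaded file.
        problems.append("leading or trailing whitespace")
    key = text.strip()
    if len(key) != 64:
        problems.append(f"length is {len(key)}, expected 64")
    if re.search(r"[A-F]", key):
        # Assumption: strict reading of "a through f" as lowercase only.
        problems.append("uppercase hex digits")
    bad = sorted(set(re.sub(r"[0-9a-fA-F]", "", key)))
    if bad:
        problems.append("non-hex characters: " + "".join(bad))
    return problems


def store_key_backup(key: str, path: str) -> None:
    """Write a key to a new owner-only file, never overwriting a backup."""
    if check_device_key(key):
        raise ValueError("refusing to store a malformed device key")
    # O_EXCL: an existing file may be the only copy of an older key.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)


if __name__ == "__main__":
    new_key = generate_device_key()
    print("generated key is well formed:", check_device_key(new_key) == [])
    # Constructed sample inputs, not real device keys.
    for sample in ("AB" * 32, "0123" * 15, "g" * 64, "ab" * 32 + "\n"):
        print(repr(sample[:12]), check_device_key(sample))
```
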

Warning

This checkbox serves as a confirmation that the administrator has read the warnings and acknowledges the consequence that changing the device key will disconnect AutoConfigBackup from backups stored under the old device key.

After reading and understanding the warnings and saving the old keys, check the box in this section to enable the Update Key button.

Update Key

Clicking the Update Key button will store the new device key in the configuration, replacing the current device key in the process.

Note

This button is disabled by default. Check the Warning checkbox to enable this button.

After clicking the button, the GUI presents one more confirmation box using a JavaScript alert. Click OK on the confirmation dialog to complete the process.

If the New Device Key is not valid, the page will display an error without taking any action.