  • Dan Achin

    1 year ago
    Hi. Can anyone tell me if the enroll_secret is presented by the client only when it initially enrolls with Fleet, or does it present it at other times like check-ins / posting data / etc?
  • zwass

    1 year ago
    Only at first check in. Later the host presents its unique "node key".
  • Dan Achin

    1 year ago
    OK, thanks much. Would first check-in include service restart?
    We're trying to assess how difficult it would be to rotate that enroll_secret as part of our standard security practices. If we only use it at first check-in, that makes it easier to rotate. 🙂
  • seph

    1 year ago
    No, not a service restart.
    It is presented when, and only when, there is no node key.
    Node keys are stored in the local database directory.
  • zwass

    1 year ago
    Rotating the enroll secret is especially easy since you can have multiple valid secrets at once. But the enroll secret is rarely used anyway.