Hi. Can anyone tell me if the enroll_secret is presented by the client only when it initially enrolls with Fleet, or does it present it at other times like check-ins / posting data / etc?
zwass
11/18/2020, 10:12 PM
Only at first check-in. Later the host presents its unique "node key".
Dan Achin
11/18/2020, 10:13 PM
OK, thanks much. Would first check-in include service restart?
We're trying to assess how difficult it would be to rotate that enroll_secret as part of our standard security practices. If it's only used at first check-in, that makes it easier to rotate. 🙂
seph
11/19/2020, 3:43 AM
No, not a service restart.
It is presented when, and only when, there is no node key.
Node keys are stored in the local database directory.
zwass
11/19/2020, 5:00 PM
Rotating the enroll secret is especially easy since you can have multiple valid secrets at once. But the enroll secret is rarely used anyway.