Excluding private keys from automatic firewall backups

When the configuration of a firewall is backed up, it contains by default the full identity of the firewall, i.e., its certificates and private keys.

If you want to exclude private keys from automatic backups (for example, to protect their confidentiality), set the environment variable FWADMIN_AUTOBACKUP_EXCLUDE_PRIVATE_KEY:

  1. Connect to the SMC server via the console port or SSH connection with the "root" user.
  2. In the file /data/config/fwadmin-env.conf.local, change the value of the environment variable: FWADMIN_AUTOBACKUP_EXCLUDE_PRIVATE_KEY=true
  3. Restart the server with the command nrestart fwadmin-server
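Added helper script (not part of the Stormshield documentation or product) that applies step 2 idempotently and lets you read back the effective value; the file path is a parameter so you can try it on a scratch copy before editing /data/config/fwadmin-env.conf.local. Step 3, the nrestart of fwadmin-server, is still done by hand afterwards.

```shell
#!/bin/sh
# Idempotently set FWADMIN_AUTOBACKUP_EXCLUDE_PRIVATE_KEY in a
# fwadmin-env.conf.local-style KEY=value file, then verify the result.
# Constructed example: FILE is an argument so it can be run against a scratch copy.
set -eu

KEY=FWADMIN_AUTOBACKUP_EXCLUDE_PRIVATE_KEY

# set_env_var FILE VALUE: replace an existing KEY= line, otherwise append one.
set_env_var() {
    file=$1; value=$2
    [ -f "$file" ] || : > "$file"
    if grep -q "^${KEY}=" "$file"; then
        # Write to a temp file and rename, so an interrupted write never
        # leaves a half-written config behind.
        sed "s|^${KEY}=.*|${KEY}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$KEY" "$value" >> "$file"
    fi
}

# get_env_var FILE: print the effective value of KEY (last assignment wins),
# or "unset" if the file does not define it.
get_env_var() {
    v=$(grep "^${KEY}=" "$1" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${v:-unset}"
}

# Example run on a scratch copy; the real file is /data/config/fwadmin-env.conf.local,
# and the change only takes effect after: nrestart fwadmin-server
scratch=$(mktemp)
set_env_var "$scratch" true
get_env_var "$scratch"   # prints: true
rm -f "$scratch"
```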

On firewalls equipped with initialized TPM chips (Trusted Platform Module), keys are excluded from automatic backups by default. The environment variable does not need to be modified.

For more information on protecting certificates with TPMs, refer to the section Disabling TPM (Trusted Platform Module) certificate protection during installation on the firewall.