Excluding private keys from automatic firewall backups

When the configuration of a firewall is backed up, the backup by default contains the full identity of the firewall, i.e., its certificates and private keys.

If you want to exclude private keys from automatic backups, for example to protect their confidentiality, you can modify the environment variable SMC_AUTOBACKUP_EXCLUDE_PRIVATE_KEY_ENABLED:

  1. Log in to the SMC server via the console of your hypervisor or over SSH.
  2. In the file /data/config/fwadmin-env.conf.local, change the value of the environment variable: SMC_AUTOBACKUP_EXCLUDE_PRIVATE_KEY_ENABLED=true
  3. Restart the server with the command nrestart fwadmin-server.
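The following script is an added example, not Stormshield's code: it applies step 2 idempotently (rewriting an existing assignment, even a commented-out one, or appending it) and verifies that the variable is effectively true before the restart in step 3. The path and variable name come from the procedure above; SMC_ENV_CONF and the sample file content are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not Stormshield's code): idempotently set a KEY=VALUE line
# in an environment file such as /data/config/fwadmin-env.conf.local and
# verify the result. SMC_ENV_CONF is an assumed override for testing on a copy.

CONF="${SMC_ENV_CONF:-/data/config/fwadmin-env.conf.local}"
KEY="SMC_AUTOBACKUP_EXCLUDE_PRIVATE_KEY_ENABLED"

# set_env_var FILE KEY VALUE: rewrite an existing assignment of KEY (even a
# commented-out one) or append it; every other line is left untouched.
# VALUE must not contain '|', '&' or newlines (it is used in a sed replacement).
set_env_var() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_env_var FILE KEY: print the effective (uncommented) value; last one wins.
get_env_var() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# private_keys_excluded FILE: succeed only when the variable is explicitly true.
private_keys_excluded() {
    [ "$(get_env_var "$1" "$KEY")" = "true" ]
}

# Demonstration on a constructed sample file, not the live configuration.
demo() {
    sample="$(mktemp)"
    printf '# local overrides (constructed sample)\n%s=false\nOTHER_SETTING=1\n' "$KEY" > "$sample"
    private_keys_excluded "$sample" && echo "before: excluded" || echo "before: included"
    set_env_var "$sample" "$KEY" true
    private_keys_excluded "$sample" && echo "after: excluded" || echo "after: included"
    rm -f "$sample"
}

# On the SMC server itself: apply the setting, then restart as in step 3.
apply_live() {
    set_env_var "$CONF" "$KEY" true
    nrestart fwadmin-server
}

demo
```

Run demo on any machine to see the before/after check; call apply_live only on the SMC server, where the configuration file and nrestart exist.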

On firewalls equipped with initialized TPMs (Trusted Platform Module), keys are excluded from automatic backups by default. The environment variable does not need to be modified.

For more information on protecting certificates with TPMs, refer to the section Disabling TPM (Trusted Platform Module) certificate protection during installation on the firewall.