

Shall all master-keys be unique?

In a synchronisation group, does each device need to have the same master-key? It seems to me that this shouldn't be the case, as each device is shipped with a different master key. However, if I set a new master key, won't different devices then store different encrypted keys in the config?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

There is an existing DevCentral article, Working with MasterKeys, about this, and from that article:

"...the master key unit is:

  • Different on each standalone device but shared within a cluster.
  • Different on each vCMP guest and is dissociated from vCMP host."

Comments on this Answer
Comment made 21-Feb-2018 by uni 1155

Thank you. It would be nice if the mechanism was detailed somewhere.

If the master key is stored in hardware, I would think you wouldn't be able to restore an old ucs archive without having passphrase issues.

Comment made 21-Feb-2018 by Jie 2732

Well, there is this knowledge article K9420: Installing UCS files containing encrypted passwords or passphrases:

"After the BIG-IP system becomes a member of the device group, you can run ConfigSync from a peer that has the current configuration. ConfigSync synchronizes the original master key and the configuration to the newly installed BIG-IP system."

, but I thought the DevCentral article explained it more clearly.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In HA, the master key needs to be identical across the trust domain. Another interesting article: https://support.f5.com/csp/article/K73034260
