In a synchronisation group, does each device need to have the same master-key?
It seems to me that this shouldn't be the case, as each device is shipped with a different master key.
However, if I set a new master key, won't different devices then store different encrypted keys in the config?
There is an existing DevCentral article, Working with MasterKeys, about this, and from that article:
"...the master key unit is:
Thank you. It would be nice if the mechanism was detailed somewhere.
If the master key is stored in hardware, I would think you wouldn't be able to restore an old UCS archive without having passphrase issues.
Well, there is this knowledge article K9420: Installing UCS files containing encrypted passwords or passphrases:
"After the BIG-IP system becomes a member of the device group, you can run ConfigSync from a peer that has the current configuration. ConfigSync synchronizes the original master key and the configuration to the newly installed BIG-IP system."
But I thought the DevCentral article explained it more clearly.
In HA, the master key needs to be identical across the trust domain.
Another interesting article: https://support.f5.com/csp/article/K73034260