Regenerate Secret Keys
When you install Firezone, secrets are generated for encrypting database fields, securing WireGuard tunnels, securing cookie sessions, and more.
If you're looking to regenerate one or more of these secrets, it's possible to do so using the same bootstrap scripts that were used when installing Firezone.
Regenerate secrets
Replacing the DATABASE_ENCRYPTION_KEY
will render all encrypted data in the
database useless. This will break your Firezone install unless you are
starting with an empty database. You have been warned.
Replacing GUARDIAN_SECRET_KEY
, SECRET_KEY_BASE
, LIVE_VIEW_SIGNING_SALT
,
COOKIE_SIGNING_SALT
, and COOKIE_ENCRYPTION_SALT
will reset all browser
sessions and REST API tokens.
Use the procedure below to regenerate secrets:
Navigate to the Firezone installation directory, then:
mv .env .env.bak
docker run firezone/firezone bin/gen-env > .env
Now, move desired env vars from .env.bak
back to .env
, keeping the new
secrets intact.
mv /etc/firezone/secrets.json /etc/firezone/secrets.bak.json
sudo firezone-ctl reconfigure
Regenerate WireGuard private key
Replacing the WireGuard private key will render all existing device configs invalid. Only do so if you're prepared to also regenerate device configs after regenerating the WireGuard private key.
To regenerate WireGuard private key, simply move or rename the private key file. Firezone will generate a new one on next start.
cd $HOME/.firezone
docker-compose stop firezone
sudo mv firezone/private_key firezone/private_key.bak
docker-compose start firezone
sudo firezone-ctl stop phoenix
sudo mv /var/opt/firezone/cache/wg_private_key /var/opt/firezone/cache/wg_private_key.bak
sudo firezone-ctl start phoenix