#fleet
Dan Achin

11/18/2020, 10:04 PM
Hi. Can anyone tell me if the enroll_secret is presented by the client only when it initially enrolls with Fleet, or does it present it at other times like check-ins / posting data / etc?
zwass

11/18/2020, 10:12 PM
Only at first check in. Later the host presents its unique "node key".
Dan Achin

11/18/2020, 10:13 PM
OK, thanks much. Would first check-in include service restart?
10:16 PM
We're trying to assess how difficult it would be to rotate that enroll_secret as part of our standard security practices. If we only use it at first check-in, that makes it easier to rotate. 🙂
seph

11/19/2020, 3:43 AM
No, not a service restart.
3:43 AM
It is presented when, and only when, there is no node key.
3:43 AM
node keys are stored in the local database directory
zwass

11/19/2020, 5:00 PM
Rotating the enroll secret is especially easy since you can have multiple valid secrets at once. But the enroll secret is rarely used anyway.
Dan Achin

11/19/2020, 8:14 PM
Awesome, thanks!