
Fortigate private-encryption-key value should be removed from config when remove_secret is set to true

Open ebarrett-Ocient opened this issue 1 year ago • 1 comments

The value of private-encryption-key in Fortigate config files changes frequently. Ideally, when remove_secret is set to true, Oxidized should remove this value from the downloaded configuration. This will result in Oxidized no longer identifying a configuration change every time the value of private-encryption-key is changed.

ebarrett-Ocient avatar Oct 10 '24 15:10 ebarrett-Ocient

I should also add I'm using the latest and greatest docker container image.

ebarrett-Ocient avatar Oct 10 '24 16:10 ebarrett-Ocient

Is this the private-encryption-key you talk about?

Aren't you missing the point of Oxidized (config backup and versioning) if you encrypt a big part of your config first?

Anyway, an example / snippet surely would help to add a filter for it in Oxidized.

systeembeheerder avatar Oct 24 '24 13:10 systeembeheerder

Yes, that's how you enable a private-encryption-key. Once it's been configured, you'll see it in the config Oxidized pulls down just before config system global:

# COMMAND: show | grep .
#config-version=FG200F-7.2.10-FW-build1706-240918:opmode=1:vdom=0:user=my_user
#conf_file_ver=<stripped>
#buildno=1706
#global_vdom=1
#private-encryption-key=<redacted>
config system global

Aren't you missing the point of Oxidized (config backup and versioning) if you encrypt a big part of your config first?

Are you suggesting to not set remove_secret to true? Oxidized is still able to manage the vast majority of my configuration. Since the Fortigate re-hashes all of its secrets, including the value of private-encryption-key, every few hours, it means that if I don't have remove_secret, it looks like my configuration is constantly changing. That means that when something breaks and I want to find out what I've changed recently, it's a lot easier to use Oxidized to find out exactly when the last actual configuration change was made if it ignores all of the secrets.

ebarrett-Ocient avatar Oct 24 '24 15:10 ebarrett-Ocient

@ebarrett-Ocient could you test this patch?

Copy fortios.rb to ~/.config/oxidized/model/fortios.rb and restart oxidized.

systeembeheerder avatar Oct 31 '24 09:10 systeembeheerder

@systeembeheerder That did the trick!

+#private-encryption-key= <configuration removed>

ebarrett-Ocient avatar Oct 31 '24 14:10 ebarrett-Ocient
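To make the filtering discussed in this thread concrete, here is an added example in plain Ruby (not the oxidized project's own fortios.rb and not the patch tested above). It assumes the header layout shown in the quoted output, a constructed fake key value, and a `remove_secret` flag passed in explicitly in place of Oxidized's `vars(:remove_secret)`. The point it demonstrates is that once the `#private-encryption-key=` value is redacted, two pulls that differ only in the re-hashed key compare as identical, so the periodic re-hash no longer registers as a configuration change.

```ruby
# Added example, not oxidized project code: strip the FortiGate
# #private-encryption-key header value the way a model filter would when
# remove_secret is enabled, and show that re-hashed keys then stop
# producing spurious "config changed" events.

REDACTED = '<configuration removed>'

# Sample FortiGate output, constructed for this example. The key value is
# a fake placeholder, not a real key.
SAMPLE_CONFIG = <<~CFG
  # COMMAND: show | grep .
  #config-version=FG200F-7.2.10-FW-build1706-240918:opmode=1:vdom=0:user=my_user
  #conf_file_ver=<stripped>
  #buildno=1706
  #global_vdom=1
  #private-encryption-key=0123456789abcdef0123456789abcdef
  config system global
      set hostname "fw-example"
  end
CFG

# Same device a few hours later: only the re-hashed key (again fake) differs.
SAMPLE_CONFIG_REHASHED = SAMPLE_CONFIG.sub(
  '0123456789abcdef0123456789abcdef',
  'fedcba9876543210fedcba9876543210'
)

# Replace the value on the #private-encryption-key header line, keeping the
# key name so the backup still shows that the setting is in use. With
# remove_secret disabled the configuration is returned untouched, which is
# the behaviour the reporter wanted to avoid.
def redact_private_encryption_key(cfg, remove_secret: true)
  return cfg unless remove_secret
  cfg.gsub(/^(#private-encryption-key=).*$/, "\\1 #{REDACTED}")
end

# Lines that differ between two pulls after filtering; an empty array means
# Oxidized would see no change to version.
def changed_lines(old_cfg, new_cfg, remove_secret: true)
  old_lines = redact_private_encryption_key(old_cfg, remove_secret: remove_secret).lines.map(&:chomp)
  new_lines = redact_private_encryption_key(new_cfg, remove_secret: remove_secret).lines.map(&:chomp)
  (old_lines - new_lines) + (new_lines - old_lines)
end

if __FILE__ == $PROGRAM_NAME
  puts redact_private_encryption_key(SAMPLE_CONFIG)
  puts "changed with remove_secret: #{changed_lines(SAMPLE_CONFIG, SAMPLE_CONFIG_REHASHED).inspect}"
  puts "changed without remove_secret: #{changed_lines(SAMPLE_CONFIG, SAMPLE_CONFIG_REHASHED, remove_secret: false).inspect}"
end
```

In a real Oxidized model this substitution would sit inside the `cmd 'show'` block, guarded by the model's `remove_secret` variable, alongside whatever other secret-stripping the model already performs; the example keeps the anchored `^...$` match so that only the header line is touched and the rest of the configuration is left intact.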

Closed by PR #3306

robertcheramy avatar Nov 03 '24 18:11 robertcheramy