Migration to Mender Client 4.0 - Device is generating a new authorization key

Hello,

We are working on updating our devices from Mender-Client version 3.5.1 to 4.0.4 (Mender 3.7). The device is running Yocto Kirkstone with various customizations and configuration.

When updating the device, it seems Mender is generating a new authorization key that it uses to connect to the Mender server. This means we would have to re-accept the new key for all of our devices on the Mender server.

Is this behavior normal? How does Mender decide to reuse the existing key or create a new one? Where is the key stored on the device? (In case this makes a difference, we are using a read-only root filesystem and a writable partition mounted in /data.)

I could find some information in the documentation about the authentication flow, but there is not a lot of information on the key generation and storage. This mentions support for key rotation, but does not explain if Mender decides to do that on its own, and when.

Thanks for your help!

We have found our problem.

In previous versions of Mender we had defined our key only in the HttpsClient/Key entry of the configuration file and it was used both for the HTTPS certificate and for other uses.

In Mender 4.0 we need to also set the same key in Security/AuthPrivateKey to get the same behavior as before. Otherwise a different key is generated and used. We will use this scheme to preserve the keys already in use in our existing devices.
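
A pre-upgrade check for the situation described in the post above, as an added example that is not part of the original thread and is not Mender project code. It reads a mender.conf JSON document and reports whether Security/AuthPrivateKey is set to the same path as HttpsClient/Key. The function name, the status strings, the key path and the sample configurations are constructed for illustration.

```python
import json

# Constructed sample configurations; the key path is a placeholder.
OLD_STYLE = """{
  "HttpsClient": {"Key": "/data/mender/device-key.pem"}
}"""
MIGRATED = """{
  "HttpsClient": {"Key": "/data/mender/device-key.pem"},
  "Security": {"AuthPrivateKey": "/data/mender/device-key.pem"}
}"""
MISMATCHED = """{
  "HttpsClient": {"Key": "/data/mender/device-key.pem"},
  "Security": {"AuthPrivateKey": "/data/mender/other-key.pem"}
}"""
NO_CLIENT_KEY = "{}"


def check_auth_key(conf_text):
    """Classify one mender.conf document (hypothetical helper).

    Returns:
      "ok"             - both entries point at the same key file
      "missing"        - HttpsClient/Key set, Security/AuthPrivateKey absent:
                         the case in the thread where a new key is generated
      "mismatch"       - both set, but to different files
      "not-applicable" - HttpsClient/Key is not set at all
    """
    conf = json.loads(conf_text)
    https_key = (conf.get("HttpsClient") or {}).get("Key")
    auth_key = (conf.get("Security") or {}).get("AuthPrivateKey")
    if not https_key:
        return "not-applicable"
    if not auth_key:
        return "missing"
    if auth_key != https_key:
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    samples = {"old-style": OLD_STYLE, "migrated": MIGRATED,
               "mismatched": MISMATCHED, "no-client-key": NO_CLIENT_KEY}
    for name, text in samples.items():
        print(f"{name}: {check_auth_key(text)}")
```

Running this against each device image's configuration before rolling out the 4.0 client flags the devices that would otherwise show up on the server as pending with a new key.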