Skip to main content

Regenerate Secret Keys

When you install Firezone, secrets are generated for encrypting database fields, securing WireGuard tunnels, securing cookie sessions, and more.

If you're looking to regenerate one or more of these secrets, it's possible to do so using the same bootstrap scripts that were used when installing Firezone.

Regenerate Secrets

danger

Replacing the DATABASE_ENCRYPTION_KEY will render all encrypted data in the database useless. This will break your Firezone install unless you are starting with an empty database. You have been warned.

caution

Replacing GUARDIAN_SECRET_KEY, SECRET_KEY_BASE, LIVE_VIEW_SIGNING_SALT, COOKIE_SIGNING_SALT, or COOKIE_ENCRYPTION_SALT will render all browser sessions and JWTs useless.

Use the procedure below to regenerate secrets:

Navigate to the Firezone installation directory, then:

mv .env .env.bak
docker run firezone/firezone bin/gen-env > .env

Regenerate WireGuard Private Key

danger

Replacing the WireGuard private key will render all existing device configs useless. Only do so if you're prepared to also regenerate device configs after regenerating the WireGuard private key.

To regenerate WireGuard private key, simply move or rename the private key file. Firezone will generate a new one on next start.

docker-compose stop firezone
sudo mv $HOME/.firezone/firezone/private_key $HOME/.firezone/firezone/private_key.bak
docker-compose start firezone