Bakery Key Password

Hi,
we set up our CheckMK years ago with a weak bakery password.
For some reason I always thought that I need to re-register all agents if we change it, but that’s not the case, right?

So, today I added a new key with a strong password. After that I expected a need for a new bake process, but that button was not orange. Should the new key already be accepted by all agents? How can they know about that new key?

Anyway, I decided to bake the agents again with the new key. Now I wait for all the agents to get their new version (actually I forgot to check if the hash changed - I hope it did).

So my important question now is: Can I safely remove the old key after some time? (agents should check for a new version every 10 minutes)
I cannot risk the need to reregister all hosts - there’s just too many of them.

TIA,
Roland.

1 Like

Now you have to include the new key in your agent deployment rule.
And after you modified this rule the bake button should be orange.

2 Likes

Ah, ofc. That was the missing part.
Thanks!

So my plan is now to remove the old key from the deployment rule tomorrow or maybe next week to be safe. Then I will finally remove the old key completely.
Does that sound reasonable?

I also do it this way - activate both keys, bake & sign agents, wait until all agents pull the new build, remove the old key from the agent config and remove the key from the system.

4 Likes