
Fortigate private-encryption-key value should be removed from config when remove_secret is set to true #3285

Open
ebarrett-Ocient opened this issue Oct 10, 2024 · 3 comments


@ebarrett-Ocient

The value of private-encryption-key in Fortigate config files changes frequently. Ideally, when remove_secret is set to true, Oxidized should remove this value from the downloaded configuration. This will result in Oxidized no longer identifying a configuration change every time the value of private-encryption-key is changed.

@ebarrett-Ocient (Author)

I should also add I'm using the latest and greatest docker container image.

@systeembeheerder (Contributor)

Is this the private-encryption-key you talk about?

Aren't you missing the point of Oxidized (config backup and versioning) if you encrypt a big part of your config first?

Anyway, an example / snippet surely would help to add a filter for it in Oxidized.

@ebarrett-Ocient (Author)

Yes, that's how you enable a private-encryption-key. Once it's been configured, you'll see it in the config Oxidized pulls down just before config system global:

# COMMAND: show | grep .
#config-version=FG200F-7.2.10-FW-build1706-240918:opmode=1:vdom=0:user=my_user
#conf_file_ver=<stripped>
#buildno=1706
#global_vdom=1
#private-encryption-key=<redacted>
config system global

Aren't you missing the point of Oxidized (config backup and versioning) if you encrypt a big part of your config first?

Are you suggesting to not set remove_secret to true? Oxidized is still able to manage the vast majority of my configuration. Since the Fortigate re-hashes all of its secrets, including the value of private-encryption-key, every few hours, it means that if I don't have remove_secret, it looks like my configuration is constantly changing. That means that when something breaks and I want to find out what I've changed recently, it's a lot easier to use Oxidized to find out exactly when the last actual configuration change was made if it ignores all of the secrets.
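The filter the thread is asking for, as an added example that is not part of this issue and not Oxidized's own fortios model code: a post-processing step in the style of an Oxidized model `cmd` block that masks the `#private-encryption-key=` header line when `remove_secret` is true, so two pulls that differ only in that re-hashed value no longer register as a configuration change. The placeholder string, the helper names (`redact_fortigate_header`, `config_changed?`) and the sample captures are assumptions constructed for the example.

```ruby
# Added example (not Oxidized's own model code): mask the Fortigate
# "#private-encryption-key=..." header line so a secret re-hash does not
# show up as a new configuration version. Names and placeholder text
# are assumptions made for this example.

# Header keys whose values FortiOS rewrites on every secret re-hash.
# Assumption: only private-encryption-key is handled here; extend as needed.
VOLATILE_HEADER_KEYS = %w[private-encryption-key].freeze

PLACEHOLDER = '<configuration removed>'

# Line-anchored regex: "#key=" at the start of a line, value to end of line.
HEADER_SECRET_RE = /^(#(?:#{VOLATILE_HEADER_KEYS.map { |k| Regexp.escape(k) }.join('|')})=).*$/

# Returns a copy of cfg with the volatile header values replaced by
# PLACEHOLDER when remove_secret is true; returns cfg unchanged otherwise.
def redact_fortigate_header(cfg, remove_secret)
  return cfg unless remove_secret

  cfg.gsub(HEADER_SECRET_RE) { "#{Regexp.last_match(1)}#{PLACEHOLDER}" }
end

# True when two captures would still differ after redaction, i.e. when a
# backup tool comparing them would record a real configuration change.
def config_changed?(old_cfg, new_cfg, remove_secret)
  redact_fortigate_header(old_cfg, remove_secret) !=
    redact_fortigate_header(new_cfg, remove_secret)
end

# Constructed sample captures: identical configuration, with only the
# private-encryption-key re-hashed between the two pulls.
SAMPLE_BEFORE = <<~CFG
  # COMMAND: show | grep .
  #config-version=FG200F-7.2.10-FW-build1706-240918:opmode=1:vdom=0:user=my_user
  #conf_file_ver=<stripped>
  #buildno=1706
  #global_vdom=1
  #private-encryption-key=0123456789abcdef0123456789abcdef
  config system global
      set hostname "fw-example"
  end
CFG

SAMPLE_AFTER = SAMPLE_BEFORE.sub('0123456789abcdef0123456789abcdef',
                                 'fedcba9876543210fedcba9876543210')

if $PROGRAM_NAME == __FILE__
  puts redact_fortigate_header(SAMPLE_AFTER, true)
  puts "changed without remove_secret: #{config_changed?(SAMPLE_BEFORE, SAMPLE_AFTER, false)}"
  puts "changed with remove_secret:    #{config_changed?(SAMPLE_BEFORE, SAMPLE_AFTER, true)}"
end
```

The regex is deliberately anchored to the line start and keeps the `#key=` prefix, so the masked line still documents that the device had a private encryption key configured while the ever-changing value itself is dropped; the `config system global` block and the other header lines pass through untouched.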
