Private key is not valid: configuration password key file is failing archive restore.
Article ID: 277879
Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

Communication between devices. SSL uses a public key to encrypt data and a private key to decrypt data. These keys (stored in “keyrings”) are unique to the device. This ensures that data encrypted with a device’s public key can only be decrypted by the corresponding private key.

On ProxySG appliances, the configuration-passwords-key SSL keyring is used to encrypt and decrypt the following passwords on the appliance:

  • Administrator console passwords (not needed for shared configurations)
  • Privileged-mode (enable) passwords (not needed for shared configurations)
  • The front-panel PIN (recommended for limiting physical access to the system)
  • Failover group secret
  • Access log FTP client passwords (primary, alternate)
  • Archive configuration FTP password
  • RADIUS primary and alternate secret
  • LDAP search password
  • SNMP read, write, and trap community strings
  • RADIUS and TACACS+ secrets for splash pages

Resolution

Because every appliance has a different configuration-passwords-key, you will receive a decryption error if you try to restore an archive to another device.

To ensure that the archive can be transferred to another appliance, you must do one of the following:

1. Restore the original configuration-passwords-key keyring

  • While it is possible to reset each of the passwords using the Management Console, it is easier to save the original keyring so that you can import it into the new appliance (before restoring the configuration). Restoring the keyring allows all previously configured passwords to remain valid after archive restoration.

2. Change the encrypted passwords to clear text so that they can be regenerated.

Note: If both methods are executed correctly and the restore still fails, the only option will be to use the unique configuration-passwords-key on the new SG-VA.
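The following added example (not ProxySG code and not from this article) models why the restore fails and how both resolutions recover from it. The encryption scheme is a constructed, stdlib-only stand-in (HMAC-SHA256 keystream plus an encrypt-then-MAC tag), since the article does not describe the appliance's actual cipher; the `Appliance` class, the archive format and the password values are all assumptions for illustration.

```python
"""Model of a ProxySG archive restore under a device-unique configuration-passwords-key.

Constructed example: the cipher below is a stdlib-only stand-in, not the appliance's real scheme.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


class DecryptionError(Exception):
    """Raised when an encrypted value was not produced under this appliance's keyring."""


def _subkeys(keyring: bytes):
    # Derive separate encryption and MAC keys from the keyring material (constructed scheme).
    return (hashlib.sha256(b"enc" + keyring).digest(),
            hashlib.sha256(b"mac" + keyring).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (toy construction for the demo only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_secret(keyring: bytes, plaintext: str) -> str:
    """Encrypt one password field under a keyring; returns hex(nonce || ciphertext || tag)."""
    enc_key, mac_key = _subkeys(keyring)
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return (nonce + ct + tag).hex()


def decrypt_secret(keyring: bytes, blob_hex: str) -> str:
    """Decrypt a field; a different keyring fails the tag check, i.e. the 'private key is not valid' error."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(keyring)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise DecryptionError("Private key is not valid")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


@dataclass
class Appliance:
    """Hypothetical stand-in for one ProxySG: a unique keyring plus the passwords it protects."""
    name: str
    keyring: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    passwords: dict = field(default_factory=dict)  # field name -> clear-text value held on the box

    def archive(self, clear_text: bool = False) -> dict:
        # Encrypted archive by default; clear_text=True is the form method 2 of the article relies on.
        if clear_text:
            return {k: ("clear", v) for k, v in self.passwords.items()}
        return {k: ("encrypted", encrypt_secret(self.keyring, v)) for k, v in self.passwords.items()}

    def restore(self, archive: dict) -> None:
        # Encrypted values only open under the keyring that produced them; clear-text values are
        # accepted as-is and get re-encrypted under this appliance's own keyring on the next archive().
        restored = {}
        for name, (kind, value) in archive.items():
            restored[name] = decrypt_secret(self.keyring, value) if kind == "encrypted" else value
        self.passwords = restored


def demo() -> dict:
    """Run the failing cross-device restore and both resolutions; returns the outcomes."""
    sg_a = Appliance("sg-a")
    sg_a.passwords = {"snmp-read-community": "constructed-community-string",
                      "ldap-search-password": "constructed-ldap-password"}
    archive = sg_a.archive()

    sg_b = Appliance("sg-b")  # different appliance, so a different configuration-passwords-key
    try:
        sg_b.restore(archive)
        cross_device_failed = False
    except DecryptionError:
        cross_device_failed = True

    # Method 1: import the original keyring before restoring the configuration.
    sg_b.keyring = sg_a.keyring
    sg_b.restore(archive)

    # Method 2: restore a clear-text archive; the new appliance regenerates the encrypted forms.
    sg_c = Appliance("sg-c")
    sg_c.restore(sg_a.archive(clear_text=True))
    regenerated = sg_c.archive()

    return {
        "cross_device_failed": cross_device_failed,
        "method1_restored": sg_b.passwords == sg_a.passwords,
        "method2_restored": sg_c.passwords == sg_a.passwords,
        # After method 2 the encrypted values are bound to sg-c's keyring, not sg-a's.
        "method2_bound_to_new_key": all(decrypt_secret(sg_c.keyring, v) == sg_a.passwords[k]
                                        for k, (_, v) in regenerated.items()),
    }


if __name__ == "__main__":
    print(demo())
```

The tag check failing before any plaintext is produced is the behaviour to expect from a sound scheme: a mismatched keyring surfaces as a decryption error rather than as silently garbled passwords, which is why the restore aborts instead of leaving the appliance with unusable credentials.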