Agent encryption

Datto RMM takes a layered approach to security and part of this is Agent encryption. A unique encryption key is generated for every Datto RMM Agent installation to ensure that when an Agent is communicating with the platform, we know the traffic is coming from the device where the Agent was originally installed, and no impersonation is taking place.

IMPORTANT  The introduction of Agent encryption with the Datto RMM 9.6.0 release could potentially impact your user experience. For more information, refer to this Community post.

Agent to platform authentication

The Datto RMM Agent and the Datto RMM platform share a secret key, and the platform keeps a map of device identifiers linked to these keys. Linking a key to a device identifier allows the Agent to sign the data it sends and allows the platform to either encrypt the communication or refuse it.

Encryption key approval

Encryption keys do not have to be approved in the following scenarios:

  • Newly generated and assigned encryption keys are auto-approved. This includes existing devices with no mapped encryption key and new device records created by newly installed Agents.
  • If a device submits an encryption key change request from an IP address from which your Datto RMM account has already approved at least four other change requests in the last 60 days, the encryption key is auto-approved.
  • If a device submits an encryption key change request from the same IP address as the last change request you approved for it, the encryption key is auto-approved.
  • If a device submits an encryption key change request from the same IP address as the device's current external IP address, the encryption key is auto-approved.

In situations where the platform has a stored device identifier with a pre-existing encryption key mapping and the Agent is attempting to communicate using a mismatched or missing encryption key, a manual approval is required. This request must be approved by an Administrator in the Agent Encryption Key Changed list on the Devices requiring approval page in the New UI. Refer to Agent Encryption Key Changed.
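The auto-approval rules and the manual-approval fallback above, modelled as one decision function so the order in which they apply is explicit. This is an added illustration, not Datto RMM code; the record fields (mapped_key_id, external_ip, last_approved_ip) and the shape of the approval history are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds taken from the auto-approval rules above.
OTHER_APPROVALS_NEEDED = 4
APPROVAL_WINDOW = timedelta(days=60)

@dataclass
class DeviceRecord:
    """Platform-side view of a device (assumed field names)."""
    device_id: str
    mapped_key_id: Optional[str]            # None when no encryption key is mapped yet
    external_ip: str                        # current external IP as seen by the platform
    last_approved_ip: Optional[str] = None  # IP of the last change request approved for it

@dataclass
class ApprovedChange:
    """A key change request an Administrator approved earlier (assumed record shape)."""
    device_id: str
    source_ip: str
    approved_at: datetime

def evaluate_key_change(device, presented_key_id, source_ip, now, history):
    """Return ("auto", reason) or ("manual", reason) for one key change request."""
    # Rule 1: no key mapped yet, so the key is newly assigned and auto-approved.
    if device.mapped_key_id is None:
        return "auto", "newly assigned key"
    # A matching key is not a change request; nothing needs approval.
    if presented_key_id == device.mapped_key_id:
        return "auto", "key matches existing mapping"
    # Rule 2: at least four other requests from this IP were approved in the last 60 days.
    recent = [h for h in history
              if h.source_ip == source_ip and now - h.approved_at <= APPROVAL_WINDOW]
    if len(recent) >= OTHER_APPROVALS_NEEDED:
        return "auto", f"{len(recent)} prior approvals from {source_ip} within window"
    # Rule 3: same IP as the last request approved for this device.
    if device.last_approved_ip == source_ip:
        return "auto", "same IP as last approved request"
    # Rule 4: same IP as the device's current external IP.
    if device.external_ip == source_ip:
        return "auto", "matches device's current external IP"
    # Otherwise it waits in the Agent Encryption Key Changed list for an Administrator.
    return "manual", "mismatched or missing key from an unrecognised IP"

if __name__ == "__main__":
    now = datetime(2024, 6, 1)  # constructed sample data
    dev = DeviceRecord("dev-1", "key-A", "198.51.100.7", "203.0.113.10")
    print(evaluate_key_change(dev, "key-B", "192.0.2.99", now, []))
    print(evaluate_key_change(dev, "key-B", "203.0.113.10", now, []))
```

Note that Rule 2 is account-wide: once an IP has accumulated enough approvals, later mismatches from it no longer reach the approval list, which is why the recommendation to validate every approval matters.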

It is recommended that all encryption key approvals be validated, as an Agent should never change its key spontaneously. In the event of a mismatch, check the new device's audit records to see whether they are as expected. If they are not, or you are unsure, contact Datto Support.

If a device is awaiting Agent encryption key change approval or is rejected, it will not receive any monitoring or Software Management data and you will not be able to connect to it using Web Remote. Devices rejected from the Agent Encryption Key Changed list will be removed from the list and will be displayed in the list again an hour later; an Administrator can then approve or reject them. Alternatively, devices displayed in the list can be deleted from the account. Refer to Deleting a device - New UI.

Approved devices will receive monitoring and Software Management data an hour after approval. You will also be able to connect to them using Web Remote.

Important notes

  • It is necessary for devices to store the encryption key locally for the value to persist across reboots. This file is only accessible with system privileges, and it is essential for it to be present and correct for Agent to platform authentication to occur uninterrupted. If the file is removed, for example by reinstalling the operating system, a manual approval will need to occur.
  • Devices should never share the same identifier, but it may happen on rare occasions. For example, if an image-based operating system deployment method is used without first removing the device identifier from the system, the identifier would be cloned. After the first device, every device communicating with the platform using the cloned identifier would generate an approval request. In this case, the cloned identifiers should be removed and allowed to automatically re-generate.
  • If a Network Node is awaiting device approval due to an Agent encryption key change request, any associated network devices will appear offline until the Network Node is approved.