Script keys
A script key lets a deployment script assign an Arq Pro computer to a group without anyone logging in to the web console. It’s built for fleet onboarding — registering and grouping many computers from an MDM, provisioning script, or CI pipeline instead of editing each computer’s group by hand.
Each script key belongs to a single group. A script that holds the key can add computers to that group and nothing else.
When to use it
Section titled “When to use it”- You’re onboarding more than a handful of computers and don’t want to set each one’s group in the console.
- You manage clients’ machines (MSP) and group them as part of your deployment automation.
- You’re spinning up many endpoints programmatically.
If you only have a couple of computers, the console’s Edit Group screen is simpler — script keys are about automation at scale.
Create a script key
Section titled “Create a script key”- In the Arq Pro web console, open the group you want computers to join and click Edit Group.
- In the Script keys section, click Create Script Key…, give it a description (e.g. the name of the deployment tool that will use it), and confirm.
- Your browser downloads
arqpro-script-key.json. This file contains the key’s private key and is shown only once — it cannot be downloaded again. Store it in your secret manager / deployment tooling.
The file looks like this:
{ "scriptKeyId": "97016DB3-F2BF-47DA-8F14-617FE422F4E3", "privateKeyPEM": "-----BEGIN RSA PRIVATE KEY-----\n…\n-----END RSA PRIVATE KEY-----\n", "groupUUID": "20F5707F-A97A-407E-A61F-7318E36E9128"}Assign a computer to the group
Section titled “Assign a computer to the group”Run this on each computer after it has activated its Arq Pro license, with Arq installed and running:
arqc setGroup --credentials=/path/to/arqpro-script-key.jsonarqc hands the request to the Arq agent running on that computer. The agent
knows its own computer identity, contacts Arq Pro, and joins the group named by
the script key. The group’s backup plans and storage locations arrive at the
computer’s next sync.
arqc setGroup exits 0 on success and prints a one-line error otherwise.
Example: assign during deployment
Section titled “Example: assign during deployment”#!/bin/sh# Run after the Pro license is activated on the machine.set -e
CREDENTIALS=/usr/local/etc/arqpro-script-key.json
arqc setGroup --credentials="$CREDENTIALS"echo "Joined Arq Pro group."Point your MDM or provisioning tool at a script like this and deploy the same
arqpro-script-key.json to every machine that should land in the group.
Security model
Section titled “Security model”Script keys are designed so that no single system holds enough to read your backup data or forge a valid “add computer to group” operation.
- A script key is limited. It can only add computers to its one group. It can’t read backup data, change other groups, or sign in to your account.
- A leaked key is contained. If a key’s
arqpro-script-key.jsonleaks, the worst an attacker can do is add computers to that one group. They cannot read any backups, because the key can’t decrypt your data — only assign membership. - The server can’t read your data or forge assignments. Arq Pro stores only
the key’s public half. The group secret each script key carries is encrypted
to that public half, so it can only be unwrapped by the private key in your
arqpro-script-key.json— never by the server. A compromise of Arq Pro’s servers alone reveals neither your group’s data nor the ability to produce a valid assignment. - Per-key revocation. Each key is independent. Revoking one doesn’t affect any other key or require re-keying the group.
Revoke a key / recover a lost key
Section titled “Revoke a key / recover a lost key”To revoke a key, open the group’s Edit Group → Script keys section and click Revoke on that key. Revocation takes effect immediately: any script still using the key stops being able to assign computers. Computers already in the group are not affected — revoking a key never removes computers or changes their backups.
If a key is lost or leaked, the recovery is the same: revoke it, then create a
new one and update your deployment tooling with the new arqpro-script-key.json.
There’s no way to re-download a key’s private half, so a lost key is simply
replaced rather than recovered.