Skip to content

Script keys

A script key lets a deployment script assign an Arq Pro computer to a group without anyone logging in to the web console. It’s built for fleet onboarding — registering and grouping many computers from an MDM, provisioning script, or CI pipeline instead of editing each computer’s group by hand.

Each script key belongs to a single group. A script that holds the key can add computers to that group and nothing else.

  • You’re onboarding more than a handful of computers and don’t want to set each one’s group in the console.
  • You manage clients’ machines (MSP) and group them as part of your deployment automation.
  • You’re spinning up many endpoints programmatically.

If you only have a couple of computers, the console’s Edit Group screen is simpler — script keys are about automation at scale.

  1. In the Arq Pro web console, open the group you want computers to join and click Edit Group.
  2. In the Script keys section, click Create Script Key…, give it a description (e.g. the name of the deployment tool that will use it), and confirm.
  3. Your browser downloads arqpro-script-key.json. This file contains the key’s private key and is shown only once — it cannot be downloaded again. Store it in your secret manager / deployment tooling.

The file looks like this:

{
"scriptKeyId": "97016DB3-F2BF-47DA-8F14-617FE422F4E3",
"privateKeyPEM": "-----BEGIN RSA PRIVATE KEY-----\n\n-----END RSA PRIVATE KEY-----\n",
"groupUUID": "20F5707F-A97A-407E-A61F-7318E36E9128"
}

Run this on each computer after it has activated its Arq Pro license, with Arq installed and running:

Terminal window
arqc setGroup --credentials=/path/to/arqpro-script-key.json

arqc hands the request to the Arq agent running on that computer. The agent knows its own computer identity, contacts Arq Pro, and joins the group named by the script key. The group’s backup plans and storage locations arrive at the computer’s next sync.

arqc setGroup exits 0 on success and prints a one-line error otherwise.

#!/bin/sh
# Run after the Pro license is activated on the machine.
set -e
CREDENTIALS=/usr/local/etc/arqpro-script-key.json
arqc setGroup --credentials="$CREDENTIALS"
echo "Joined Arq Pro group."

Point your MDM or provisioning tool at a script like this and deploy the same arqpro-script-key.json to every machine that should land in the group.

Script keys are designed so that no single system holds enough to read your backup data or forge a valid “add computer to group” operation.

  • A script key is limited. It can only add computers to its one group. It can’t read backup data, change other groups, or sign in to your account.
  • A leaked key is contained. If a key’s arqpro-script-key.json leaks, the worst an attacker can do is add computers to that one group. They cannot read any backups, because the key can’t decrypt your data — only assign membership.
  • The server can’t read your data or forge assignments. Arq Pro stores only the key’s public half. The group secret each script key carries is encrypted to that public half, so it can only be unwrapped by the private key in your arqpro-script-key.json — never by the server. A compromise of Arq Pro’s servers alone reveals neither your group’s data nor the ability to produce a valid assignment.
  • Per-key revocation. Each key is independent. Revoking one doesn’t affect any other key or require re-keying the group.

To revoke a key, open the group’s Edit Group → Script keys section and click Revoke on that key. Revocation takes effect immediately: any script still using the key stops being able to assign computers. Computers already in the group are not affected — revoking a key never removes computers or changes their backups.

If a key is lost or leaked, the recovery is the same: revoke it, then create a new one and update your deployment tooling with the new arqpro-script-key.json. There’s no way to re-download a key’s private half, so a lost key is simply replaced rather than recovered.