# Password-protected keys

Starting with AxoSyslog version 3.14, you can use password-protected private keys in the `network()` and `syslog()` source and destination drivers.

## Restrictions and limitations

Note

_Hazard of data loss!_ If you use password-protected keys, you must provide the passphrase of the password-protected keys every time AxoSyslog is restarted (AxoSyslog keeps the passphrases over reloads). The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the AxoSyslog configuration will be unaffected.

This means that if you use a password-protected key in a destination, and you use this destination in a log path that has multiple destinations, none of the destinations will receive log messages until you provide the password. In such cases, always [use disk-based buffering to avoid data loss](../../docs/axosyslog-core/chapter-routing-filters/concepts-diskbuffer/index.md).

  * The path and the filename of the private key cannot contain whitespace.
  * Depending on your platform, the number of passwords AxoSyslog can use at the same time might be limited (for example, on Ubuntu 16.04 you can store 16 passwords if you are running AxoSyslog as a non-root user). If you use lots of password-protected private keys in your AxoSyslog configuration, increase this limit using the following command: `sudo ulimit -l unlimited`



## Providing the passwords

The `syslog-ng-ctl credentials status` command allows you to query the status of the private keys that AxoSyslog uses in the `network()` and `syslog()` drivers. The command returns the list of private keys used, and their status. For example:
```
syslog-ng-ctl credentials status
Secret store status:
/home/user/ssl_test/client-1/client-encrypted.key SUCCESS
```

If the status of a key is PENDING, you must provide the passphrase for the key, otherwise AxoSyslog cannot use it. The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the AxoSyslog configuration will be unaffected. You must provide the passphrase of the password-protected keys every time AxoSyslog is restarted.

The following log message also notifies you of PENDING passphrases:
```
Waiting for password; keyfile='private.key'
```
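
The status check described above can be scripted as a post-restart health check. The following is an added example, not part of the AxoSyslog documentation or tooling: the function names and the sample paths are made up for illustration, and the input format is assumed to match the `credentials status` output shown above.

```shell
#!/bin/sh
# Added example: report keys that still wait for a passphrase after a restart.
# Expected input: a "Secret store status:" header, then one
# "<key-path> <STATUS>" line per key, as in the sample output on this page.

# Print the path of every key whose status is PENDING (status text on stdin).
# Key paths cannot contain whitespace (see the restrictions above), so the
# path is always the first field and the status is the last one.
pending_keys() {
    awk 'NF >= 2 && $NF == "PENDING" { print $1 }'
}

# Return 0 if no key is pending, 1 otherwise; pending paths go to stderr.
# $1 is the full text of the status output.
check_status_text() {
    pending=$(printf '%s\n' "$1" | pending_keys)
    if [ -n "$pending" ]; then
        printf '%s\n' "$pending" | sed 's/^/passphrase needed for: /' >&2
        return 1
    fi
    return 0
}

# Constructed sample output (hypothetical paths, not from a real host).
SAMPLE_STATUS='Secret store status:
/etc/syslog-ng/tls/client-encrypted.key SUCCESS
/etc/syslog-ng/tls/relay-encrypted.key PENDING'

# On a real host, check the live output instead of the sample:
#   check_status_text "$(syslog-ng-ctl credentials status)"
if check_status_text "$SAMPLE_STATUS"; then
    echo "all keys unlocked"
else
    echo "drivers using the keys above stay down until a passphrase is added"
fi
```

A non-zero return from `check_status_text` is the signal to alert an operator, since the affected sources and destinations stay inactive until someone provides the passphrase.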

You can add the passphrase to a password-protected private key file using the following command. AxoSyslog will display a prompt for you to enter the passphrase. We recommend that you use this method.
```
syslog-ng-ctl credentials add --id=<path-to-the-key>
```

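Alternatively, you can include the passphrase in the `--secret` parameter. Note that a passphrase given on the command line can be recorded in the shell history and is visible in the process list while the command runs:
```
syslog-ng-ctl credentials add --id=<path-to-the-key> --secret=<passphrase-of-the-key>
```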

Or you can pipe the passphrase to the `syslog-ng-ctl` command, for example:
```
echo "<passphrase-of-the-key>" | syslog-ng-ctl credentials add --id=<path-to-the-key>
```

For details on the `syslog-ng-ctl credentials` command, see [The syslog-ng-ctl manual page](../../docs/axosyslog-core/app-man-syslog-ng/syslog-ng-ctl.1/index.md).

Last modified July 18, 2025: [Unrelated formatting fix (904e4805)](<https://github.com/axoflow/axosyslog-core-docs/commit/904e4805819fea4deae61b7fc56f96fe6e797d58>)