Duo Secret Rotation Tool for Windows

Last Updated: January 30th, 2025

Overview

The Duo Secret Rotation Tool is used to rotate a Duo application's client secret (also known as a secret key) stored in the Windows Registry. When provided a client secret or integration secret value copied from the Duo Admin Panel or an Admin API response, the tool updates the Windows Registry information for your installed Duo application with the new secret in encrypted form.

WARNING: When you reset the client secret or secret key for a Duo application, users will not be able to log in with Duo until the secret rotation process is complete for the installed application and the application's service has been restarted.

Supported Duo Applications

The Duo Secret Rotation tool works with the following Duo applications:

Requirements

  • You must be a Duo administrator with the Owner, Administrator, or Application Manager role to reset an application's secret in the Duo Admin Panel.
  • You must have local administrator access on the Windows system to launch an elevated Command Prompt.
  • The Windows system where the Duo application is installed must be able to contact Duo's cloud service on HTTPS port 443 to verify the new secret value.

Rotate a Secret

To use the Duo Secret Key Rotation Tool:

  1. Launch an elevated command prompt (right-click "Command Prompt" and select the "Run as administrator" option).

  2. Reset the secret key for your Duo application from the Duo Admin Panel or with the Admin API Integrations endpoint. Note that you will need to provide the new secret value in the next step.

    Reminder: When you reset the client secret or secret key for a Duo application, users will not be able to log in with Duo until you complete the rest of the secret rotation process!

  3. Run the Duo Secret Key Rotation Tool executable, providing your application's new client secret or secret key value. The path to the tool will be different for each Duo application.

    • AD FS: C:\Program Files\Duo Security\DuoAdfs\DuoSecretKeyRotation.exe

    You can either pass the new client secret or secret key to the executable as an argument, or invoke the executable with no arguments. If more than one argument is provided, the program prints an error message and its correct usage. If invoked with no arguments, the program prompts you for the new secret to use.

    This example shows running the executable with the client secret or secret key provided as an argument:

    C:\>"c:\Program Files\Duo Security\DuoAdfs\DuoSecretKeyRotation.exe" 5G3y7YoxJwvCF4FAw2s61fePUIgBpXHqn0HDTdvF
     DuoSecretKeyRotationManager started.
     Secret key provided via arguments.
     Secret key is valid
     Signatures match. Generating entropy string.
     Secret saved successfully.

    This example shows running the executable with no arguments:

    C:\>"c:\Program Files\Duo Security\DuoAdfs\DuoSecretKeyRotation.exe"
     DuoSecretKeyRotationManager started.
     Enter your application's secret key (skey): ****************************************
     Secret key is valid
     Signatures match. Generating entropy string.
     Secret saved successfully.

    If you provide an invalid secret value, do not press Y to continue. Type N to quit without making changes.

    C:\>"c:\Program Files\Duo Security\DuoAdfs\DuoSecretKeyRotation.exe" invalidsecret
     DuoSecretKeyRotationManager started.
     Secret key provided via arguments.
     WARNING: Secret key is invalid. Press 'Y' to continue.
     Chose not to continue. Exiting program.
  4. After the Duo Secret Key Rotation Tool completes successfully, restart the service for the application you just updated so that the new secret takes effect.

    • AD FS: Cycle the AD FS service by entering the command Restart-Service adfssrv at an elevated PowerShell prompt or net stop adfssrv & net start adfssrv at the elevated Command Prompt.
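
As an added example (not Duo's own code), the following PowerShell wraps steps 3 and 4 above for the AD FS integration: it prompts for the new secret without leaving it in command history, checks the tool's output before touching the service, and restarts adfssrv only when the tool reported success. The tool path, the output strings and the service name are taken from this page; the function name and its parameters are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Duo's code: scripts steps 3 and 4 above for the AD FS integration.
# The tool path, the tool's output strings and the adfssrv service name come from the
# documentation; the function and parameter names are hypothetical.
function Invoke-DuoSecretRotation {
    param(
        [string]$ToolPath    = 'C:\Program Files\Duo Security\DuoAdfs\DuoSecretKeyRotation.exe',
        [string]$ServiceName = 'adfssrv'
    )
    if (-not (Test-Path -LiteralPath $ToolPath)) {
        throw "Duo Secret Key Rotation Tool not found at $ToolPath"
    }

    # Prompt for the new secret as a SecureString so it never lands in PowerShell's
    # command history; it is decoded only for the duration of the tool invocation.
    # (It is still passed as a process argument, exactly as the documented usage does.)
    $secure = Read-Host -Prompt 'New Duo secret key (skey)' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Tee-Object keeps the tool's output visible on the console (so the operator can
        # still answer N to the invalid-secret prompt) while also capturing it for checks.
        & $ToolPath $plain 2>&1 | Tee-Object -Variable output | Out-Host
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable -Name plain, secure -ErrorAction SilentlyContinue
    }
    $lines = @($output | ForEach-Object { "$_" })

    # Only an explicit success line is accepted. "Secret key is invalid" means Duo's
    # cloud service did not verify the value, so the service must not be restarted.
    if ($lines -match 'Secret key is invalid') {
        throw 'Duo did not verify the secret; leaving the service untouched.'
    }
    if (-not ($lines -match 'Secret saved successfully')) {
        throw "Rotation tool did not report success:`n$($lines -join "`n")"
    }

    # Step 4: the new secret takes effect only after the AD FS service restarts.
    Restart-Service -Name $ServiceName -ErrorAction Stop
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Running') {
        throw "$ServiceName is $($svc.Status) after restart; check the AD FS event log."
    }
    Write-Host "Duo secret rotated and $ServiceName restarted."
}

Invoke-DuoSecretRotation
```

Run it from an elevated PowerShell prompt after resetting the secret in the Duo Admin Panel (step 2); if the tool prints the invalid-secret warning, type N at its prompt and the script stops without restarting AD FS.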