Critical Flaw with hide-sensitive config export

Be careful when exporting and sharing configs; using the hide-sensitive option may reveal private WG keys created through BTH. Found in latest 7.21rc2. I made a config export with the command:
export hide-sensitive file=fullbackuptext.rsc
and it contains private WG keys for BTH.

hide-sensitive is the default in V7 (so :export hide-sensitive is the same as :export). But that's not going to change the issue here.

Internally some config attributes are flagged as "sensitive", which affects both export and the user group policy "sensitive" being needed to operate on them.

IMO it is a bug that /ip cloud back-to-home-user private-key= is NOT flagged as "sensitive".

True, but the "shared" (2nd+ users) do need to store allow-lan=yes|no and yeah the private-key needs to be someplace in config even if dynamic under /interface/wireguard.

1 Like

I created a ticket for it, SUP-207134, since IMO this is a bug.

3 Likes

[demo@MikroTik] > export [tab]
compact file show-sensitive terse verbose

In v7, opposite of hide-sensitive is show-sensitive.

verbose is what is used to show all values (even ones that have not been changed from their default values). Without verbose it will only display things that are different from the "empty" settings, i.e. if you do a /system reset-configuration no-defaults followed by an export, it will be a short export. After a /system reset-configuration and loading the default config, export will show defconf: items as well.

compact is like "wrap" long lines with \ continuations at end.

I used to think terse was opposite of verbose, but it is not. Terse forces all lines to be "self contained"

export

/system clock
set time-zone-name=America/New_York

vs export terse

/system clock set time-zone-name=America/New_York

To me "terse" seems an odd name for the feature, because a terse export will normally create a larger export, because of all the redundancy, as each line will stand on its own.

export options (7.19.6 on hEX S)

[demo@MikroTik] > /system resource print
                   uptime: 1w1d9h45m6s        
                  version: 7.19.6 (stable)    
               build-time: 2025-09-12 09:02:42
         factory-software: 6.46.4             
              free-memory: 196.4MiB           
             total-memory: 256.0MiB           
                      cpu: MIPS 1004Kc V2.15  
                cpu-count: 4                  
            cpu-frequency: 880MHz             
                 cpu-load: 2%                 
           free-hdd-space: 5.1MiB             
          total-hdd-space: 16.0MiB            
  write-sect-since-reboot: 1320               
         write-sect-total: 21518              
        architecture-name: mmips              
               board-name: hEX S              
                 platform: MikroTik           
[demo@MikroTik] > /system routerboard print
       routerboard: yes         
        board-name: hEX S       
             model: RB760iGS    
     serial-number: ************
     firmware-type: mt7621L     
  factory-firmware: 6.46.4      
  current-firmware: 7.19.6      
  upgrade-firmware: 7.19.6      
[demo@MikroTik] > export [tab]
compact     file     show-sensitive     terse     verbose   
[demo@MikroTik] > export 

Terse is very convenient for copy/paste as - since each line is self standing - you don't risk executing a command in the "wrong" section.

If needed, the spreadsheet here:

can do the conversion from terse to the more readable "normal" single line format.

Support replied that it will be fixed in future versions

2 Likes

export's attribute scheme is not great for sure... but we're stuck with it since it breaks folks' automation to change anything here. And my favorite: export terse verbose is valid. The way I look at it is "verbose" is a modifier meaning "include all default values", and "terse" meaning "one line per command" (with "compact" being the default). It's the lack of any new operator like export json|yaml|netconf|yang that's the bigger deficiency, since today export is a script generator, not a saved config.

resolved in 7.21rc5

And 7.20.7 as well.
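
A pre-share check for the leak discussed in this thread, as an added example that is not part of any post and not MikroTik code: it walks an export in normal or terse form, joins \-wrapped lines, and reports where a non-empty private-key= appears without echoing the value. The sample export, its name= and comment= attributes and the key strings are constructed, and the wrap handling (trailing \ with an indented continuation) is an assumption about the export layout.

```python
import re

# Attribute names to treat as secret; private-key is the one this thread is about.
SECRET_ATTRS = ("private-key",)
VERBS = ("add", "set")  # commands an export emits after a menu path

# Constructed sample mixing the normal and terse forms; not a real export.
SAMPLE = r'''# constructed sample
/interface wireguard
add listen-port=13231 name=wg1
/ip cloud back-to-home-user
add allow-lan=yes comment="second user" name=phone private-key=\
    "CONSTRUCTED-NOT-A-REAL-KEY="
/system clock set time-zone-name=America/New_York
/ip cloud back-to-home-user add name=tablet private-key="CONSTRUCTED-KEY-2="
'''

def logical_lines(text):
    """Yield (first_line_no, line) with backslash-wrapped lines joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        part = raw.strip() if buf else raw.rstrip()
        if part.endswith("\\"):
            buf += part[:-1]  # drop the continuation marker, keep collecting
            continue
        yield start, buf + part
        buf = ""
    if buf:
        yield start, buf

def find_secrets(text, attrs=SECRET_ATTRS):
    """Return [(line_no, menu_path, attr)] for each non-empty secret attribute."""
    pat = re.compile(r'(?<![\w-])(%s)=("(?:[^"\\]|\\.)*"|\S+)' % "|".join(map(re.escape, attrs)))
    hits, menu = [], ""
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu header, or a terse line carrying its own path
            words = line.split()
            cut = next((i for i, w in enumerate(words) if w in VERBS), len(words))
            menu, line = " ".join(words[:cut]), " ".join(words[cut:])
        for m in pat.finditer(line):
            if m.group(2) != '""':  # an empty value leaks nothing
                hits.append((no, menu, m.group(1)))
    return hits
```

Run find_secrets over the text of the .rsc file before posting or attaching it; an empty list means no private-key= value was found, and attrs can be extended with other attribute names you consider secret.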