NetCloud Engine (Formerly Pertino): Device Authentication FAQ

Beverly McRae


This article answers the most frequently asked questions about Device Authentication.


  • What is Device Authentication?

    Device Authentication (Device Auth) lets devices with the NetCloud Engine Linux client join your network without requiring a username and password.

  • How does it work?

    With Device Auth, you generate a key, similar to a license file, which a device uses to authenticate to your network.

  • What are some use cases for Device Auth?
    1. Device authenticated servers are not impacted by password changes, so you can use this authentication to prevent the loss of connectivity that occurs when traditional passwords are changed.
    2. Today, every device requires a username/password to connect to NetCloud Engine. If you do not want to invite your individual end users to the network or have them create accounts, you can install NetCloud Engine with Device Auth on each end user’s machine.
    3. With Device Auth, you can securely script and spin up servers. For example, Debian shows CLI commands in clear text. If you use Device Auth, you do not need to transmit or show your password.
  • How do I generate the key?

    You can navigate to the key generation page by selecting the three dot settings icon at the top right.

    This will take you to the network settings page. Now select “Generate Authentication Key”.

    This will create a new key, revoking the old key, and prompt you to download a file called “apikey.pertino”.

  • Why is it called “Device Authentication Key”?

    Device Authentication Key is a term used for a token that identifies and authenticates devices when accessing a system.

  • What happens to the key after the client uses it to authenticate?

    The key file that the client uses to join the network is deleted from the client machine once it is successfully joined.

  • How long is the key valid?

    The key is valid until you revoke and generate a new key. This means that you can have multiple clients use the same key to join your network.

  • What if someone shared the key with family members and I want to revoke the key?

    You can revoke the key by generating a new key (only one key is valid at a time). Once the key is revoked, no clients can authenticate with it.

  • What if someone used the key and I no longer want them on my network?

    You can remove a device by selecting Re-Authenticate in the Device’s “I want to” dropdown.

    NOTE: Re-Authenticate will remove the device from all NetCloud Engine networks. It will also delete the authentication token. This means the device will be unable to join any network unless a username/password or valid API key is entered on the client side.

  • What happens to clients that have authenticated with a key that I have just revoked?

    Clients that have successfully authenticated are not affected by a revoked key and remain connected to the network. (They have exchanged the key for an authentication token and have already deleted the key.) Only clients that have not successfully authenticated and that attempt to use the revoked key will be unable to join the network.

  • If I have multiple networks, which network does the device join by default?

    When you generate a key, the devices that use that key will join the network that is “active” or selected in the top left of the Admin Portal.

  • Can I move the device to another network?

    Yes. In the Admin Portal, you can use the “Switch Network” option to move that device to another network.

    Note: Unlike user-authenticated devices, you will not be able to change the network from within the client. There will be no networks listed in the client tray, and changes will need to occur within the admin portal.

  • Can I generate multiple keys on multiple networks?

    While you cannot have MORE than 1 key PER network, you can have a key for each network you own. For example, if you have an “Engineering Network” and a “Sales Network,” you can generate a key for each network and then provide the corresponding key to the sales or engineering teams, respectively.
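
Because the key stays valid until a new one is generated, and the client deletes only the key file it joined with, other copies of “apikey.pertino” (a downloads folder, a provisioning directory) remain usable. The script below is an added example, not part of NetCloud Engine or its documentation: it walks the given directories for files with that name and flags any readable beyond the owner. The search roots, the owner-only permission check, and the sample tree are assumptions of this example.

```python
"""Audit directory trees for leftover Device Auth key files (added example)."""
import os
import stat
import sys
import tempfile

KEY_FILENAME = "apikey.pertino"  # file name given in the FAQ


def find_key_files(roots):
    """Return one finding per regular file named KEY_FILENAME under roots."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            if KEY_FILENAME not in files:
                continue
            path = os.path.join(dirpath, KEY_FILENAME)
            st = os.lstat(path)  # lstat: do not follow a symlinked key file
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            findings.append({
                "path": path,
                "mode": oct(mode),
                # Assumption: any group/other permission bit counts as exposed.
                "exposed": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed sample: two stray key copies and one unrelated file."""
    base = tempfile.mkdtemp(prefix="deviceauth-audit-")
    for rel, mode in (("home/alice/Downloads", 0o644), ("srv/provision", 0o600)):
        directory = os.path.join(base, rel)
        os.makedirs(directory)
        path = os.path.join(directory, KEY_FILENAME)
        with open(path, "w") as fh:
            fh.write("CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    os.makedirs(os.path.join(base, "etc"))
    open(os.path.join(base, "etc", "hosts"), "w").close()
    return base


if __name__ == "__main__":
    roots = sys.argv[1:] or [build_demo_tree()]
    for f in find_key_files(roots):
        label = "EXPOSED" if f["exposed"] else "owner-only"
        print(f"{f['path']}  mode={f['mode']}  {label}")
```

Any copy this reports is a credential that can still join a device to the network; delete it, and generate a new key if the copy may have been read by someone else.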
