diff --git a/tfclient/src/nebulaworker_inert.rs b/tfclient/src/nebulaworker_inert.rs
index 9a92361..4a54f8c 100644
--- a/tfclient/src/nebulaworker_inert.rs
+++ b/tfclient/src/nebulaworker_inert.rs
@@ -2,10 +2,15 @@
 // This is an inert version of the nebula worker that does nothing, used when linking to nebula is diabled.
 // This is useful if you wish to run your own nebula binary, for example on platforms where CGo does not work.
-use crate::config::TFClientConfig;
+use crate::config::{load_cdata, NebulaConfig, TFClientConfig};
 use crate::daemon::ThreadMessageSender;
+use crate::dirs::{nebula_yml};
+use log::{debug, error, info};
+use std::error::Error;
+use std::fs;
 use std::sync::mpsc::Receiver;
-use log::error;
+use nebula_ffi::NebulaInstance;
+use crate::util::shutdown;
 pub enum NebulaWorkerMessage {
 Shutdown,
@@ -13,6 +18,32 @@ pub enum NebulaWorkerMessage {
 WakeUp,
 }
+fn insert_private_key(instance: &str) -> Result<(), Box> {
+ if !nebula_yml(instance).exists() {
+ return Ok(()); // cant insert private key into a file that does not exist - BUT. we can gracefully handle nebula crashing - we cannot gracefully handle this fn failing
+ }
+ let cdata = load_cdata(instance)?;
+ let key = cdata.dh_privkey.ok_or("Missing private key")?;
+
+ let config_str = fs::read_to_string(
+ nebula_yml(instance),
+ )?;
+ let mut config: NebulaConfig = serde_yaml::from_str(&config_str)?;
+
+ config.pki.key = Some(String::from_utf8(key)?);
+
+ debug!("inserted private key into config: {:?}", config);
+
+ let config_str = serde_yaml::to_string(&config)?;
+ fs::write(
+ nebula_yml(instance),
+ config_str,
+ )?;
+
+ Ok(())
+}
+
+
 pub fn nebulaworker_main(_config: TFClientConfig, _instance: String, _transmitter: ThreadMessageSender, rx: Receiver) {
 loop {
 match rx.recv() {
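Review bot: `use nebula_ffi::NebulaInstance;` and `use crate::util::shutdown;` are added to the inert worker, but nothing in the visible hunks uses either name. The file's own header says this module is for builds where linking to nebula is disabled, so an unconditional `nebula_ffi` import looks likely to reintroduce the dependency this file exists to avoid, or to fail the build if that crate is feature-gated (the manifest is not shown). I would drop both lines and write the new path import as `use crate::dirs::nebula_yml;` without the single-item braces.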
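Review bot: `debug!("inserted private key into config: {:?}", config);` in `insert_private_key` prints the whole `NebulaConfig` immediately after `config.pki.key` is set, so the Nebula private key is written to any log captured at debug level. Log the event without the value, e.g. `debug!("inserted private key into config for instance {}", instance);`. The `fs::write` that follows truncates the key-bearing YAML in place and leaves its mode to the process umask; writing to a temporary file created with owner-only permissions and renaming it over the target would avoid both a readable key file and a half-written one. A short doc comment should also state that returning `Ok(())` when the file does not exist is deliberate, since the inline remark on that line is hard to follow.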
@@ -22,8 +53,22 @@ pub fn nebulaworker_main(_config: TFClientConfig, _instance: String, _transmitte
 },
 NebulaWorkerMessage::Shutdown => {
 break;
+ },
+ NebulaWorkerMessage::ConfigUpdated => {
+ info!("our configuration has been updated - reloading");
+
+ debug!("fixing config...");
+ match insert_private_key(&instance) {
+ Ok(_) => {
+ debug!("config fixed (private-key embedded)");
+ }
+ Err(e) => {
+ error!("unable to fix config: {}", e);
+ error!("nebula thread exiting with error");
+ return;
+ }
+ }
 }
- _ => ()
 },
 Err(e) => {
 error!("{}", e);
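Review bot: `insert_private_key(&instance)` in the new `ConfigUpdated` arm refers to `instance`, but the signature shown as context in the previous hunk still names the parameter `_instance` and no hunk renames it, so this should not compile as posted. Rename the parameter to `instance`, or call `insert_private_key(&_instance)`. On the `Err` path the arm logs and `return`s, which ends the worker thread while `_transmitter` stays unused; if the daemon is supposed to learn that the key could not be embedded, that has to be signalled here. The rest of `nebulaworker_main` lies outside the hunk, so I cannot tell whether something else already covers it.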