NetworkManager loads (and generates) a secret key as "/var/lib/NetworkManager/secret_key".
The secret key is used for seeding a per-host component when generating hashed, stable data. For example, it contributes to "ipv4.dhcp-client-id=duid" "ipv6.addr-gen-mode=stable-privacy", "ethernet.cloned-mac-address=stable", etc. As such, it corresponds to the identity of the host.
Also "/etc/machine-id" is the host's identity. When cloning a virtual machine, it may be a good idea to generate a new "/etc/machine-id", at least in those cases where the VM's identity shall be different. Systemd provides various mechanisms for doing that, like accepting a new machine id via kernel command line. For the same reason, the user should also regenerate a new NetworkManager's secrey key when the host's identity shall change. However, that is less obvious, less understood and less documented.
Support and use a new variant of secret key. This secret key is combined with "/etc/machine-id" by sha256 hashing it together. That means, when the user generates a new machine-id, NetworkManager's per-host key also changes.
Since we don't want to change behavior for existing installations, we only do this when generating a new secret key file. For that, we encode a version tag inside the "/var/lib/NetworkManager/secret_key" file.