Currently, if you have APM installed, the UCS Archive process, also backs up the epsec images.
I have written a bash script, which modifies the UCS Archive process, so that it does not include these in the UCS Archive process, and it also modifies the bigip.conf that is archived, so that it does not contain references to these images.
By default, APM has it's own epsec image in /var/sam/images so when your UCS Archive is loaded to a new system, or a rebuilt system, it will just use the default epsec image for that system.
This means that if you have upload a new epsec image to fix an issue, you will need to ensure that this is done on any system you restore the UCS Archive too.
How to use this snippet:
Just save the bash script to a file like /shared/bin/modify_ucs.sh
Then run the script:-
# sh /shared/bin/modify_ucs.sh
The script modifies /usr/libdata/configsync/cs.dat and creates two files config_save_pre and config_save_post in the same folder. It also creates a backup of cs.dat as cs.YYYY_MM_DD_HH_MM.bak
The /usr filesystem is mounted RO, so I remount it RW to do this.
This modification does not survive a upgrade, so you will need to run the script again after any upgrade
If you are running a cron job to create a daily/weekly backup, you can just call this script before you run the tmsh save sys ucs command, as it checks to see if the modification has already been done.