Keys

Manage immutable cryptographic material with clear lifecycle controls.

Keys in Secryn represent immutable cryptographic assets used for signing, encryption, authentication, and secure system access. Keys are created once and cannot be edited after creation. This immutability ensures cryptographic integrity and prevents accidental or unauthorized changes.

Every key belongs to a vault, and access is enforced through project membership, vault access rules, and user roles.

What Keys Are Used For

Keys are commonly used for:

  • application-level encryption or signing
  • service-to-service authentication
  • SSH access
  • infrastructure and automation workflows
  • secure distribution of cryptographic material

Secryn stores and distributes keys safely—it does not mutate or regenerate keys after creation.

Supported Key Types

  • RSA
  • Elliptic Curve (EC)
  • Ed25519 (EdDSA)

SSH-compatible formats are supported via output format selection rather than separate key types.

Creating Keys

You can either generate a new key in Secryn or upload an existing key (PEM/PKCS). When generating a key, you choose:

  • key type and size
  • output format
  • activation and expiration times
  • optional tags and visibility settings

Once saved, the key configuration is locked and cannot be modified.

Key Immutability

Keys cannot be edited or versioned. If a key needs to be changed, rotated, or replaced, create a new key and disable or expire the old one. The original key data remains unchanged, which keeps the audit trail consistent and makes rotation an explicit workflow.

Output Formats

  • Standard (PEM) for general cryptographic use
  • SSH (OpenSSH) for SSH-compatible workflows
  • Both, when working across mixed environments

Format selection controls how the key material is generated and downloaded.

Activation, Expiration, and State

Each key supports lifecycle controls:

  • activation time – when the key becomes usable
  • expiration time – when the key should no longer be used
  • enabled/disabled toggle – temporarily disable usage without deleting the key

Disabling a key preserves history and does not remove it from the vault.

Visibility and Public Access

Keys can optionally be marked as publicly accessible:

  • accessible via direct URL
  • vault authentication not required
  • intended for controlled external consumption

Use public visibility cautiously and only when external systems explicitly require it.

Tags and Organization

Attach tags to help identify services, environments, or compliance classifications. Tags improve discoverability but do not affect access control.

Permissions and Access Control

Key access depends on:

  1. project membership
  2. vault access (including restricted vault rules)
  3. user role

Depending on role, users may create keys, download them, disable or expire them, or view metadata only.

Best Practices

  • treat keys as immutable and disposable
  • rotate keys by creating new ones, never editing existing keys
  • apply expiration dates whenever possible
  • disable keys instead of deleting them abruptly
  • store sensitive keys in restricted vaults
  • avoid public visibility unless absolutely required
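
The lifecycle controls and the practices above can be checked mechanically against exported key metadata. The following is an added example, not Secryn code: the field names, the sample records, and the rules that a disabled key overrides its time window and that a key counts as expired from its expiration time onward are all assumptions.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = utc(2025, 6, 1)  # fixed clock so the constructed sample is reproducible
# Constructed sample metadata; field names are hypothetical, not Secryn's schema.
FIELDS = ("name", "enabled", "public", "activates_at", "expires_at")
SAMPLE_KEYS = [dict(zip(FIELDS, row)) for row in [
    ("api-signing-2024", True, False, utc(2024, 1, 1), utc(2025, 1, 1)),
    ("api-signing-2025", True, False, utc(2025, 1, 1), utc(2026, 1, 1)),
    ("deploy-ssh", True, False, None, None),
    ("partner-verify", False, True, utc(2025, 1, 1), utc(2025, 12, 1)),
    ("batch-enc", True, False, utc(2025, 9, 1), utc(2025, 3, 1)),
]]

def key_state(key, now=NOW):
    """Effective state derived from activation, expiration and the enabled toggle."""
    start, end = key.get("activates_at"), key.get("expires_at")
    for ts in (start, end):
        # Naive timestamps cannot be compared safely across systems; reject them.
        if ts is not None and ts.tzinfo is None:
            raise ValueError(f"{key['name']}: timestamp has no timezone")
    if not key["enabled"]:
        return "disabled"  # assumption: the toggle wins over any time window
    if start is not None and now < start:
        return "pending"
    if end is not None and now >= end:
        return "expired"   # assumption: expiration time itself is already expired
    return "active"

def audit(keys, now=NOW):
    """Return {key name: [findings]} for keys that break the practices listed above."""
    report = {}
    for key in keys:
        key_state(key, now)  # validates timestamps before comparing them
        findings = []
        start, end = key.get("activates_at"), key.get("expires_at")
        if end is None:
            findings.append("no expiration time set")
        elif start is not None and start >= end:
            findings.append("activation time is not before expiration time")
        if key.get("public"):
            findings.append("publicly accessible; confirm an external consumer requires it")
        if findings:
            report[key["name"]] = findings
    return report

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(k["name"], key_state(k), audit([k]).get(k["name"], []))
```

Because keys are immutable, a finding such as an inverted time window cannot be corrected in place; the remedy is a replacement key and disabling the flagged one.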

Keys are intentionally rigid in Secryn. This immutability and explicit lifecycle model reduces risk, improves auditability, and encourages safe cryptographic practices across teams and infrastructure.