Managing Keys

Learn how keys are created, accessed, and governed in Secryn.

Keys in Secryn represent cryptographic material used for encryption, signing, authentication, and secure integrations. Keys belong to a vault and are governed by project-level access and optional restricted vault rules.

Unlike secrets, keys are immutable and non-versioned. Once created, a key cannot be edited.

Supported Key Types

Secryn currently supports:

  • RSA
  • Elliptic Curve (EC)
  • Ed25519

Each key is generated or uploaded based on its algorithm and configuration.

Creating a Key

To create a key:

  • Navigate to a Project
  • Open a Vault
  • Click New Key
  • Choose:
    • Key type (RSA, EC, Ed25519)
    • Key size or curve (if applicable)
    • Name
    • Optional expiration date
    • Optional tags
  • Save

Once created:

  • The key becomes active immediately unless scheduled.
  • An audit log entry is recorded.
  • The key cannot be modified afterward.

Key Immutability

Keys in Secryn are immutable.

This means:

  • No in-place edits
  • No version history
  • No value updates
  • No rotation within the same key record

If a key must be changed:

  • Create a new key
  • Update dependent systems
  • Disable the old key if necessary

This design prevents silent mutation of cryptographic material.

Public Visibility

Keys may be marked as public.

In Secryn, "public" refers only to visibility and access behavior.

When enabled:

  • A public download URL is generated
  • Vault authentication is not required
  • Anyone with the link can retrieve the key

Important:

  • "Public" does not refer to the public half of a public/private key pair
  • Secryn does not distinguish between public and private key storage
  • Public URLs bypass vault-level access control

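Use public visibility cautiously: because Secryn does not distinguish between public and private key storage, the public URL serves whatever material the key record holds to anyone with the link.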
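
A pre-flight check for the caveat above, as an added example that is not part of Secryn or its documentation: it classifies key text by its PEM or OpenSSH framing and refuses anything not positively identified as public material before the record is marked public. The function names, file names and sample inputs are assumptions made for illustration, and the sample bodies are constructed placeholders rather than real keys.

```python
import re

# PEM labels (RFC 7468 style) that carry only public material.
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY", "CERTIFICATE"}
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# One-line OpenSSH public key: "<type> <base64> [comment]".
SSH_PUBLIC = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-\S+) [A-Za-z0-9+/=]+", re.M)


def classify_key_material(text: str) -> str:
    """Return 'private', 'public' or 'unknown' for key text.

    Any private block wins, so a bundle holding both halves is 'private'.
    """
    labels = set(PEM_BEGIN.findall(text))
    if any("PRIVATE" in label for label in labels):
        return "private"  # PKCS#1, PKCS#8, SEC1, OpenSSH, encrypted or not
    if labels and labels <= PUBLIC_LABELS:
        return "public"
    if not labels and SSH_PUBLIC.search(text):
        return "public"
    return "unknown"


def safe_to_mark_public(text: str) -> bool:
    """Fail closed: only material positively identified as public passes."""
    return classify_key_material(text) == "public"


def pem_sample(label: str) -> str:
    # Constructed sample: the body is a placeholder, only the framing matters.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"


# Constructed inputs (hypothetical file names), not real keys.
SAMPLES = {
    "ed25519-pub.pem": pem_sample("PUBLIC KEY"),
    "rsa.pem": pem_sample("RSA PRIVATE KEY"),
    "bundle.pem": pem_sample("PUBLIC KEY") + pem_sample("PRIVATE KEY"),
    "deploy.pub": "ssh-ed25519 AAAAC3NzaCONSTRUCTED deploy@example\n",
    "notes.txt": "rotation due next quarter\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict = "allow" if safe_to_mark_public(text) else "block"
        print(f"{name}: {classify_key_material(text)} -> {verdict}")
```

The check reads text framing only, so DER or other binary encodings come back as "unknown" and are blocked.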

Enabling and Disabling Keys

Keys can be enabled or disabled.

  • Enabled -> retrievable via API or public URL (if public visibility is enabled)
  • Disabled -> not accessible

Disabling does not delete the key.

Expiration

Keys may have an expiration date.

Expiration:

  • Does not automatically delete the key
  • Can trigger notifications (if configured)
  • Is recorded in logs

Administrators are responsible for rotating expired keys.

Tags

Keys can be tagged for organization.

Tags:

  • Do not affect access control
  • Improve filtering and management
  • Help separate environments or services

Access Control

Access to keys is determined by:

  • Project membership
  • User role
  • Vault rules (including Restricted Vaults)
  • Public visibility setting (if enabled)

Admins and Project Managers typically manage keys. Contributors may create keys if permitted by vault rules.

Accessing Keys via API

Keys can be accessed using:

  • Vault access keys
  • Authenticated API requests
  • MCP clients
  • Public URL (if visibility is enabled)

All access is logged in request logs.

Security Model

Keys in Secryn follow these principles:

  • Immutable once created
  • No version history
  • No silent mutation
  • Explicit replacement for rotation
  • Full audit logging
  • Controlled public exposure

Secryn prioritizes cryptographic integrity and traceability.

Best Practices

  • Use restricted vaults for sensitive keys
  • Rotate keys by creating new records
  • Disable unused keys
  • Avoid enabling public visibility unless necessary
  • Monitor key usage through logs