
Keywarden

Keywarden is a self-hosted web application for centralized SSH key management and deployment. It lets you generate, store, and deploy SSH keys to Linux servers from a single web interface — with full audit logging, role-based access control, and automated temporary access scheduling.

[Screenshot: Keywarden Dashboard]

⚠️ Alpha Software — Important Notice

Keywarden is currently in alpha status.

  • Do NOT expose this application directly to the public internet. Use it only in trusted, private networks.
  • The software may contain bugs, incomplete features, or security issues.
  • Your feedback is valuable! If you discover bugs or have suggestions, please open an Issue on GitHub. Every report helps improve the project.

Features

  • SSH Key Management — Generate (RSA 2048/4096, Ed25519, Ed448) or import existing keys
  • Encrypted Storage — Private keys encrypted at rest with AES-256-GCM
  • Server & Group Management — Register servers, organize into groups
  • Access Assignments — Declarative access model: assign users + keys to servers with system user, sudo, and user creation
  • Temporary Access — Schedule time-limited access with automatic expiry (key removal, user disable, or user deletion)
  • Three-Tier Roles — Owner, Admin, and User with distinct permissions
  • User Invitations — Invite users via secure email links
  • Key Enforcement — Bastillion-style enforced key management: automatically detect and remove unauthorized SSH keys from servers
  • Two-Factor Authentication — TOTP-based MFA, optionally enforced for all users
  • Password Policies & Account Lockout — Configurable complexity rules and brute-force protection
  • Audit Log — Every action tracked with user, IP, timestamp, and details
  • Update Notifications — Automatic update check with version badge in the header for admins
  • Encrypted Backup/Restore — Full database export with password-based encryption
  • Docker-Native — Single container with embedded SQLite, no external database required

Quick Start

Prerequisites

1. Clone and configure

git clone https://git.techniverse.net/scriptos/keywarden.git
cd keywarden

Create a .env file and generate two separate cryptographically secure keys:

# Generate keys (run twice, once per key):
openssl rand -base64 48
KEYWARDEN_SESSION_KEY=<first generated string>
KEYWARDEN_ENCRYPTION_KEY=<second generated string>

Important: Change both keys to unique random strings. The encryption key protects all stored SSH private keys — if lost, they cannot be recovered. See the Quick Start Guide for more options to generate secure keys.

2. Start

docker compose up -d

3. Get the initial password

docker compose logs keywarden

Look for the auto-generated admin password in the output:

════════════════════════════════════════════════════════════
  Initial owner account created
  Username: admin
  Password: <auto-generated>
  Please change this password after first login!
════════════════════════════════════════════════════════════

4. Open

Navigate to http://your-host:8080 and log in. You will be prompted to change the password.

5. Deploy the master key

After login, copy the system master key (shown in Admin Settings and in the startup logs) and add it to the authorized_keys of the root user on every server you want to manage:

echo "ssh-ed25519 AAAA... keywarden-system-master" >> /root/.ssh/authorized_keys
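The two secret-handling steps above (writing the .env in step 1 and adding the master key in step 5) as an added POSIX shell example; this is not part of the Keywarden project. It assumes the README's two variable names and falls back to /dev/urandom where openssl is not installed; the public key string in any test is constructed, not a real Keywarden key.

```shell
# Produce one 48-byte random value, base64-encoded (64 characters), exactly as
# the README's `openssl rand -base64 48` does; fall back to /dev/urandom if
# openssl is not available on this host.
gen_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 48 | tr -d '\n'
  else
    head -c 48 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Write KEYWARDEN_SESSION_KEY and KEYWARDEN_ENCRYPTION_KEY to the file named in
# $1. Refuses to overwrite an existing file (a lost encryption key means the
# stored SSH private keys are unrecoverable), refuses to proceed if the two
# generated values are identical, and creates the file owner-readable only.
write_env() {
  env_file="$1"
  if [ -e "$env_file" ]; then
    echo "refusing to overwrite existing $env_file" >&2
    return 1
  fi
  session_key=$(gen_key)
  encryption_key=$(gen_key)
  if [ "$session_key" = "$encryption_key" ]; then
    echo "generated keys are identical; aborting" >&2
    return 1
  fi
  ( umask 077
    printf 'KEYWARDEN_SESSION_KEY=%s\nKEYWARDEN_ENCRYPTION_KEY=%s\n' \
      "$session_key" "$encryption_key" > "$env_file" )
}

# Append the master public key ($1) to an authorized_keys file ($2) only if
# that exact line is not already present, so repeated runs never duplicate it,
# and fix the directory/file permissions sshd requires (700 / 600).
deploy_master_key() {
  pubkey="$1"
  auth_file="$2"
  ssh_dir=$(dirname "$auth_file")
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth_file"
  chmod 600 "$auth_file"
  if ! grep -qxF "$pubkey" "$auth_file"; then
    printf '%s\n' "$pubkey" >> "$auth_file"
  fi
}
```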

Documentation

For detailed documentation, see the docs/ folder:


License

Keywarden is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0-or-later).

© 2026 Patrick Asmus (scriptos)


Community

Join the Keywarden Matrix chat to discuss the project, ask questions, or share feedback:

➡️ #keywarden:techniverse.net


Repository & Mirror

Primary (Gitea):    git.techniverse.net/scriptos/keywarden
Mirror (GitHub):    github.com/pscriptos/keywarden
Container Registry: git.techniverse.net/scriptos/-/packages/container/keywarden

The primary repository is hosted on Gitea. The GitHub repository is a read-only mirror.

Bug reports & feature requests: Please open an Issue on GitHub — registration on the Gitea instance is currently closed.
