scriptos/keywarden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
master
keywarden/docs/README.md

3.5 KiB
Raw Permalink Blame History

Keywarden Documentation

Welcome to the official documentation for Keywarden — a self-hosted, centralized SSH key management and deployment platform.

Table of Contents

  1. Quick Start Guide — Get Keywarden running in minutes
  2. Installation & Deployment — Docker setup, reverse proxy, production deployment
  3. Architecture Overview — System design, components, technology stack
  4. User Guide — Day-to-day usage for all users
  5. Administration Guide — Server management, deployments, access assignments, cron jobs
  6. Roles & Permissions — Owner, Admin, and User role details
  7. Security — Authentication, MFA, encryption, CSRF, hardening
  8. Environment Variables — Complete configuration reference
  9. Email Configuration — SMTP setup, login notifications, invitations
  10. API Reference — Health check endpoint and internal APIs
  11. Backup & Restore — Encrypted database backup and restore
  12. Troubleshooting — Common issues and solutions
  13. Contributing — Development setup, project structure, guidelines

What is Keywarden?

Keywarden provides a clean web UI to generate, import, and securely store SSH keys (RSA, Ed25519, and Ed448) in one central place. Managed keys can then be deployed to registered Linux servers — individually or via server groups — with a single click. A complete audit log tracks every action in the system.

Key Features

  • SSH Key Management — Generate (RSA 2048/4096, Ed25519, Ed448) or import existing key pairs
  • Encrypted Storage — All private keys stored with AES-256-GCM encryption at rest
  • System Master Key — Auto-generated Ed25519 key used for all server authentication
  • Host & Group Management — Register servers, organize them into groups, deploy keys to one or many
  • Access Assignments — Map users + keys to target hosts/groups with specific system users, sudo rights, and user creation
  • Temporary Access (Cron Jobs) — Schedule time-limited access with automatic key removal, user disabling, or user deletion on expiry
  • Three-Tier Role System — Owner, Admin, and User roles with clear permission boundaries
  • User Invitations — Invite new users via secure email links with self-service password setup
  • Key Enforcement — Bastillion-style enforced key management: detect and remove unauthorized SSH keys automatically
  • TOTP Two-Factor Authentication — Optional or enforced MFA for all users
  • Password Policies — Configurable complexity requirements with account lockout
  • Email Notifications — Login alerts and invitation emails via SMTP
  • Comprehensive Audit Log — Every action logged with user, timestamp, IP address, and details
  • Encrypted Backup/Restore — Full database export with AES-256 password encryption
  • Docker-Native — Single-container deployment with SQLite, no external database needed
  • Security Hardened — CSRF protection, CSP headers, rate limiting, request size limits

Community

Have questions, ideas, or feedback? Join the Keywarden Matrix chat room:

➡️ #keywarden:techniverse.net

License

Keywarden is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0-or-later).

© 2026 Patrick Asmus (scriptos)

Reference in New Issue View Git Blame Copy Permalink