scriptos/keywarden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
268955732ad5f70e7bdde29c42a9081be3f936a1
keywarden/docs/quickstart.md
Patrick Asmus (scriptos) 45baaf8db8
Some checks failed
PR Tests / Lint, Build & Test (pull_request) Failing after 45s
Details
Security Scan / Go Vulnerability Check (pull_request) Failing after 14s
Details
docs: add secure key generation guide for session and encryption keys
2026-04-05 17:58:02 +02:00

133 lines
3.7 KiB
Markdown
Raw Blame History

# Quick Start Guide
Get Keywarden running in under 5 minutes using Docker Compose.
## Prerequisites
- Docker and Docker Compose installed
- A Linux host (or any system that runs Docker)
## 1. Create Project Directory
```bash
mkdir keywarden && cd keywarden
```
## 2. Create Environment File
Create a `.env` file with at minimum these settings:
Generate two separate, cryptographically secure random strings (minimum 32 characters each):
```bash
# Linux / macOS
openssl rand -base64 48
# Alternative without OpenSSL
head -c 48 /dev/urandom | base64
# Windows (PowerShell)
[Convert]::ToBase64String((1..48 | ForEach-Object { Get-Random -Max 256 }) -as [byte[]])
```
Each command produces a 64-character Base64 string. Run it **twice** — once for each key — and paste the values below:
```env
# REQUIRED: Change these for security!
KEYWARDEN_SESSION_KEY=<first generated string>
KEYWARDEN_ENCRYPTION_KEY=<second generated string>
# Optional: Owner credentials (defaults: admin / auto-generated password)
KEYWARDEN_OWNER_USER=admin
KEYWARDEN_OWNER_EMAIL=admin@example.com
# Optional: Port (default: 8080)
KEYWARDEN_PORT=8080
```
> **Important:** The `KEYWARDEN_ENCRYPTION_KEY` is used to encrypt all private keys at rest. If you lose this key, stored private keys cannot be decrypted. Keep it safe!
## 3. Create docker-compose.yml
```yaml
services:
keywarden:
image: git.techniverse.net/scriptos/keywarden:latest
container_name: keywarden
restart: unless-stopped
ports:
- "${KEYWARDEN_PORT:-8080}:${KEYWARDEN_PORT:-8080}"
volumes:
- ./data:/data
env_file:
- .env
networks:
keywarden_net:
ipv4_address: 172.23.64.10
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:${KEYWARDEN_PORT:-8080}/api/health"]
interval: 30s
timeout: 5s
start_period: 10s
retries: 3
networks:
keywarden_net:
name: keywarden.dockernetwork.local
driver: bridge
ipam:
config:
- subnet: 172.23.64.0/24
gateway: 172.23.64.1
ip_range: 172.23.64.128/25
```
## 4. Start Keywarden
```bash
docker compose up -d
```
## 5. Get the Initial Password
On first startup, Keywarden creates an owner account and generates a secure random password. Check the logs:
```bash
docker compose logs keywarden
```
Look for output like:
```
════════════════════════════════════════════════════════════
Initial owner account created
Username: admin
Password: AbCdEf1234567890XyZw
Please change this password after first login!
════════════════════════════════════════════════════════════
```
## 6. Log In
Open your browser and navigate to `http://your-host:8080`, then log in with the credentials from the logs.
You will be prompted to change the initial password on first login.
## 7. Deploy the Master Key
After login, Keywarden displays the **system master key** (an Ed25519 public key). This key must be placed in the `~/.ssh/authorized_keys` file of the admin/root user on every server you want to manage.
The master key is shown on the **Admin Settings** page and in the startup logs.
```bash
# On each target server, as root:
echo "ssh-ed25519 AAAA... keywarden-system-master" >> ~/.ssh/authorized_keys
```
## What's Next?
- [Full Deployment Guide](deployment.md) — Production setup with HTTPS and reverse proxy
- [User Guide](user-guide.md) — How to manage SSH keys
- [Admin Guide](admin-guide.md) — How to manage servers and access assignments
- [Environment Variables](environment-variables.md) — All configuration options
Reference in New Issue View Git Blame Copy Permalink