scriptos/keywarden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
268955732ad5f70e7bdde29c42a9081be3f936a1
keywarden/docs/user-guide.md
Patrick Asmus (scriptos) fd13e67aef
Some checks failed
Release Docker Image / Build & Push Docker Image (release) Failing after 1m30s
Details
Release: v0.1.0-alpha
2026-04-05 16:56:16 +02:00

5.5 KiB
Raw Blame History

User Guide

This guide covers everyday usage of Keywarden for all authenticated users. For administrative tasks (server management, access assignments, etc.), see the Admin Guide.

Logging In

Navigate to your Keywarden instance in a web browser and enter your username and password.

  • If MFA is enabled on your account, you will be prompted for a TOTP code after entering your password.
  • If your account is locked due to too many failed login attempts, wait for the lockout period to expire or ask an administrator to unlock it.
  • If you were invited via email, use the invitation link to set your password before logging in.

Dashboard

The dashboard provides an overview of your environment:

  • Key Count — Number of SSH keys you own
  • Server Count — Servers you have access to (admins/owners see all servers)
  • Group Count — Server groups (admins/owners see all groups)
  • Assignment Count — Access assignments related to you
  • Recent Keys — Latest SSH keys
  • Recent Audit Log — Your recent activity (admins see global activity)
  • Recent Deployments — Latest key deployment results

SSH Key Management

Generating Keys

  1. Navigate to KeysGenerate Key
  2. Fill in the form:
    • Name: A descriptive name for the key (e.g., "Production Deploy Key")
    • Key Type: Choose between:
      • Ed25519 (recommended) — Fast, secure, compact. 256-bit.
      • RSA 2048 — Widely compatible
      • RSA 4096 — Maximum RSA security
      • Ed448 — 224-bit security level (experimental)
    • Comment: Optional comment embedded in the public key
  3. Click Generate

The private key is encrypted with AES-256-GCM and stored in the database. It never touches the filesystem in plaintext.

Importing Keys

  1. Navigate to KeysImport Key
  2. Enter a name for the key
  3. Paste the private key (PEM format) into the text area
  4. Click Import

Keywarden automatically detects the key type (RSA, Ed25519, Ed448) and extracts the public key and fingerprint.

Viewing Keys

The Keys page lists all your SSH keys with:

  • Name, type, key size
  • SHA-256 fingerprint
  • Creation date

Admins and owners see all keys in the system, grouped by owner.

Downloading Keys

From the key list, you can download:

  • Public Key — For deployment to servers
  • Private Key — Decrypted and downloaded (use with caution)

Deleting Keys

Click the delete button next to a key. This permanently removes both the public and encrypted private key from the database.

Note: Deleting a key from Keywarden does not remove it from servers where it was previously deployed.

My Access

Navigate to My Access to see all access assignments that grant you access to servers:

  • Target — Server or server group
  • System User — The Linux user account on the target server
  • SSH Key — Which of your keys is deployed
  • Sudo — Whether sudo privileges are granted
  • Status — Current sync status (pending, synced, failed)
  • Initial Password — If a system user was created for you, the initial password is shown here

This is a read-only view. Only administrators can create, modify, or delete access assignments.

User Settings

Navigate to Settings to manage your account:

Theme

Choose between:

  • Auto — Follows your system/browser preference
  • Light — Always light mode
  • Dark — Always dark mode

Password Change

Change your password. The new password must comply with the configured password policy (displayed on the form).

Two-Factor Authentication (MFA)

Enabling MFA

  1. Go to SettingsTwo-Factor Authentication
  2. Click Enable MFA
  3. Scan the QR code with an authenticator app (Google Authenticator, Authy, etc.)
  4. Enter the 6-digit code from your app to confirm
  5. MFA is now active for your account

Disabling MFA

Click Disable MFA in settings. This is only available if the administrator has not enforced MFA system-wide.

If MFA is enforced by the administrator, you must set it up before you can access any other page.

Email Notifications

If email is configured, you can enable Login Notifications. Every time someone logs into your account, you'll receive an email with:

  • IP address
  • Timestamp
  • User agent (browser)

Profile Picture

Upload a profile picture (avatar) that is displayed next to your name in the navigation. Supported formats: JPEG, PNG, GIF, WebP. Maximum size is limited by the server's request size limit.

Audit Log

Navigate to Audit to view the activity log:

  • Regular users see their own activity
  • Admins see activity from all non-owner users
  • Owners see all activity

The audit log records every significant action including logins, key operations, deployments, settings changes, and administrative actions.

Forced Password Change

If an administrator flags your account for a mandatory password change, you will be redirected to the password change page on every request until you set a new password. This typically happens:

  • After your initial account creation
  • If an admin resets your password
  • If there's a security concern

Invitation Flow

If you receive an invitation email:

  1. Click the invitation link
  2. You'll see a registration page with your pre-assigned username
  3. Choose a password that meets the password policy
  4. Confirm the password
  5. Click Set Password
  6. You can now log in with your username and new password
Reference in New Issue View Git Blame Copy Permalink