Key Management
Tenuo uses a hierarchical key structure to enable secure delegation of authority. This page explains how to manage keys in the dashboard.
Key Hierarchy
                   ┌──────────────┐
                   │   Root Key   │
                   │  (Ed25519)   │
                   └──────┬───────┘
                          │
             ┌────────────┼────────────┐
             ▼            ▼            ▼
        ┌──────────┐ ┌──────────┐ ┌──────────┐
        │ Issuer 1 │ │ Issuer 2 │ │ Issuer 3 │
        └────┬─────┘ └────┬─────┘ └────┬─────┘
             │            │            │
             ▼            ▼            ▼
         Warrants     Warrants     Warrants

Key Types
| Type | Purpose | Created By |
|---|---|---|
| Root | Signs issuer keys, anchor of trust | You (via dashboard/API) |
| Issuer | Signs warrants for agents | Root key |
| Notary | Signs receipts for audit trail | Root key |
Creating Keys
Navigate to Keys
Click Keys in the sidebar, then click Create Key
Select Key Type
Choose Root, Issuer, or Notary
Configure Key
- Name: A descriptive name (e.g., "Production Issuer")
- Parent Key: For issuer/notary keys, select the signing root key
- Expiration: Optional expiration date
Create
Click Create Key. The key is generated and stored securely.
Root keys should be created sparingly. Most organizations need only 1-2 root keys.
Key Operations
View Key Details
Click on any key in the list to view:
- Key ID and fingerprint
- Creation date and expiration
- Parent key (for issuer/notary)
- Child keys signed by this key
- Recent operations
Rotate a Key
Key rotation creates a new key version while maintaining the key ID:
- Click on the key → Rotate
- Confirm the rotation
- The old key version is marked as rotated
- New warrants will use the new key version
Existing warrants signed with the old key version remain valid until they expire or are revoked.
Revoke a Key
Revoking a key invalidates it and all warrants it has signed:
- Click on the key → Revoke
- Enter a revocation reason
- Confirm the revocation
Revoking an issuer key invalidates all warrants signed by that key. Use with caution.
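The following added example is not Tenuo's code, API or wire format. It models the hierarchy above with Go's standard `crypto/ed25519` to show how a verifier that pins only the root key validates a warrant, and why revoking an issuer key invalidates every warrant it signed. The struct layouts, message encodings, the `revoked` set and the key ID `issuer-prod` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Simplified model for illustration; not Tenuo's wire format or API.
type IssuerCert struct {
	KeyID   string
	Pub     ed25519.PublicKey
	RootSig []byte // root key's signature over certMsg(KeyID, Pub)
}

type Warrant struct {
	Payload string
	Expires time.Time
	Issuer  IssuerCert
	Sig     []byte // issuer key's signature over warrantMsg(Payload, Expires)
}

func certMsg(id string, pub ed25519.PublicKey) []byte { return append([]byte(id+"|"), pub...) }
func warrantMsg(p string, exp time.Time) []byte { return []byte(fmt.Sprintf("%d|%s", exp.Unix(), p)) }

// VerifyWarrant walks the chain from the pinned root key down to the warrant.
func VerifyWarrant(root ed25519.PublicKey, w Warrant, revoked map[string]bool, now time.Time) error {
	switch {
	case !ed25519.Verify(root, certMsg(w.Issuer.KeyID, w.Issuer.Pub), w.Issuer.RootSig):
		return fmt.Errorf("issuer key %q is not signed by the trusted root", w.Issuer.KeyID)
	case revoked[w.Issuer.KeyID]: // one revoked issuer rejects all of its warrants
		return fmt.Errorf("issuer key %q is revoked", w.Issuer.KeyID)
	case !ed25519.Verify(w.Issuer.Pub, warrantMsg(w.Payload, w.Expires), w.Sig):
		return fmt.Errorf("warrant signature invalid")
	case !now.Before(w.Expires):
		return fmt.Errorf("warrant expired")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	issPub, issPriv, _ := ed25519.GenerateKey(nil)
	exp := time.Now().Add(time.Hour)
	cert := IssuerCert{"issuer-prod", issPub, ed25519.Sign(rootPriv, certMsg("issuer-prod", issPub))}
	w := Warrant{"read:tickets", exp, cert, ed25519.Sign(issPriv, warrantMsg("read:tickets", exp))}
	fmt.Println(VerifyWarrant(rootPub, w, nil, time.Now()))
	fmt.Println(VerifyWarrant(rootPub, w, map[string]bool{"issuer-prod": true}, time.Now()))
}
```

The revocation check sits on the issuer key rather than on individual warrants, which is why a single revocation has such a wide effect.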
Suspend a Key
Temporarily disable a key without full revocation:
- Click on the key → Suspend
- The key cannot sign new warrants while suspended
- Re-enable with Enable when ready
Key Hierarchy View
The Keys → Hierarchy page shows a visual tree of your key structure:
- See parent-child relationships at a glance
- Identify orphaned or expired keys
- Understand your trust chain
Best Practices
Use separate issuer keys per environment
Create different issuer keys for development, staging, and production. This limits blast radius if a key is compromised.
Set reasonable expiration dates
Root keys can have longer lifetimes (1-2 years). Issuer keys should rotate more frequently (30-90 days).
Monitor key usage
Review the audit log regularly to detect unusual key activity.
Have a rotation plan
Document your key rotation procedures before you need them.