Key Management
Server Keys
The server's Curve25519 keypair is generated once by `openme init` and stored in `/etc/openme/config.yaml` with mode 0600. The public key is not secret and is safe to share widely; it is embedded in every client config. Only the private half needs protecting.
Rotation: rotating the server keypair invalidates every client config, because each one embeds `server_pubkey`. Run `openme init --force` to regenerate the keypair, then re-provision every client with `openme add`. Clients still holding the old `server_pubkey` cannot knock until they receive a new config, so plan the rotation for a window when that downtime is acceptable.
Client Keys
Each client's Ed25519 keypair is generated by `openme add` on the server. The private key is delivered to the client out-of-band (copy/paste or QR code) and stored on the client in `~/.openme/config.yaml` with mode 0600; the server keeps only the client's public key.
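Both key files are created with mode 0600, but nothing on this page re-checks that later, and a careless `chmod`, a backup restore or a copy through a shared directory can widen the bits. The following Go program is an added example, not openme's own tooling: it checks that each key-bearing file is a regular file (not a symlink) with no group or world permission bits, defaulting to the two paths this page names. The function and variable names are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// checkPrivate verifies that a key-bearing file still has the 0600 mode openme
// sets at creation. It refuses symlinks (so a planted link cannot redirect a
// later read) and anything that is not a regular file, and reports any group
// or world bit as a failure. Ownership is not checked here: that needs a
// platform-specific stat and is left to the caller.
func checkPrivate(path string) error {
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: is a symlink, expected a regular file", path)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file (%v)", path, fi.Mode().Type())
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s: mode %04o grants group/other access, expected 0600", path, perm)
	}
	return nil
}

// defaultPaths are the two files this page lists; ~ is expanded for the
// current user (assumed default; pass explicit paths to override).
func defaultPaths() []string {
	home, err := os.UserHomeDir()
	if err != nil {
		return []string{"/etc/openme/config.yaml"}
	}
	return []string{"/etc/openme/config.yaml", filepath.Join(home, ".openme", "config.yaml")}
}

func main() {
	paths := os.Args[1:]
	if len(paths) == 0 {
		paths = defaultPaths()
	}
	bad := 0
	for _, p := range paths {
		if err := checkPrivate(p); err != nil {
			fmt.Println("FAIL:", err)
			bad++
		} else {
			fmt.Println("ok:  ", p)
		}
	}
	if bad > 0 {
		os.Exit(1)
	}
}
```

Run it as root to cover `/etc/openme/config.yaml`, and as the client user for `~/.openme/config.yaml`; a non-zero exit means at least one file has drifted from 0600.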
Revocation
```bash
sudo openme revoke alice
```

Revocation takes effect immediately; no server restart is required. The client's public key is removed from the server config, so subsequent knocks signed with that key are rejected.
Rotation
```bash
sudo openme revoke alice
sudo openme add alice   # generates a new keypair and prints the new client config
```

The client must replace the private key in their `~/.openme/config.yaml` with the new one. The old key stops working the moment it is revoked, so deliver the new config before the client next needs access.
Expiry
Set an expiry date when adding a client with limited access:
```bash
sudo openme add contractor --expires 2026-06-30T23:59:59Z
```

After the expiry time, knock attempts from that client are silently rejected. The key remains in the config (for audit purposes) but is inactive. Expiry is enforced on the server, so it is only as accurate as the server's clock.
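To make the three operations above concrete, here is an added Go model of the server-side decision they affect. It is an illustration written for this page, not openme's own code, config schema or wire format: the registry structure, the knock payload layout and the function names are assumptions, and only the policy (revoked key removed and rejected, rotated key replaces the old one, expired key kept but inactive) comes from the text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// clientEntry is one client as the server records it (assumed, simplified
// structure; openme's real config schema is not shown on this page).
type clientEntry struct {
	pub     ed25519.PublicKey
	expires *time.Time // nil: never expires
}

// registry stands in for the client section of /etc/openme/config.yaml.
type registry map[string]clientEntry

var (
	errUnknownClient = errors.New("no active key for client (never added or revoked)")
	errExpired       = errors.New("client key has expired")
	errBadSignature  = errors.New("signature does not verify under the registered key")
)

// add models `openme add`: generate an Ed25519 keypair, keep the public half
// on the server, and hand the private half back for out-of-band delivery.
func (r registry) add(name string, expires *time.Time) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r[name] = clientEntry{pub: pub, expires: expires}
	return priv, nil
}

// revoke models `openme revoke`: the public key is removed, so nothing can
// verify against it any more. It is effective on the very next knock.
func (r registry) revoke(name string) { delete(r, name) }

// rotate is revoke followed by add, the sequence the Rotation section shows.
func (r registry) rotate(name string) (ed25519.PrivateKey, error) {
	r.revoke(name)
	return r.add(name, nil)
}

// buildPayload is the (assumed) byte string a client signs for a knock.
// Freshness/replay checks are outside what this page covers and are omitted.
func buildPayload(name string, now time.Time) []byte {
	return []byte(name + "|" + now.UTC().Format(time.RFC3339))
}

// accept is the server-side decision: unknown/revoked -> reject; strictly
// after expiry -> reject (entry kept for audit); otherwise the signature must
// verify under the registered public key.
func (r registry) accept(name string, payload, sig []byte, now time.Time) error {
	e, ok := r[name]
	if !ok {
		return errUnknownClient
	}
	if e.expires != nil && now.After(*e.expires) {
		return errExpired
	}
	if !ed25519.Verify(e.pub, payload, sig) {
		return errBadSignature
	}
	return nil
}

func must(priv ed25519.PrivateKey, err error) ed25519.PrivateKey {
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	r := registry{}
	now := time.Date(2026, 1, 1, 12, 0, 0, 0, time.UTC)

	// Provision alice, knock once, then rotate: the old key is dead, the new one works.
	oldPriv := must(r.add("alice", nil))
	payload := buildPayload("alice", now)
	fmt.Println("alice, original key:        ", r.accept("alice", payload, ed25519.Sign(oldPriv, payload), now))
	newPriv := must(r.rotate("alice"))
	fmt.Println("alice, old key after rotate:", r.accept("alice", payload, ed25519.Sign(oldPriv, payload), now))
	fmt.Println("alice, new key after rotate:", r.accept("alice", payload, ed25519.Sign(newPriv, payload), now))

	// Revoke outright: no entry, so no verification is even attempted.
	r.revoke("alice")
	fmt.Println("alice, revoked:             ", r.accept("alice", payload, ed25519.Sign(newPriv, payload), now))

	// Contractor with an expiry: accepted before, rejected after, entry retained.
	exp := time.Date(2026, 6, 30, 23, 59, 59, 0, time.UTC)
	cPriv := must(r.add("contractor", &exp))
	cPayload := buildPayload("contractor", now)
	fmt.Println("contractor, before expiry:  ", r.accept("contractor", cPayload, ed25519.Sign(cPriv, cPayload), now))
	fmt.Println("contractor, after expiry:   ", r.accept("contractor", cPayload, ed25519.Sign(cPriv, cPayload), exp.Add(time.Second)))
	_, kept := r["contractor"]
	fmt.Println("contractor entry kept for audit:", kept)
}
```

The point the model makes visible is that rotation is not a single step from the server's side: between `revoke` and the client receiving the new private key, every knock from that client fails with a bad signature, and a key with an expiry fails without any verification being attempted once the server's clock passes the timestamp.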
QR Code Security
A QR code generated with `openme add --qr` contains the client's private key. Treat it with the same care as a password:
- Show it briefly and do not store the image on shared systems
- Use `--no-privkey` to generate a QR code that contains only the server info; the mobile device then generates its own keypair and you register its public key separately
Backup
The minimum set of files to back up:
| File | Contains | Sensitivity |
|---|---|---|
| `/etc/openme/config.yaml` | Server private key + all client public keys | High |
| `~/.openme/config.yaml` | Client private key | High |
Back up both files to encrypted storage, and restore them with the same 0600 mode. Losing the server config loses the server private key and every client public key with it, which means re-running `openme init` and re-provisioning all clients with new keys.