Key Management
Server Keys
The server’s Curve25519 keypair is generated once by openme init and stored in /etc/openme/config.yaml at 0600. The public key is safe to share widely — it is embedded in every client config.
Rotation: If you rotate the server keypair, every client needs the new server_pubkey in its config. Back up the existing config first, then use openme init --force to regenerate the keys and re-provision all clients with openme add. Until a client has been re-provisioned, its knocks are rejected.
Client Keys
Each client’s Ed25519 keypair is generated by openme add on the server. The private key is delivered out-of-band (copy/paste or QR code) and stored in ~/.openme/config.yaml at 0600.
Revocation
```bash
sudo openme revoke alice
```
Takes effect immediately — no server restart required. The client’s public key is removed from the server config and subsequent knock attempts are rejected.
Rotation
```bash
sudo openme revoke alice
sudo openme add alice   # generates new keypair, prints new client config
```
The client must update their ~/.openme/config.yaml with the new private key.
Expiry
Set an expiry date when adding a client with limited access:
```bash
sudo openme add contractor --expires 2026-06-30T23:59:59Z
```
The timestamp is UTC (note the trailing Z). After the expiry date, knock attempts from that client are silently rejected. The key remains in the config (for audit purposes) but is inactive.
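The revoke-then-add rotation above, combined with the expiry option, is the kind of step that is easy to get half right (old config not snapshotted, new client config pasted into a world-readable file). The script below is an added example, not openme's own code. It assumes that `openme add NAME [--expires TS]` prints the new client config on stdout (the page says it "prints new client config" but does not show the format), and the `OPENME`, `OPENME_CONFIG` and `OPENME_OUTDIR` variables are this script's own overrides, not openme options.

```shell
#!/bin/sh
# Added example (not openme's own code): rotate one client's key after
# snapshotting the server config, capturing the printed client config
# into a 0600 file. Assumptions beyond what the page states:
#   - `openme add NAME [--expires TS]` prints the new client config on stdout
#   - OPENME, OPENME_CONFIG, OPENME_OUTDIR are this script's overrides
set -eu

OPENME="${OPENME:-openme}"
OPENME_CONFIG="${OPENME_CONFIG:-/etc/openme/config.yaml}"
OPENME_OUTDIR="${OPENME_OUTDIR:-/root/openme-clients}"

# valid_expiry TS: accept only the UTC form the page uses, YYYY-MM-DDTHH:MM:SSZ
valid_expiry() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# backup_config: copy the server config aside before revoke/add rewrite it.
# Prints the path of the copy, which keeps the 0600 mode of the original.
backup_config() {
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    bak="${OPENME_CONFIG}.${ts}.bak"
    cp -p "$OPENME_CONFIG" "$bak"
    chmod 0600 "$bak"
    printf '%s\n' "$bak"
}

# rotate_client NAME [EXPIRES]
# Revokes the old key, generates a new one and captures the printed client
# config in OPENME_OUTDIR/NAME.yaml with mode 0600. Prints that path; the
# file still has to be delivered to the client out-of-band and then deleted.
rotate_client() {
    name=$1
    expires=${2:-}
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*)
            echo "rotate_client: refusing client name '$name'" >&2
            return 2 ;;
    esac
    if [ -n "$expires" ] && ! valid_expiry "$expires"; then
        echo "rotate_client: expiry must look like 2026-06-30T23:59:59Z" >&2
        return 2
    fi
    backup_config >/dev/null
    mkdir -p "$OPENME_OUTDIR"
    chmod 0700 "$OPENME_OUTDIR"
    cfg="$OPENME_OUTDIR/$name.yaml"
    "$OPENME" revoke "$name"
    # umask 077 in a subshell so the file is 0600 from the moment it is created
    (
        umask 077
        if [ -n "$expires" ]; then
            "$OPENME" add "$name" --expires "$expires"
        else
            "$OPENME" add "$name"
        fi > "$cfg"
    )
    printf '%s\n' "$cfg"
}
```

Run it as root on the server, as the page's sudo commands imply: `rotate_client alice 2026-06-30T23:59:59Z` prints the path of the captured client config. Deliver that file's contents over the same out-of-band channel used for a first-time `openme add`, then delete it; it holds the client's new private key.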
QR Code Security
A QR code generated with openme add --qr contains the client’s private key. Treat it with the same care as a password:
- Show it briefly and do not store the image on shared systems
- Use `--no-privkey` to generate a QR that contains only the server info; the mobile device then generates its own keypair and you register the public key separately
Backup
The minimum set of files to back up:
| File | Contains | Sensitivity |
|---|---|---|
| /etc/openme/config.yaml | Server private key + all client public keys | High |
| ~/.openme/config.yaml | Client private key | High |
Back up both files to encrypted storage. Loss of the server config means regenerating all client keys.
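Before either file goes into a backup it is worth confirming it is still private (owned by you, mode exactly 0600) rather than quietly archiving a key that has already leaked through a loose permission. The script below is an added example, not openme's own code: the page names the two files and says "encrypted storage" without naming a tool, so the choice of `gpg --symmetric` is this script's own.

```shell
#!/bin/sh
# Added example (not openme's own code): check that each key file is still
# private before it goes into a backup, then encrypt the archive. gpg
# --symmetric is this script's choice; the page names no tool.
set -eu

# check_key_file PATH
# 0 only if PATH is a regular file owned by the invoking user with mode
# exactly 0600 (POSIX find -perm without a leading '-' is an exact match).
check_key_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "check_key_file: not a regular file: $f" >&2
        return 1
    fi
    if [ -z "$(find "$f" -user "$(id -un)" -perm 600 -print)" ]; then
        echo "check_key_file: $f must be owned by $(id -un) with mode 0600" >&2
        return 1
    fi
    return 0
}

# backup_openme DEST [FILE...]
# Verifies every FILE with check_key_file, then streams them through tar
# into a passphrase-encrypted gpg file so no plaintext archive is written.
# Defaults to the two files the page lists; on a pure server or pure client
# pass only the one that exists there. DEST must not already exist.
backup_openme() {
    dest=$1
    shift
    [ $# -gt 0 ] || set -- /etc/openme/config.yaml "$HOME/.openme/config.yaml"
    for f in "$@"; do
        check_key_file "$f"
    done
    (
        umask 077
        tar -cf - "$@" | gpg --symmetric --output "$dest"
    )
    # the backup holds private keys too, so hold it to the same standard
    check_key_file "$dest"
}
```

Typical use on the server is `backup_openme /root/openme-$(date -u +%Y%m%d).tar.gpg /etc/openme/config.yaml`, after which the `.tar.gpg` file is what goes to the encrypted backup location. Restoring it still means redistributing nothing: the server private key and client public keys come back exactly as they were, so existing client configs keep working.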