Docs · Audit security

Manage audit keys

Generate, distribute, rotate and protect the X25519 key that encrypts your Team audit logs.

X25519, not Ed25519

TigerMole uses X25519 to encrypt ENC2 logs. Ed25519 is a different signing curve: it verifies chain integrity, but it is not an encryption-key replacement.

For a browser-generated key, use the key tool. The private key is generated in the browser and never leaves that tab.

Accepted formats

SPKI PEM (.pub) is recommended. The proxy also accepts 32 raw bytes, 64 hexadecimal characters or Base64 encoding of 32 bytes.

tigermole-proxy keygen
tigermole-proxy import-audit-key /path/to/team.pub
tigermole-proxy verify-keys --pub team.pub

Rotation

To rotate a key:

  1. Generate the new pair on a secure machine.
  2. Keep the old private key for historical logs.
  3. Import the new public key on every machine.
  4. Verify each installation before retiring the old public key.

Old logs remain encrypted to the previous key. Do not delete that private key until its retention period is complete.

Lost private keys

ENC2 logs encrypted to a lost private key are unrecoverable by design. TigerMole never has a copy. Generate a new pair, rotate the public key and document the affected history.

Decrypting

The decryptor tool runs in the browser and can be used offline after loading. The private key and logs stay in the tab.

Set up TeamAudit-log flow

Your privacy, your choice

We use essential cookies to keep the site working, and — only with your consent — analytics and advertising cookies. Read our Privacy Policy.