Manage audit keys
Generate, distribute, rotate and protect the X25519 key that encrypts your Team audit logs.
X25519, not Ed25519
TigerMole uses X25519 to encrypt ENC2 logs. Ed25519 is a different signing curve: it verifies chain integrity, but it is not an encryption-key replacement.
For a browser-generated key, use the key tool. The private key is generated in the browser and never leaves that tab.
Accepted formats
SPKI PEM (.pub) is recommended. The proxy also accepts 32 raw bytes, 64 hexadecimal characters or Base64 encoding of 32 bytes.
tigermole-proxy keygen
tigermole-proxy import-audit-key /path/to/team.pub
tigermole-proxy verify-keys --pub team.pub
Rotation
To rotate a key:
- Generate the new pair on a secure machine.
- Keep the old private key for historical logs.
- Import the new public key on every machine.
- Verify each installation before retiring the old public key.
Old logs remain encrypted to the previous key. Do not delete that private key until its retention period is complete.
Lost private keys
ENC2 logs encrypted to a lost private key are unrecoverable by design. TigerMole never has a copy. Generate a new pair, rotate the public key and document the affected history.
Decrypting
The decryptor tool runs in the browser and can be used offline after loading. The private key and logs stay in the tab.