Set up TigerMole Team
Configure signed audit logs, ENC2 encryption and owner labels across your Team seats.
1. What Team adds
The Team tier adds an ED25519-signed audit chain, ENC2 encryption with your own X25519 key, JSON export, per-seat owner labels and optional value capture.
Protection remains local: prompts and masked secrets are never sent to TigerMole.
2. Activate the license
Use the same Team key on every machine. During activation, assign a readable owner label such as alice-laptop or runner-ci-01.
On Linux, the wizard requires an audit public key for Team or Custom licenses. On Windows you can import it during installation or later from the tray.
tigermole-proxy activate "$TIGERMOLE_LICENSE_KEY"
tigermole-proxy import-audit-key /path/to/team.pub
3. Generate the audit pair
Generate the pair once from the key tool. Distribute the public key (.pub) to machines; keep the private key in a vault or HSM and never share it.
You can also generate it on a secure machine:
tigermole-proxy keygen
4. Distribute and verify
Distribute the public key through your MDM or Ansible and import it before starting the proxy. Verify that every machine uses the same public key and that each label identifies its owner.
tigermole-proxy verify-keys --pub team.pub
PASS confirms the expected key format. If you see a curve error, check that the key is X25519: Ed25519 signs, but it cannot encrypt ENC2 logs.
5. Optional value capture
Value capture (audit_include_values) keeps the original value only inside an ENC2 line encrypted with your public key. Without a valid audit key, the value is discarded and only event metadata remains.
Enable it from the tray and restart the proxy. Confirm that your retention and access policy covers these values before enabling it.
Next step
Read the audit-key lifecycle and the complete encrypted-log flow.