Key Governance.
Every attestation your organization issues is cryptographically signed with a private key. Key Governance gives you full control over those signing keys — from creation and rotation to compromise response and retirement — with every action recorded in an immutable audit trail.
Why Key Governance Matters
In traditional certificate systems, a compromised key means every credential it ever signed is suspect. Truthlocks takes a different approach: every key has a lifecycle, every lifecycle event is publicly auditable, and compromise recovery is built into the platform from day one.
Automatic Key Rotation
Schedule rotation on your terms — 30 days, 90 days, or custom intervals. Old keys are gracefully retired while new ones take over seamlessly.
Instant Compromise Response
If a key is compromised, trigger the compromise workflow from the Console. All attestations signed by the compromised key are flagged and replacement keys are generated.
Immutable Audit History
Every key creation, rotation, revocation, and compromise event is recorded with SHA-256 integrity chains in the audit log — tamper-evident and exportable.
The Key Lifecycle
Every signing key follows a governed lifecycle managed through your Console dashboard or the API.
Step 01
Generate
A new Ed25519 signing key pair is generated when you create an issuer. The public key is registered in the Trust Registry; the private key is stored securely in the platform.
Step 02
Rotate
When a rotation is triggered (manually or on schedule), a new key pair is created. The old key is marked as retired with a grace period for in-flight attestations.
Step 03
Revoke / Compromise
If a key is suspected to be compromised, the compromise workflow immediately revokes the key and flags all attestations it signed for re-verification.
Step 04
Retire
Retired keys remain in the audit log for historical verification. Old attestations signed with retired keys are still verifiable via the Transparency Log.
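The four lifecycle steps above, and the verification-time key status check described under Revocation Registry, as an added worked model. This is example code written for this page, not Truthlocks code or its API: the Ed25519 key pair is stood in for with an HMAC-SHA256 secret so the block runs on the Python standard library alone, the key ids, grace period and status strings other than 'key_compromised' are assumptions, and the `key_id` argument to `sign` exists only to model an in-flight signer still holding a retired key.

```python
"""Model of a governed signing-key lifecycle: generate, rotate with a grace
period, compromise, retire, and a verification-time status check.
Added example, not Truthlocks code. Ed25519 is replaced by an HMAC stand-in."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class KeyState(Enum):
    ACTIVE = "active"
    RETIRED = "retired"          # rotated out; grace window for in-flight attestations
    COMPROMISED = "compromised"  # revoked; everything it signed is suspect


@dataclass
class SigningKey:
    key_id: str
    secret: bytes                # stand-in for the Ed25519 private key (assumption)
    created_at: int
    state: KeyState = KeyState.ACTIVE
    retired_at: Optional[int] = None
    grace_seconds: int = 0


@dataclass
class Attestation:
    att_id: str
    key_id: str
    signed_at: int
    payload: bytes
    signature: bytes
    flagged: bool = False


def _mac(secret: bytes, att_id: str, signed_at: int, payload: bytes) -> bytes:
    # Binds the attestation id and signing time into the signed message.
    return hmac.new(secret, f"{att_id}|{signed_at}|".encode() + payload, hashlib.sha256).digest()


class Issuer:
    """One issuer's keys (the registry view) and the attestations it minted."""

    def __init__(self, issuer_id: str, now: int) -> None:
        self.issuer_id = issuer_id
        self.keys: Dict[str, SigningKey] = {}
        self.attestations: List[Attestation] = []
        self.current_key_id = self._generate(now)   # Step 01: Generate

    def _generate(self, now: int) -> str:
        key_id = f"{self.issuer_id}-k{len(self.keys) + 1}"  # assumed id scheme
        self.keys[key_id] = SigningKey(key_id, secrets.token_bytes(32), now)
        return key_id

    def rotate(self, now: int, grace_seconds: int = 7 * 24 * 3600) -> str:
        # Step 02: Rotate. Old key retires but stays on record for verification.
        old = self.keys[self.current_key_id]
        old.state, old.retired_at, old.grace_seconds = KeyState.RETIRED, now, grace_seconds
        self.current_key_id = self._generate(now)
        return self.current_key_id

    def compromise(self, key_id: str, now: int) -> List[str]:
        # Step 03: revoke the key, flag everything it signed, re-key if it was current.
        self.keys[key_id].state = KeyState.COMPROMISED
        flagged = []
        for att in self.attestations:
            if att.key_id == key_id:
                att.flagged = True
                flagged.append(att.att_id)
        if key_id == self.current_key_id:
            self.current_key_id = self._generate(now)
        return flagged

    def sign(self, att_id: str, payload: bytes, now: int, key_id: Optional[str] = None) -> Attestation:
        key = self.keys[key_id or self.current_key_id]
        att = Attestation(att_id, key.key_id, now, payload, _mac(key.secret, att_id, now, payload))
        self.attestations.append(att)
        return att

    def verify(self, att: Attestation) -> str:
        """Key status is checked before the signature: a compromised key's
        signatures prove nothing either way, so the status is what matters."""
        key = self.keys.get(att.key_id)
        if key is None:
            return "unknown_key"
        if key.state is KeyState.COMPROMISED:
            return "key_compromised"
        if not hmac.compare_digest(att.signature, _mac(key.secret, att.att_id, att.signed_at, att.payload)):
            return "bad_signature"
        # Step 04: Retire. Signed while active or within the grace window: still valid.
        if key.state is KeyState.RETIRED and att.signed_at > key.retired_at + key.grace_seconds:
            return "key_retired"
        return "valid"
```

The retired branch is the point of the grace period: an attestation signed before retirement, or within the grace window right after it, verifies normally, while anything signed with the old key after the window is refused, even though the key itself is never deleted from the registry.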
Capabilities
Centralized Key Registry
All public keys for your organization's issuers are registered in the Trust Registry and publicly discoverable for verification. No need to distribute keys manually.
Scheduled Auto-Rotation
Configure automatic key rotation intervals per issuer. The platform generates new keys, updates the registry, and retires old keys with zero downtime.
Compromise Workflow
One-click key compromise declaration from the Console. Triggers immediate revocation, affected attestation flagging, new key generation, and audit event recording.
Revocation Registry
Global, real-time key revocation status. When a verifier checks an attestation, the platform automatically checks whether the signing key is still valid.
Governance Approval Workflows
For organizations requiring multi-party authorization, key operations (rotation, compromise, retirement) can require governance approval before executing.
Full Audit Trail
Every key event — generation, rotation, revocation, compromise — is recorded in the tamper-evident audit log with SHA-256 integrity chains, exportable for compliance.
How It Works in Practice
Here's what happens when an organization suspects a key has been compromised — the most critical moment in key governance.
Admin triggers compromise
An administrator clicks 'Report Key Compromise' in the Console for the affected issuer, or calls POST /v1/issuers/{id}/keys/compromise via the API.
Key is immediately revoked
The platform marks the key as compromised in the Trust Registry. All future verification requests for attestations signed by this key will return a 'key_compromised' status.
Affected attestations are flagged
Every attestation signed by the compromised key is identified. Depending on your configuration, these can be automatically revoked or flagged for manual review.
New key is generated
A fresh key pair is generated and registered in the Trust Registry. The issuer can immediately resume minting attestations with the new key.
Audit event recorded
The entire sequence — compromise declaration, revocation, re-keying — is recorded as a chain of audit events with timestamps and actor attribution.
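The audit side of the sequence above, as an added example of the SHA-256 integrity chain the page describes: each event is hashed together with the previous entry's hash, so an edited, removed or reordered entry breaks every link after it. This is illustrative code, not Truthlocks code; the event names, field layout, actor values and the constructed compromise sequence are all assumptions.

```python
"""Hash-chained audit log with tamper detection and export.
Added example, not Truthlocks code; event schema is assumed."""
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64   # previous-hash value for the first entry


def _digest(prev_hash: str, event: Dict[str, Any]) -> str:
    # Canonical JSON so the same event always hashes the same way on export and re-check.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record(self, action: str, actor: str, key_id: str, ts: int, **details: Any) -> str:
        """Append one event with timestamp and actor attribution; return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "key_id": key_id, "details": details}
        entry_hash = _digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": entry_hash})
        return entry_hash

    def verify(self) -> int:
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def export(self) -> str:
        # Exportable form; an auditor can re-run verify() over the parsed entries.
        return json.dumps(self.entries, indent=2, sort_keys=True)


def record_compromise_sequence(log: AuditLog, actor: str, issuer: str, key_id: str,
                               new_key_id: str, flagged: List[str], t0: int) -> AuditLog:
    """Constructed sequence: declaration, revocation, flagging, re-keying."""
    log.record("key.compromise_declared", actor, key_id, t0, issuer=issuer)
    log.record("key.revoked", "platform", key_id, t0 + 1, reason="compromise")
    log.record("attestations.flagged", "platform", key_id, t0 + 2, ids=flagged)
    log.record("key.generated", "platform", new_key_id, t0 + 3, issuer=issuer, replaces=key_id)
    return log
```

Note what the chain does and does not give you: rewriting an entry and recomputing its own hash still leaves the next entry's `prev` pointing at the old value, so the break is detected one entry later; what it cannot detect is truncation of the most recent entries, which is why an exported chain should be anchored somewhere the log writer cannot rewrite.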
Zero-Compromise Key Management.
Start managing your organization's signing keys with enterprise-grade governance, automated rotation, and instant compromise response.
