Every attestation your organization issues is cryptographically signed with a private key. Key Governance gives you full control over those signing keys — from creation and rotation to compromise response and retirement — with every action recorded in an immutable audit trail.
In traditional certificate systems, a compromised key means every credential it ever signed is suspect. Truthlocks takes a different approach: every key has a lifecycle, every lifecycle event is publicly auditable, and compromise recovery is built into the platform from day one.
Automatic Key Rotation
Schedule rotation on your terms — 30 days, 90 days, or custom intervals. Old keys are gracefully retired while new ones take over seamlessly.
Instant Compromise Response
If a key is compromised, trigger the compromise workflow from the Console. All attestations signed by the compromised key are flagged and replacement keys are generated.
Immutable Audit History
Every key creation, rotation, revocation, and compromise event is recorded with SHA-256 integrity chains in the audit log — tamper-evident and exportable.
Every signing key follows a governed lifecycle managed through your Console dashboard or the API.
Step 01
A new Ed25519 signing key pair is generated when you create an issuer. The public key is registered in the Trust Registry; the private key is stored securely in the platform.
Step 02
When a rotation is triggered (manually or on schedule), a new key pair is created. The old key is marked as retired with a grace period for in-flight attestations.
Step 03
If a key is suspected to be compromised, the compromise workflow immediately revokes the key and flags all attestations it signed for re-verification.
Step 04
Retired keys remain in the audit log for historical verification. Old attestations signed with retired keys are still verifiable via the Transparency Log.
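The four lifecycle steps above, modelled in Go as an added example (this is not Truthlocks code and assumes nothing about the platform's internals): an in-memory issuer with an Ed25519 key pair, a map standing in for the Trust Registry, rotation that retires the old key with a grace window, a compromise workflow that flags every attestation the key signed and re-keys the issuer, and a verifier that checks the signature before the key's registry status. The type names, status strings and grace-period semantics are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Lifecycle states a registry entry can be in (assumed names).
const KeyActive, KeyRetired, KeyCompromised = "active", "retired", "compromised"

// SigningKey is one Ed25519 pair; only Public would be published in the Trust Registry.
type SigningKey struct {
	ID, State  string
	Public     ed25519.PublicKey
	private    ed25519.PrivateKey // stays with the issuer/platform
	GraceUntil time.Time          // a retired key may still sign in-flight work until then
}

// Attestation is a payload, its signature, and the ID of the key that signed it.
type Attestation struct {
	KeyID        string
	Payload, Sig []byte
	Flagged      bool // set when the signing key is later declared compromised
}

type Issuer struct {
	Current *SigningKey
	Keys    map[string]*SigningKey // stand-in for the public Trust Registry
	Issued  []*Attestation
}

// NewKey generates a fresh Ed25519 pair, registers it and makes it current (step 01).
func (iss *Issuer) NewKey() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if iss.Keys == nil {
		iss.Keys = map[string]*SigningKey{}
	}
	iss.Current = &SigningKey{ID: fmt.Sprintf("%x", pub[:8]), State: KeyActive, Public: pub, private: priv}
	iss.Keys[iss.Current.ID] = iss.Current
	return nil
}

// Sign issues an attestation with the named key: an active key always signs, a
// retired key only inside its grace window, a compromised key never.
func (iss *Issuer) Sign(keyID string, payload []byte, now time.Time) (*Attestation, error) {
	k, ok := iss.Keys[keyID]
	if !ok || k.State == KeyCompromised || (k.State == KeyRetired && now.After(k.GraceUntil)) {
		return nil, fmt.Errorf("key %s is not allowed to sign", keyID)
	}
	a := &Attestation{KeyID: k.ID, Payload: payload, Sig: ed25519.Sign(k.private, payload)}
	iss.Issued = append(iss.Issued, a)
	return a, nil
}

// Rotate registers a new current key and retires the old one with a grace period (step 02).
func (iss *Issuer) Rotate(now time.Time, grace time.Duration) error {
	old := iss.Current
	if err := iss.NewKey(); err != nil {
		return err
	}
	old.State, old.GraceUntil = KeyRetired, now.Add(grace)
	return nil
}

// Compromise revokes a key, flags what it signed, re-keys if it was current (step 03).
func (iss *Issuer) Compromise(keyID string) (int, error) {
	k, ok := iss.Keys[keyID]
	if !ok {
		return 0, fmt.Errorf("unknown key %s", keyID)
	}
	k.State = KeyCompromised
	flagged := 0
	for _, a := range iss.Issued {
		if a.KeyID == keyID {
			a.Flagged, flagged = true, flagged+1
		}
	}
	if iss.Current.ID == keyID {
		return flagged, iss.NewKey()
	}
	return flagged, nil
}

// Verify checks the signature, then the registry status: a valid signature by a
// compromised key reports "key_compromised"; a retired key still verifies (step 04).
func (iss *Issuer) Verify(a *Attestation) string {
	k, ok := iss.Keys[a.KeyID]
	switch {
	case !ok:
		return "unknown_key"
	case !ed25519.Verify(k.Public, a.Payload, a.Sig):
		return "bad_signature"
	case k.State == KeyCompromised:
		return "key_compromised"
	}
	return "ok"
}
```

Note the order inside Verify: a signature made by a compromised key is still mathematically valid, so the registry status check must run after the signature check and override its result. A verifier that stops at ed25519.Verify would keep accepting attestations the issuer has already disowned, which is the failure the registry lookup on every verification request is meant to prevent.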
All public keys for your organization's issuers are registered in the Trust Registry and publicly discoverable for verification. No need to distribute keys manually.
Configure automatic key rotation intervals per issuer. The platform generates new keys, updates the registry, and retires old keys with zero downtime.
One-click key compromise declaration from the Console. Triggers immediate revocation, affected attestation flagging, new key generation, and audit event recording.
Global, real-time key revocation status. When a verifier checks an attestation, the platform automatically checks whether the signing key is still valid.
For organizations requiring multi-party authorization, key operations (rotation, compromise, retirement) can require governance approval before executing.
Every key event — generation, rotation, revocation, compromise — is recorded in the tamper-evident audit log with SHA-256 integrity chains, exportable for compliance.
Here's what happens when an organization suspects a key has been compromised — the most critical moment in key governance.
An administrator clicks 'Report Key Compromise' in the Console for the affected issuer, or calls POST /v1/issuers/{id}/keys/compromise via the API.
The platform marks the key as compromised in the Trust Registry. All future verification requests for attestations signed by this key will return a 'key_compromised' status.
Every attestation signed by the compromised key is identified. Depending on your configuration, these can be automatically revoked or flagged for manual review.
A fresh key pair is generated and registered in the Trust Registry. The issuer can immediately resume minting attestations with the new key.
The entire sequence — compromise declaration, revocation, re-keying — is recorded as a chain of audit events with timestamps and actor attribution.
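A minimal tamper-evident log of the kind the feature list describes and this compromise sequence is recorded in, as an added example in Go (not Truthlocks code): each event carries the SHA-256 hash of the previous entry plus its own hash, Verify walks the chain from an all-zero genesis hash and reports where it first breaks, and the events in main are constructed sample data for the declare, flag, re-key sequence. The field names, action strings and JSON canonicalisation are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is one entry in the log. Hash covers PrevHash and every other
// field, so altering or removing an earlier entry breaks every later hash.
type AuditEvent struct {
	Seq      int       `json:"seq"`
	At       time.Time `json:"at"`
	Actor    string    `json:"actor"`
	Action   string    `json:"action"` // assumed names: key.compromised, key.generated, ...
	KeyID    string    `json:"key_id"`
	Detail   string    `json:"detail"`
	PrevHash string    `json:"prev_hash"`
	Hash     string    `json:"hash"`
}

// AuditLog is an append-only chain of events.
type AuditLog struct {
	Events []AuditEvent
}

// genesisHash anchors the chain: the first event links to 32 zero bytes.
var genesisHash = hex.EncodeToString(make([]byte, 32))

// hashEvent is SHA-256 over the event's JSON with its own Hash field cleared,
// so the digest covers PrevHash and all recorded fields in a fixed order.
func hashEvent(e AuditEvent) (string, error) {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Append records an event, linking it to the previous entry's hash.
func (l *AuditLog) Append(at time.Time, actor, action, keyID, detail string) (AuditEvent, error) {
	prev := genesisHash
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := AuditEvent{Seq: len(l.Events), At: at, Actor: actor, Action: action, KeyID: keyID, Detail: detail, PrevHash: prev}
	h, err := hashEvent(e)
	if err != nil {
		return e, err
	}
	e.Hash = h
	l.Events = append(l.Events, e)
	return e, nil
}

// Verify walks the chain from genesis and returns the index of the first entry
// whose sequence, link or hash does not check out, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := genesisHash
	for i, e := range l.Events {
		h, err := hashEvent(e)
		if err != nil || e.Seq != i || e.PrevHash != prev || e.Hash != h {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Export serialises the log for a reviewer, who can re-run Verify on the copy.
func (l *AuditLog) Export() ([]byte, error) {
	return json.MarshalIndent(l.Events, "", "  ")
}

func main() {
	// Constructed sample: the compromise sequence described on the page.
	var al AuditLog
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	al.Append(t0, "admin@example.test", "key.compromised", "key-A", "declared via Console")
	al.Append(t0.Add(time.Second), "platform", "attestations.flagged", "key-A", "all attestations signed by key-A flagged")
	al.Append(t0.Add(2*time.Second), "platform", "key.generated", "key-B", "replacement for key-A")
	fmt.Println("intact log, first bad index:", al.Verify())
	al.Events[1].Detail = "nothing flagged" // tamper with a copy after export
	fmt.Println("tampered log, first bad index:", al.Verify())
}
```

Because each hash covers the predecessor's hash, editing an entry and recomputing only its own hash still breaks the next entry's link; rewriting history unnoticed would require rewriting every later entry as well. That is why the most recent hash of an exported log is worth keeping somewhere the system that writes the log cannot reach.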
Start managing your organization's signing keys with enterprise-grade governance, automated rotation, and instant compromise response.