Keypairs & signing
kovra can custody an asymmetric keypair: it generates the key, seals the private half under the vault master key, and never writes the private key to disk or prints it. You operate through kovra — signing, verifying, encrypting, decrypting — without the private key ever leaving the vault.
Generate a keypair
kovra keygen creates the key and shows only the public half. Choose
ed25519 (signing and encryption) or rsa (signing/SSH only):
~ % kovra keygen secret:dev/ssh/deploy --type ed25519
Generated dev/ssh/deploy (ed25519, Medium).
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnM/+Nl+/2Y/uEZNK5Q7ZEdQEMmOGXB6PTQg2hWJaSw
The entry lists with a typed mode of keypair:ed25519. Reprint the public key
any time — this is free and never prompts:
~ % kovra pubkey secret:dev/ssh/deploy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnM/+Nl+/2Y/uEZNK5Q7ZEdQEMmOGXB6PTQg2hWJaSw
Sign and verify
kovra sign signs data from a file or stdin; the signature goes to stdout.
kovra verify checks it. Signing with a high/prod key asks you to
bioProve it; verifying is always free:
~ % printf 'release v1.2.3' | kovra sign secret:dev/ssh/deploy > sig.bin
~ % printf 'release v1.2.3' | kovra verify secret:dev/ssh/deploy --signature sig.bin
OK: signature is valid
Verification also works against a public-only entry — a peer’s public key you
stored with kovra add --public-key (it holds no private half), so you can verify
a colleague’s signatures without their private key.
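Before storing a colleague's public key with kovra add --public-key, it is worth checking that the line is structurally a valid OpenSSH key and comparing its SHA256 fingerprint with the colleague out of band. The following is an added example, not part of kovra, that does both with the Python standard library; the key line it parses is the one printed by kovra pubkey above, and the parse_ssh_pubkey / fingerprint names are this example's own.

```python
import base64
import hashlib
import struct

def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (4-byte big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_pubkey(line: str) -> tuple[str, bytes]:
    """Parse an OpenSSH public-key line ('<type> <base64> [comment]').

    The base64 blob is a sequence of wire-format strings: the key type
    again, then the key material. Returns (type, raw_key) for ed25519
    and raises ValueError on any structural mismatch.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, off = _read_string(blob, 0)
    if embedded_type.decode("ascii", "strict") != declared_type:
        raise ValueError("key type inside blob does not match declared type")
    key, off = _read_string(blob, off)
    if declared_type == "ssh-ed25519":
        if len(key) != 32 or off != len(blob):
            raise ValueError("ed25519 public key must be exactly 32 bytes")
    return declared_type, key

def fingerprint(line: str) -> str:
    """SHA256 fingerprint of the key blob, in the form ssh-keygen -lf prints."""
    parse_ssh_pubkey(line)  # reject malformed input before fingerprinting
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Public key line shown by `kovra pubkey secret:dev/ssh/deploy` in the text above.
DEPLOY_PUBKEY = ("ssh-ed25519 "
                 "AAAAC3NzaC1lZDI1NTE5AAAAIDnM/+Nl+/2Y/uEZNK5Q7ZEdQEMmOGXB6PTQg2hWJaSw")

if __name__ == "__main__":
    ktype, raw = parse_ssh_pubkey(DEPLOY_PUBKEY)
    print(ktype, len(raw), fingerprint(DEPLOY_PUBKEY))
```

Compare the printed fingerprint with the one the colleague reads out from ssh-keygen -lf on their side; a mismatch means the line was altered in transit and must not be added to the vault.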
Encrypt and decrypt
For an ed25519 keypair, kovra can also encrypt to the public key and decrypt
with the private key (an age-based sealed box). Encrypting is free;
decrypting with a high/prod key asks you to bioProve it:
~ % printf 'a short secret note' | kovra encrypt secret:dev/ssh/deploy > ct.bin
~ % kovra decrypt secret:dev/ssh/deploy ct.bin
a short secret note
RSA keypairs sign and verify (and work as SSH keys) but do not support
encryption — use ed25519 when you need sealing.
Why this matters
The private key is generated inside the vault and never materializes on disk or in your shell. An agent or a script can ask kovra to use the key — sign a release, open a sealed message — but cannot exfiltrate it, and every use of a sensitive key is gated and audited. For loading a key into an SSH session, see the governed ssh-agent.