# Key Management

## How keys work
Cipher manages keys in an embedded SQLite store (~/.mdstn/cipher.db by default). Private keys are
Argon2id-wrapped at rest and never stored raw. The first time you encrypt, a default key is
generated automatically; you can also create keys explicitly.
Two key types are supported:

- X25519 (default) — an asymmetric keypair, used for recipient-based encryption and CKD.
- AES-256 (`--type aes256`) — a symmetric key, useful for encrypting files for yourself.
## List your keys

```sh
mdstn-cipher keys list
```

## Create a key

```sh
mdstn-cipher keys create --alias project-key --expires-in 90d
```

| Flag | Type | Default | Description |
|---|---|---|---|
| `--type` | string | `x25519` | Key type: `x25519` or `aes256` |
| `--alias` | string | — | Human-friendly alias for the key |
| `--expires-in` | duration | — | Lifetime, e.g. `30d`, `4w`, `720h` |
| `--expires-at` | RFC3339 | — | Absolute expiry, e.g. `2026-12-31T00:00:00Z` |
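As an added scripting helper (not part of mdstn-cipher itself), the snippet below converts the duration forms shown in the table into seconds and pins a key's `--expires-at` to a fixed rotation window, so keys created on different days expire together and a single `check-expiry` run catches the whole batch. It assumes GNU `date -d` and that the CLI accepts only the `h`/`d`/`w` suffixes shown above; the alias and dates in the usage comment are hypothetical.

```sh
# Added example, not part of mdstn-cipher. Assumes GNU date (-d) and that the
# CLI accepts only the h/d/w duration suffixes shown in the flag table.

# duration_to_seconds 90d -> 7776000 (rejects anything but <digits><h|d|w>)
duration_to_seconds() {
  dur=$1
  n=${dur%?}
  unit=${dur#"$n"}
  case "$n" in
    ''|*[!0-9]*) echo "bad duration: $dur" >&2; return 1 ;;
  esac
  case "$unit" in
    h) echo $((n * 3600)) ;;
    d) echo $((n * 86400)) ;;
    w) echo $((n * 604800)) ;;
    *) echo "bad duration unit: $dur" >&2; return 1 ;;
  esac
}

# rfc3339_after <rfc3339-base> <duration> -> absolute expiry for --expires-at
rfc3339_after() {
  base_epoch=$(date -u -d "$1" +%s) || return 1
  secs=$(duration_to_seconds "$2") || return 1
  date -u -d "@$((base_epoch + secs))" +%Y-%m-%dT%H:%M:%SZ
}

# Create a key whose expiry is pinned to the start of a rotation window rather
# than "now + duration": every key in the window expires at the same instant,
# which keeps the cron-driven check-expiry scan and the rotation simple.
create_key_for_window() {
  alias=$1; window_start=$2; lifetime=$3
  expires_at=$(rfc3339_after "$window_start" "$lifetime") || return 1
  mdstn-cipher keys create --alias "$alias" --expires-at "$expires_at"
}

# Usage (hypothetical alias and window):
#   create_key_for_window project-key-2026q1 2026-01-01T00:00:00Z 90d
```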
## Alias, export, and delete

```sh
# Assign an alias to an existing key
mdstn-cipher keys alias <key-id> project-key

# Export a key (PEM by default, or raw bytes); the output file holds key
# material outside the wrapped store, so restrict its permissions
mdstn-cipher keys export <key-id> --format raw --output key.bin

# Delete a key
mdstn-cipher keys delete <key-id>
```

## Share a key with a teammate

Cipher uses a policy/grant model for sharing managed keys.

```sh
mdstn-cipher share create project-key --with bob@team.com
mdstn-cipher share list
mdstn-cipher share revoke <policy-id> <grantee-id>
```

## Expiry notifications

Scan keys for expiry and record deduplicated notifications (intended for cron/scripts):

```sh
mdstn-cipher check-expiry
```

## Publishing for discovery (CKD)

To let others encrypt for you by email, publish your public key — see CKD.

## Backup and recovery

Export keys and policies to a file, or recover an identity key — see Recovery & Backup.