Security
Updated July 14, 2026
A breach of us must not be a breach of you. Keyline is built so our servers cannot read your secrets, and so the claims on this page are verifiable instead of asserted.
1. What our servers hold
Ciphertext, wrapped keys, metadata, and audit events. Nothing else. Encryption and decryption happen on your machines with keys we never receive.
| Purpose | Primitive |
|---|---|
| Secret encryption | AES-256-GCM |
| Workspace key derivation | scrypt |
| Device identity + key wrapping | X25519, HKDF-SHA256 |
All primitives come from Node's built-in crypto. No third-party crypto libraries. The full scheme, including the key hierarchy, recovery paths, and known trade-offs, is public: encryption design document. The source is public too. Read it, don't trust us.
2. Access
- Devices, not passwords. Every CLI session proves possession of a device private key. The key lives in your OS keychain, or a 0600 file where no keychain exists. It never leaves the machine.
- Enrollment is invitation-only. Teammates join with one-time, expiring codes. There is no open signup path onto an existing workspace.
- Per-environment access. A member has no environment access until granted. Grants and revokes take effect immediately: revoking drops tokens, deletes wrapped keys, and marks devices revoked, in one step.
- The dashboard shows metadata only. No secret value ever reaches a browser. Sign-in is approved from a trusted CLI device, or via a single-use email link bound to an enrolled device.
3. Tamper-evident, publicly anchored audit
Every read, write, grant, and revoke lands in a hash-chained audit log. Editing, deleting, or reordering any event breaks the chain. And because a chain alone could in theory be rewritten wholesale, every workspace's chain head is witnessed daily in a public repository: keyline-anchors. The public sees only hashes. The point: history rewrites are detectable, even by us.
4. Platform
- TLS everywhere. HSTS, strict security headers, tight rate limits on auth paths.
- Access tokens are stored hashed and scoped; browser sessions expire in 8 hours.
- Payments run through Paddle as merchant of record. Card data never touches us.
- Error tracking is scrubbed twice: request data is dropped and secret-shaped fields are redacted before anything leaves the process.
5. Where we are honest about maturity
External review: the encryption design has not yet passed an independent security review. Engaging one is our launch gate, and the review packet is public.
SOC 2: we are at the start of a readiness program, not certified. We will state progress here as it happens, not before.
6. Reporting a vulnerability
Found something? We want to know, and we will not take legal action against good-faith research.
- Email support@keyline.sh with
SECURITYin the subject. - We acknowledge within 48 hours and keep you updated until resolution.
- Please give us a reasonable window to fix before public disclosure. We credit reporters unless you prefer otherwise.
- Out of scope: volumetric denial of service, spam, and social engineering of our users.
Machine-readable version: /.well-known/security.txt.