Skip to main content

Store keys in files

You can generate a private and public key pair and store it in files.

The following command generates a key pair in the and new.key files. Provide the passwords at the interactive prompt that displays. Alternatively, leave the password empty to create an unencrypted (unlocked) private key file.

Security warning

Don't use unlocked private key files in production environments, as the private keys are exposed.

tessera -keygen -filename new

Generate multiple key pairs by providing a comma-separated list of values:

tessera -keygen -filename /path/to/key1,/path/to/key2

You can use the following command to automatically generate an unlocked private key file.

tessera -keygen -filename new < /dev/null

You can configure Tessera to use file-based keys.

Update password protected private keys

You can update the password of a file-based private key using the --keys.keyData.privateKeyPath command line option.

Run any of the following commands to set a new password:

  • Add a password to an unlocked key:
tessera -updatepassword --keys.keyData.privateKeyPath /path/to/.key
  • Change the password of a locked key. This requires providing the current password for the key (either inline or as a file):
tessera -updatepassword --keys.keyData.privateKeyPath /path/to/.key --keys.passwords <password>
  • Use different Argon2 options from the defaults when updating the password. You only need to provide options if you wish to override their defaults:
tessera --keys.keyData.privateKeyPath <path to keyfile> <algorithm> <iterations> <memory> <parallelism>