Skip to main content

KeyNanny

KeyNanny

Protection of system credentials – encrypted, HSM-capable and seamlessly integrated into Unix environments.

KeyNanny reliably protects infrastructure credentials such as database or service passwords, web server keys and API tokens from unauthorised access. Instead of storing sensitive information in plain text in configuration files, KeyNanny stores all secrets encrypted – and makes them available transparently to authorised processes via a Unix socket.

KeyNanny combines proven Unix operating system mechanisms, clever cryptographic key management and the cryptographic standard CMS/PKCS#7 to keep sensitive information out of persistently stored files – without requiring existing applications to be modified.

Request information

KeyNanny: Highlights

No more plain-text credentials: Access data is stored exclusively encrypted on disk. Values held in memory are only accessible to authorised processes via a Unix socket.

HSM support: The encryption keys of KeyNanny can optionally be protected as software keys on disk or in a hardware security module (HSM) via PKCS#11 – for maximum security in regulated environments.

No modification of existing applications required: Via a configuration file templating mechanism, applications that do not have native KeyNanny support can be transparently provisioned with protected credentials.

Features

  • Encrypted credential storage – All access data is persistently stored encrypted using CMS/PKCS#7 (AES-256). The encrypted files are not sensitive and can also be stored world-readable; the protection lies in the key, not the file.

  • Unix socket-based access – KeyNanny communicates exclusively via Unix Domain Sockets. Access is controlled via Unix file permissions – without additional network exposure. Each KeyNanny instance runs as the same Unix user as the accessing application.

  • Multi-instance architecture – Any number of parallel KeyNanny daemon processes (keynannyd) can be operated – one instance per application or namespace, with its own socket, its own user and its own set of credentials.

  • HSM integration via PKCS#11 – The encryption keys used by KeyNanny can be held in hardware security modules (HSMs).

  • Configuration file templating – Applications that require plain-text configuration files are provided via a template mechanism: on startup, a configuration with placeholders is rendered against KeyNanny values and written to a tmpfs directory. The application reads a complete, normal configuration – without ever leaving a password in the file system.

  • Secure credential transmission – Via an optional, easy-to-set-up web interface, passwords can be securely exchanged between administrators of different operator groups: the values are transmitted directly encrypted with the KeyNanny certificate, without ever passing over the network in plain text.

  • Automatic key rollover – Any number of generations of encryption certificates can be configured. KeyNanny automatically selects the currently valid encryption certificate for newly encrypted data; old data remains readable. A rekeying mechanism for all data facilitates cleanup when required.

  • Native OpenXPKI integration – Via the KeyNanny connector, credentials are integrated directly into OpenXPKI configurations. Database passwords, LDAP credentials and other secrets are read from KeyNanny without appearing in plain text in the OpenXPKI configuration.

  • Separation of responsibilities – Developers, service operators and operations administrators have clearly separated roles: developers maintain configuration templates without knowledge of production passwords; service operators can set service passwords without operations administrators being able to read them.

Use Cases

  • PKI infrastructure (OpenXPKI) – KeyNanny is the recommended credential store for OpenXPKI Enterprise Edition. Database passwords, LDAP bind credentials and other access data are sourced from KeyNanny. Integration is via the native KeyNanny::Connector without changes to the OpenXPKI application itself. Combined with an HSM, the encryption keys are modularly protected.

  • Web server key protection – Private keys for TLS certificates of web servers (e.g. Apache) no longer need to be available in plain text at startup. KeyNanny delivers the key passphrase directly to Apache via the SSLPassPhraseDialog mechanism – the private key is then only held with HSM protection.

  • Database credentials – Technical database users and their passwords are stored encrypted in KeyNanny. A password change requires no modification of configuration files or deployments.

  • Development and CI/CD – Configuration templates with KeyNanny placeholders can be safely versioned in Git repositories. Production passwords are never in the repository; the separation between configuration structure and sensitive values is structurally enforced.

  • Multi-team environments – In environments with separate operator groups (e.g. development, operations, security), KeyNanny enables the secure handover of credentials: an administrator of one group encrypts the value with the KeyNanny certificate of the target environment; the receiving administrator imports it without ever seeing the plain text.

Details

Deployment – KeyNanny is delivered as an RPM package for Red Hat RHEL and SuSE SLES Linux systems. Configuration is done per instance via configuration files under /etc/keynanny/. Each instance is operated as a systemd service via the included template keynannyd@.service.

Data storage – Encrypted credentials are stored as CMS/PKCS#7 blobs in the persistent file system under /var/lib/keynanny/storage/<namespace>/. The encrypted files are not security-critical; the protection lies exclusively in the private key. Decrypted values are held exclusively in RAM and are never written to disk.

Cryptographic infrastructure – Private keys and associated X.509v3 certificates are located under /var/lib/keynanny/crypto/. Software keys are stored as PEM-encoded RSA keys; when using HSMs, the key material remains in the HSM and is referenced via PKCS#11. Certificate globbing patterns enable implicit assignment of certificates to keys and thus simplify configuration during key changes.

Client integration – Credentials can be queried (get), set (set) and listed (list) via the command-line tool keynanny. Libraries for connecting to the KeyNanny protocol are available for many programming languages (Perl, Python, Golang, C). Shell scripts integrate directly via the socket and the keynanny tool.

Access control – Access to KeyNanny instances is natively controlled via Unix file system permissions on the socket file. Read and write permissions can be configured separately per instance, e.g. to separate read-only access for applications from write access for administrators.

Monitoring and logging – KeyNanny supports logging via Syslog (standard, facility local0), console or to log files via flexible configuration values. The encryption status of an installation can be verified via keynannyd --check.

Licence

  • KeyNanny is available as a subscription model. We are happy to inform you about our current pricing tiers.

Additional Options

  • HSM support

Maintenance and Support

Support

Would you like to learn more about our products
or request a demo?

Get in touch

PKI

Infrastructure

Use-Cases

Contact

  • Werner-Heisenberg-Str. 8
  • 85254 Sulzemoos, Germany
  • This email address is being protected from spambots. You need JavaScript enabled to view it.
  • +49 8135 314 000-0
© Whiterabbitsecurity