Guides

Welcome to Goodkey!

Explore these easy-to-follow guides to quickly set up and make the most of Goodkey. Whether you're just getting started, implementing document signing, automating code signing, performing SSH authentication, or integrating Goodkey with your favorite applications, you'll find all the resources you need right here.

Access Control

To address the challenge of secure and convenient usage and delegation of cryptographic keys, Goodkey has developed its own access management system — for both participant management and delegation or approval of cryptographic operations between organization members and teams. Learn more about the access management system.

Supported Algorithms

Goodkey supports most of the current algorithms to meet all your needs. We also stay up to date with innovations and use post-quantum (PQ) algorithms to ensure maximum security for your operations. View the list of supported algorithms.

Getting Started with Goodkey: Creating Keys and Installing Certificates

Follow these step-by-step instructions to quickly set up your Goodkey account, create your first cryptographic key, generate a certificate signing request (CSR), and install the corresponding certificates via the Goodkey web application.

  1. Open Goodkey's web app
  2. Complete the authorization process
  3. Create your organization or accept an invite if you have one
  4. Click "+ New", then select "Create new"
  5. Set key attributes, including title, cryptoperiod, type, size, and usage mode (signing or encryption)
  6. Submit the form by clicking "Create key" and wait for the process to complete
  7. Click the arrow in the top-right corner and select "Create CSR"
  8. Follow the steps to generate the CSR and download it. This allows you to obtain a certificate for your key
  9. Contact a trusted provider to get a certificate based on your needs
  10. Navigate to the "Certificates" section in the left sidebar
  11. Click "+ New", then select "Install certificate"
  12. Upload the certificate, verify that the name is correctly parsed, and finalize the process
  13. Open the certificate from the list and check that it is linked to your key

Install Goodkey application

Goodkey enables crypto operations using keys from cloud providers on your local device. To connect your cloud keys with your device, install the Goodkey application, available for macOS and Windows 10 or later. The application is available from the link.

  1. Create Organization
  2. Download the application.
  3. Open the installer and follow the installation steps
  4. Authorize in the terminal by running the command:
  5. Complete authorization in the browser when redirected
  6. Select your organization where your keys are stored and submit the form
  7. Verify authorization status in the terminal

Firmware Signing with Goodkey and OpenSSL

Goodkey offers a secure and convenient solution for signing firmware images. By seamlessly integrating the Goodkey PKCS#11 module into your preferred interface, you can not only sign firmware images but also securely transmit and manage your private keys — all while keeping them safely stored in the cloud.

  1. Create a signing key
  2. Generate a CSR from your signing key
  3. Obtain a certificate from a trusted provider
  4. Install the certificate in Goodkey
  5. Install the Goodkey Local Application
  6. Authorize using the Goodkey Local Application
  7. Verify that the needed key is available in your Goodkey account.
    Run:
    Copy the ID and Name of the key that you want to use.
  8. Install libp11 to provide a high-level interface for accessing PKCS#11 objects
  9. Set the variable for OpenSSL to connect with your PKCS#11 module
  10. Set the variable for OpenSSL to connect with the libp11 engine

    For Mac with ARM-based architecture (Apple Silicon):

    For Mac with Intel-based architecture:


    Note: If you are using a different architecture or operating system, please contact us for detailed instructions specific to your case.
  11. Sign your Firmware Container. Run the following command, replacing the variables with your actual values:
    KEY_NAME: the name of the key you copied in previous steps
    FIRMWARE_SIGNATURE_PATH: the path to save the signature file
    FIRMWARE_FILE_PATH: the path to the firmware file you want to sign
  12. Save the public key to a separate file. Run the following command, replacing:
    KEY_ID: the ID of the key you copied in previous steps
    PUBLIC_KEY_PATH: the path where you want to save the public key
  13. Verify the Signature. Run the following command, replacing variables:
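
Steps 11 to 13 as a runnable round trip, added here as an example and not Goodkey's own commands: a throwaway local EC key (an assumption) stands in for the key held in Goodkey, so no PKCS#11 module is involved, and the script also shows a modified image and an unrelated public key being rejected. The helper function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: steps 11-13 as a local sign / export / verify round trip.
# Assumption: a throwaway EC key stands in for the Goodkey-held key; with
# Goodkey the signing step would go through the PKCS#11 engine instead.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FIRMWARE_FILE_PATH="$WORK/firmware.bin"
FIRMWARE_SIGNATURE_PATH="$WORK/firmware.sig"
PUBLIC_KEY_PATH="$WORK/signing_pub.pem"
STANDIN_KEY="$WORK/standin_key.pem"          # hypothetical local stand-in key
TAMPERED_PATH="$WORK/firmware_tampered.bin"
OTHER_PUB="$WORK/other_pub.pem"

new_key() {            # $1 = private key output path
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}
sign_firmware() {      # $1 = private key, $2 = signature output, $3 = firmware
    openssl dgst -sha256 -sign "$1" -out "$2" "$3"
}
export_public_key() {  # $1 = private key, $2 = public key output
    openssl pkey -in "$1" -pubout -out "$2"
}
verify_firmware() {    # $1 = public key, $2 = signature, $3 = firmware; exit 0 = valid
    openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}
report() {             # $1 = label, $2 = public key, $3 = firmware
    if verify_firmware "$2" "$FIRMWARE_SIGNATURE_PATH" "$3"; then
        echo "$1: accepted"
    else
        echo "$1: REJECTED"
    fi
}

# Constructed sample image, signed once with the stand-in key.
printf 'constructed-firmware-image-v1' > "$FIRMWARE_FILE_PATH"
new_key "$STANDIN_KEY"
sign_firmware "$STANDIN_KEY" "$FIRMWARE_SIGNATURE_PATH" "$FIRMWARE_FILE_PATH"
export_public_key "$STANDIN_KEY" "$PUBLIC_KEY_PATH"

# Failure cases: one appended byte, and a public key from an unrelated key pair.
cp "$FIRMWARE_FILE_PATH" "$TAMPERED_PATH"
printf 'X' >> "$TAMPERED_PATH"
new_key "$WORK/other_key.pem"
export_public_key "$WORK/other_key.pem" "$OTHER_PUB"

report "original image, exported public key" "$PUBLIC_KEY_PATH" "$FIRMWARE_FILE_PATH"
report "tampered image, exported public key" "$PUBLIC_KEY_PATH" "$TAMPERED_PATH"
report "original image, unrelated public key" "$OTHER_PUB" "$FIRMWARE_FILE_PATH"
```

A device or release pipeline should rely on the exit status of the verification step, as `verify_firmware` does, rather than on parsing the printed text.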

Signing with SignTool

Goodkey integrates into Windows OS as a cryptographic provider, enabling cryptographic operations with Goodkey certificates using system utilities like Certutil and SignTool.

  1. Create a signing key
  2. Generate a CSR from your signing key
  3. Obtain a certificate from a trusted provider
  4. Install the certificate in Goodkey
  5. Install the Goodkey Local Application
  6. Authorize using the Goodkey Local Application. (The video demonstrates authorization using an Access Token. If you don’t need to automate the process, you can use regular authorization)
  7. List your certificates in PowerShell with the following command:
  8. Find the Goodkey certificate you want to use and save its thumbprint
  9. Enable SignTool in the Command Line Interface by running:
  10. Sign your code using SignTool and the Goodkey certificate:
  11. Verify the signature with the following command:
  12. Now your code is securely signed with Goodkey!

Configuring Document Signing with Goodkey and Adobe Acrobat

Learn how to set up document signing by integrating Goodkey's PKCS#11 cryptographic module with Adobe Acrobat. Follow these clear instructions to create keys, install certificates, and seamlessly sign documents using cloud-based cryptographic resources.

  1. Create a signing key
  2. Generate a CSR from your signing key
  3. Obtain a certificate from a trusted provider
  4. Install the certificate in Goodkey
  5. Install the Goodkey Local Application
  6. Authorize using the Goodkey Local Application
  7. Open Adobe Acrobat Reader
  8. Go to "Preferences"
  9. Select "Signatures", then find "Identities & Trusted Certificates" and click "More"
  10. In the opened window, navigate to "PKCS#11 Modules and Tokens"
  11. Click "Attach Module"
  12. Enter the path to the Goodkey PKCS#11 module and click "OK". Module path:

Commit Signing

Goodkey enhances security in your development process. Using integration with GPG via Goodkey's PKCS #11 module, you can sign your commits with a protected key. Your non-exportable private key remains securely in the cloud, ensuring that no one but you can publish code under your name.

  1. Create a signing key
  2. Generate a CSR from your signing key
  3. Obtain a certificate from a trusted provider
  4. Install the certificate in Goodkey
  5. Install the Goodkey Local Application
  6. Authorize using the Goodkey Local Application
  7. Install the GPG integration via gkutils.

    Note: This integration uses the Homebrew package manager and also installs a helper utility, gnupg-pkcs11-scd. If you cannot use Homebrew or this helper, contact us for alternative instructions.

    Run the following command:
  8. Verify that the needed certificate is available in your Goodkey account.
    Run:
    Copy the GPG ID of the certificate you want to use.
  9. Reload the GPG agent
  10. Register your signing credentials in GPG.

    10.1. Start the key generation process:

    10.2. Choose option 13 ("Existing key from card").

    10.3. Enter the copied GPG ID when asked for the keygrip.

    10.4. Complete the configuration with simple settings.
  11. Check that the key was imported and is listed
    Find the imported key and copy its ID from the pub line
  12. Export the public key. Paste the copied ID into the command:
    Copy the exported result.
  13. Go to your GitHub account settings → SSH and GPG keys → New GPG key, and paste the copied key there.

Signing with quorum

Need to share your personal or company keys but worried about security? Goodkey enables secure key sharing with your teammates. Grant them permission to perform operations with your key without transferring it directly, and set up a Quorum to monitor their actions. With Quorum enabled, your teammate must coordinate with you for every key-related operation.

  1. Open the key you want to share
  2. Increase the quorum count by clicking on the counter
  3. Add yourself to the key’s permissions as an Approver
  4. Invite the person you want to share the key with
  5. Ask them to perform an operation
  6. Open the shared key and go to the Operations page
  7. Locate the operation in the "Pending" state
  8. Approve the operation to proceed
  9. The operation flow will continue for the user who initiated it

Integration with Slack

Want to stay informed about your keys in a user-friendly interface? Goodkey has integration with Slack, where you can conveniently track and confirm actions related to your keys.

  1. Open your organization’s settings
  2. Go to the "Integrations" tab
  3. Find Slack integration and click "Activate"
  4. Authorize the workspace by following Slack’s instructions
  5. Return to the integrations page. An "Active" status next to the Slack integration means that your organization members can now set up the connection inside the selected Slack workspace
  6. Click "Connect" to start receiving Goodkey notifications in Slack
  7. Install the application by following Slack’s instructions
  8. You’re all set! Now, you’ll receive Slack notifications whenever someone uses your key or requests your approval for an operation

FAQ

How does Goodkey work?

Goodkey is a comprehensive service for securely storing and managing cryptographic keys and their associated credentials, designed to accommodate both human and agentic (automated) workloads. It provides a user-friendly web interface for creating and managing access to your keys, alongside a local service for securely executing cryptographic operations between your local data and cloud-hosted keys. This setup ensures a seamless, secure workflow whether you're an individual user or managing large-scale automated processes.

How do you protect my keys?

At key-generation or import time, you choose how your keys are to be protected. One option is to store keys in a FIPS 140-3 Level 3 Hardware Security Module (HSM). We provide cryptographic attestations from the HSM manufacturer—generated at runtime—offering visibility into the security policies it enforces, such as exportability.

Because not all algorithms are supported by HSMs, we also offer software-based protection for both key generation and key usage. These software implementations use a dedicated organizational key—secured in the HSM—to protect your keys at rest. We also follow best practices around key handling to minimize risks for keys at rest and in use.

In both cases key exportability is not supported.

Our goal is to let you choose the level of security that best meets your needs while still giving you access to the cryptographic algorithms required to support your use cases.

How can I securely share my keys with Goodkey?

Compromised credentials are a leading cause of security breaches—Verizon reports a high percentage of breaches involve stolen or misused credentials. While sharing cryptographic credentials like SSH keys or certificates is often discouraged, it's sometimes unavoidable (e.g., GPG or S/MIME keys for secure email).

Goodkey solves this by allowing you to share access—not the keys themselves. The raw cryptographic material never leaves Goodkey; other users or systems can perform operations without needing the private key in hand. This dramatically reduces the risk of compromise by keeping keys securely managed at all times.

Can Goodkey help automate code signing?

Yes! One of Goodkey's earliest use cases was enabling distributed teams to securely manage code signing for everything from test builds to final releases. Goodkey integrates with common code signing utilities and works seamlessly in CI/CD pipelines or GitHub Actions. For production releases, our quorum-based approval process helps ensure that the right people authorize final binaries before they reach customers, reducing their exposure to compromised CI pipelines.

What Operating Systems does Goodkey support?

macOS 10.12 or later and Windows 10 or later. Ubuntu support is coming soon.

Can I migrate to Goodkey if I already have keys and certificates?

Yes! Goodkey allows you to import your existing keys and certificates in popular formats such as PKCS#8, PKCS#12, .pem, .der, and more.

Can I use Goodkey with my existing applications and tools?

Absolutely! Goodkey integrates as a cryptographic provider via PKCS#11, Windows Key Storage Provider, Windows Certificate Store Providers, and macOS TokenKit. This covers tools like SSH, Adobe Acrobat, Outlook, SignTool, GPG, and other native cryptographic utilities—ensuring a seamless fit with the workflows you already rely on.

Can I use cryptographic keys while offline?

No. Goodkey is designed to ensure that all private keys and cryptographic operations remain in a protected environment. Because the private keys never leave Goodkey's control, an online connection is required to access Goodkey and perform signing, decryption, or other cryptographic tasks.

Can I get a dedicated deployment for my organization?

Yes. For organizations requiring additional isolation or compliance guarantees, Goodkey supports dedicated or private cloud deployments. This lets you run the Goodkey platform in an environment that's isolated from other tenants, offering greater control over performance, network configuration, and compliance requirements.