Kleidia Overview#
Audience: Operations Administrators, Security Professionals, End Users
Prerequisites: None
Outcome: Understand what Kleidia is and what it does
What is Kleidia?#
Kleidia is an enterprise-grade YubiKey management platform that enables centralized management of YubiKey devices across your organization. The system provides secure, web-based administration while ensuring that sensitive cryptographic operations are performed locally on user workstations.
Key Capabilities#
Centralized Management#
- Web-based Administration: Manage all YubiKey devices from a single web interface
- User Self-Service: Users can manage their own devices and certificates through a user-friendly dashboard
- Policy Enforcement: Define and enforce security policies across your organization
- Audit Trail: Complete logging of all operations for compliance and security
YubiKey Operations#
- Device Registration: Register and track YubiKey devices across your organization
- PIN/PUK Management: Set, change, and reset YubiKey PINs and PUKs securely
- Certificate Management: Generate, sign, and import PIV certificates using enterprise PKI
- Device Lifecycle: Complete lifecycle management from registration to retirement
Security Features#
- Vault-First Secret Management: All secrets stored in OpenBao
- Local Agent Architecture: Sensitive operations performed on user workstations, not servers
- RSA-OAEP Encryption: All sensitive data encrypted before transmission
- Session-Based Security: Agent keys expire with user sessions for zero standing access
- Enterprise PKI: Integration with OpenBao PKI for certificate signing
System Architecture#
Kleidia uses a hybrid architecture that combines:
- Self-Hosted Platform Services: Web frontend, API backend, database, and OpenBao running in your Kubernetes cluster (on-premises or your cloud subscription)
- Local Agents: HTTP-based agents running on user workstations for YubiKey operations
- Frontend-Mediated Communication: Browser orchestrates operations between platform services and local components
Note: Kleidia is always self-hosted in your infrastructure. There is no multi-tenant SaaS offering. The “managed appliance” option means Kleidia operates a dedicated cluster within your environment—not a shared cloud service.
High-Level Components#
Frontend#
- Technology: Vue.js with Nuxt.js 4
- Purpose: User interface for managing YubiKeys
- Deployment: Runs in Kubernetes cluster
- Access: Web browser via HTTPS
Backend#
- Technology: Go/Gin REST API server
- Purpose: Authentication, authorization, secret encryption, Vault integration
- Deployment: Runs in Kubernetes cluster
- Communication: HTTPS API endpoints
Agent#
- Technology: Go HTTP server
- Purpose: Execute YubiKey operations locally on workstations
- Deployment: Runs on user workstations (localhost:56123)
- Communication: Direct HTTP from browser to localhost
Infrastructure#
- PostgreSQL: Database for users, devices, sessions, and audit logs
- OpenBao: Secrets management and PKI certificate authority
- Kubernetes: Container orchestration platform
Value Proposition#
For Organizations#
- Centralized Control: Manage all YubiKeys from a single platform
- Security Compliance: Complete audit trails and policy enforcement
- Scalability: Supports thousands of users and devices
- Enterprise Integration: Works with existing PKI and identity providers
For Administrators#
- Easy Deployment: Helm chart-based deployment with automated setup
- Operational Simplicity: Kubernetes-native architecture with standard tooling
- Monitoring: Built-in health checks and logging
- Maintenance: Automated backups and upgrade procedures
For End Users#
- Self-Service: Manage your own YubiKey devices
- Simple Interface: Intuitive web interface for common operations
- Secure Operations: All operations performed securely on your workstation
- Zero Configuration: Agent works automatically after installation
Use Cases#
Enterprise YubiKey Management#
- Register and track YubiKey devices across the organization
- Enforce security policies and PIN requirements
- Generate and manage PIV certificates for authentication, code signing
- Monitor device usage and security events
Certificate Lifecycle Management#
- Generate Certificate Signing Requests (CSRs) from YubiKeys
- Sign certificates using enterprise PKI (Vault)
- Import signed certificates to YubiKey PIV slots
- Track certificate expiration and renewal
Security Compliance#
- Complete audit logging of all operations
- Policy enforcement and compliance reporting
- Secure secret management in Vault
- Session-based access control
Deployment Options#
Kleidia supports two deployment models:
| Model | Description | Infrastructure |
|---|---|---|
| Self-Managed | You deploy and operate Kleidia in your Kubernetes cluster | Your on-premises or cloud infrastructure |
| Managed Appliance | Kleidia team operates a dedicated cluster for you | Dedicated cluster in your environment or cloud subscription |
In both models, all data remains under your control—Kleidia never operates as a shared multi-tenant service.
Next Steps#
- Quick Evaluation: See POC Quickstart for a hands-on first experience
- Understanding Architecture: See Architecture Overview
- Planning Deployment: See Deployment Prerequisites
- Security Details: See Security Overview
- Using the System: See User Guides