A transparent and secure way to look up public keys.
Switch branches/tags
Clone or download
gdbelvin Change (low,high] to [low,high) intervals in HighWatarmarks (#1144)
* Swap inclusive/exclusive in meta

* impl ReaLog swap inclusive

* HighWatermarks
Latest commit 3a0c602 Dec 13, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmd Enforce one trillian Map caller at a time with sequencer election (#1009 Dec 5, 2018
core Change (low,high] to [low,high) intervals in HighWatarmarks (#1144) Dec 13, 2018
deploy Enforce one trillian Map caller at a time with sequencer election (#1009 Dec 5, 2018
docs API: Rename Epoch to Revision (#1104) Nov 8, 2018
impl Change (low,high] to [low,high) intervals in HighWatarmarks (#1144) Dec 13, 2018
scripts Export Prometheus metrics to StackDriver (#996) Jun 26, 2018
.dockerignore Add .dockerignore file, move gcloud auth command to travis (#622) Jun 20, 2017
.gitignore Add integration test to code coverage metrics (#1010) Jul 6, 2018
.golangci.yml Replace a Map of LogSources with a List of LogSources (#1124) Nov 26, 2018
.gometalinter.json Remove Makefile and use standard gometalinter config (#1042) Sep 19, 2018
.keytransparency.yaml Simplify command line client flags (#738) Aug 12, 2017
.travis.yml Fix deployment scripts (#1143) Dec 5, 2018
AUTHORS Prevent protobuf nil pointer dereference (#600) Aug 8, 2017
CODEOWNERS Add CODEOWNERS file (#1032) Sep 6, 2018
CONTRIBUTING.md Main Title format fixed (#1007) Jun 27, 2018
CONTRIBUTORS Monitor verification logic (#768) Sep 1, 2017
LICENSE Add Licensing Jun 2, 2015
README.md API: Rename Epoch to Revision (#1104) Nov 8, 2018
client_secrets.json.enc Fix gcloud install and deploy script (#1060) Oct 9, 2018
codecov.yml Ignore generated files in code coverage (#1017) Jul 10, 2018
docker-compose.yml Enforce one trillian Map caller at a time with sequencer election (#1009 Dec 5, 2018
prototool.yaml prototool linting and formatting (#1105) Nov 8, 2018


Key Transparency

GoDoc Build Status Go Report Card codecov

Key Transparency Logo

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.

Key Transparency Client


  1. Install Go 1.10.
  2. go get -u github.com/google/keytransparency/cmd/keytransparency-client

Client operations

Generate a private key

keytransparency-client authorized-keys create-keyset -p password
keytransparency-client authorized-keys list-keyset -p password

Publish the public key

  1. Get an OAuth client ID and download the generated JSON file to client_secret.json.
keytransparency-client post user@domain.com --client-secret=client_secret.json --insecure -d 'dGVzdA==' #Base64

Get and verify a public key

keytransparency-client get <email> --insecure --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >

Verify key history

keytransparency-client history <email> --insecure
Revision |Timestamp                    |Profile
4        |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Running the server


  1. OpenSSL
  2. Docker
    • Docker Engine 1.13.0+ docker version -f '{{.Server.APIVersion}}'
    • Docker Compose 1.11.0+ docker-compose --version
  3. go get -u github.com/google/keytransparency/...
  4. go get -u github.com/google/trillian/...
  5. ./scripts/prepare_server.sh -f


  1. Run Key Transparency
$ cd $GOPATH/src/github.com/google/keytransparency
$ docker-compose up -d
Creating keytransparency_db_1 ...         done
Creating keytransparency_map_server_1 ... done
Creating keytransparency_log_server_1 ... done
Creating keytransparency_log_server_1 ... done
Creating keytransparency_server_1 ...     done
Creating keytransparency_sequencer_1 ...  done
Creating keytransparency_monitor_1 ...    done
Creating keytransparency_init_1 ...       done
Creating keytransparency_prometheus_1 ... done
Creating keytransparency_monitor_1 ...    done
  1. Watch it Run

Development and Testing

Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.

Directory structure

The directory structure of Key Transparency is as follows: