Signing Keys

Repository Service for TUF (RSTUF) requires two sets of keys for Deployment and Service Setup: Root Key(s) (offline) and the Online Key.

Root Key(s) (offline)

The Root key(s) delegates trust to TUF. The number of keys is the number of identities/people who administer the top-level TUF Metadata.

RSTUF requires all Root key(s) only during the Service Setup specifically during the Ceremony process. This process also defines the Root key threshold, representing the number of Root key(s) for future offline operations.


See the number of Root keys/threshold example

An organization declares that it will utilize 5 (five) Root keys in order to administer the RSTUF Service. All 5 (five) people will be required to utilize their keys individually during the Ceremony process.

During the Ceremony process, the same organization defines that the threshold for Root metadata is 2 (two).

Root keys: 5
Root keys threshold: 2

The organization to perform Metadata Update process requires at least 2 (two) people to use their keys.


The root key(s) should be stored secured offline.

The key must be compatible with Secure Systems Library.

Online Key

The online key signs TUF metadata for the roles that use the online key.

RSTUF requires the online key during the Service Setup, specifically during the Ceremony process.

During RSTUF Worker service deployment, configure the online key using a supported Key Vault Service


  • Do not expose the online private key.

  • The online key should be stored and secured with limited access by RSTUF Workers only.


Targets, Snapshot, and Timestamp’s metadata use the online key for signing.

Generating Keys with RSTUF

RSTUF Command Line Interface (CLI) provides a feature for Key Generation (generate)

This command will generate cryptographic keys using the securesystemslib library. The user is requested to provide:

  1. the key type, from the supported list of encryption algorithms

  2. the key’s filename, whose path will be the current working directory

  3. a password, to encrypt the private key file

After the above procedure, two files, the private and public key (e.g., id_ed25519 and, will be generated in the current working directory.

The generated keys may be used in the Repository Service for TUF Ceremony process, for the online key or the TUF roles’ keys (root, targets, etc. keys).

❯ rstuf key generate

Choose key type [ed25519/ecdsa/rsa] (ed25519): ed25519
Enter the key's filename: (id_ed25519): id_ed25519
Enter password to encrypt private key file 'id_ed25519':

┃                   Key ID                   ┃ Key Type ┃                Public Key                 ┃
│ f2f9f111b4a8dfb3766c8066628c81bd3aef42b34… │ ed25519  │ bb713c55bbf9b13ff7f92193af55b2f65ae15e55… │