Key Management

Manage cryptographic keys and lifecycle in 4Quays

4Quays centralizes the full key lifecycle. Applications never handle key material directly — all key operations go through the platform.

Key Types

Destination Public Keys

Public keys from external services used for encrypting payloads that only the destination can decrypt.

You import these from the external service via the policy detail page.

Supported Key Types

Classical Algorithms

| Type | Size | Use Case |
|------|------|----------|
| RSA | 2048, 4096 | Key wrapping |

Post-Quantum Algorithms

| Type | Size | Use Case |
|------|------|----------|
| ML-KEM | 512, 768, 1024 | Key encapsulation |

Importing Keys

Keys are uploaded via the policy detail page in the dashboard:

  1. Navigate to the policy that defines the relationship with the destination service
  2. In the key management section, click Upload Public Key
  3. Select the key type (e.g., RSA-2048)
  4. Paste the public key in PEM format
  5. Click Upload

The uploaded key is associated with the policy's destination service and becomes available for protect operations.

Key Lifecycle

Active

Key is available for use in protect/unprotect operations. Only one active key per policy at a time.

Retired

Key is no longer usable for new operations. Historical operations still reference it in audit logs.

Key Metadata

Track key information:

| Field | Description |
|-------|-------------|
| Key ID | Unique identifier |
| Fingerprint | Hash for verification |
| Type | Algorithm type (RSA-2048, ML-KEM-768, etc.) |
| Created At | When imported |
| Status | Active or Retired |

Viewing Keys

The policy detail page shows associated keys, including:

  • Key metadata and status
  • Algorithm type
  • Fingerprint for verification

Best Practices

Naming and Documentation

Include context when importing keys — record the source, date received, and contact information for the external service that provided the key.

Security

  • Verify key fingerprints with the external service out-of-band
  • Only import keys received through secure channels
  • Review active keys periodically
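
One way to run the fingerprint check before pasting a PEM key into the dashboard, as an added example that is not 4Quays code: it parses an RSA public key, enforces the RSA sizes from the table above, and computes a fingerprint to compare with the value the destination service gives you out-of-band. Assumptions: the fingerprint is SHA-256 over the DER-encoded SubjectPublicKeyInfo (this page does not say how 4Quays computes its fingerprint), all function names are hypothetical, and ML-KEM keys are not handled.

```python
import base64, hashlib, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
ALLOWED_RSA_BITS = {2048, 4096}                # RSA sizes listed in the table above

def read_tlv(buf, pos, tag):  # read one DER element -> (value, next_pos)
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: low 7 bits = byte count
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def pem_to_der(pem):
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected a PEM 'PUBLIC KEY' block")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def inspect_rsa_pem(pem):
    """Return (modulus_bits, sha256_hex_of_DER); raise ValueError if unsuitable."""
    der = pem_to_der(pem)
    spki, end = read_tlv(der, 0, 0x30)         # SubjectPublicKeyInfo SEQUENCE
    alg, key_pos = read_tlv(spki, 0, 0x30)     # AlgorithmIdentifier SEQUENCE
    if end != len(der) or read_tlv(alg, 0, 0x06)[0] != RSA_OID:
        raise ValueError("not a single RSA SubjectPublicKeyInfo")
    bit_string, _ = read_tlv(spki, key_pos, 0x03)
    modulus, _ = read_tlv(read_tlv(bit_string[1:], 0, 0x30)[0], 0, 0x02)
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits not in ALLOWED_RSA_BITS:
        raise ValueError(f"RSA-{bits} is not a supported size")
    return bits, hashlib.sha256(der).hexdigest()

def fingerprint_matches(pem, expected_hex):  # expected_hex: value obtained out-of-band
    want = expected_hex.replace(":", "").replace(" ", "").lower()
    return inspect_rsa_pem(pem)[1] == want

def enc(tag, val):  # minimal DER encoder, used only to build the sample below
    n, k = len(val), (len(val).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + val

def sample_pem(bits):
    """Constructed sample: correct structure and size, NOT a real RSA key pair."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = enc(0x30, enc(0x02, mod) + enc(0x02, b"\x01\x00\x01"))
    spki = enc(0x30, enc(0x30, enc(0x06, RSA_OID) + b"\x05\x00") + enc(0x03, b"\x00" + rsa))
    return "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(spki).decode() + "-----END PUBLIC KEY-----\n"
```

Call `fingerprint_matches(pem_text, value_from_destination)` before uploading. The result is only comparable with the fingerprint shown on the policy detail page if both use the same hash and encoding.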
