Secure storage and distribution of cryptographic keys in ATProto applications
README.md

ATP Keyserver (Server)

Keyserver service for secure storage and distribution of cryptographic keys in ATProto applications.

Features

  • Asymmetric Key Management: Ed25519 keypair generation, storage, and retrieval
  • Symmetric Key Distribution: XChaCha20-Poly1305 group key management
  • Key Versioning: Full version history with rotation support
  • Group Access Control: Owner-based membership management
  • ATProto Service Auth: JWT authentication via ATProto service auth tokens
  • Access Logging: Security audit trail for all key access

Requirements

  • Bun v1.0 or higher
  • Environment Variables:
    • DID (required): The DID of this deployed service
    • PORT (optional): Server port (defaults to 4000)
    • DB_PATH (optional): Path to SQLite database file (defaults to ./data/keyserver.db)

Installation

cd packages/server
bun install

Development

bun run dev

In development mode the server runs with DID=test and auto-reload enabled.

Production

# Set required environment variable
export DID=did:web:keyserver.example.com

# Optional: set custom port
export PORT=4000

# Optional: set custom database path
export DB_PATH=/var/lib/keyserver/keyserver.db

# Start server
bun start

Docker Deployment

Build the Image

# From repository root
docker build -t atp-keyserver:latest .

Run with Docker

docker run -d \
  -p 4000:4000 \
  -e DID=did:web:keyserver.example.com \
  -e PORT=4000 \
  -v keyserver-data:/app/data \
  --name atp-keyserver \
  atp-keyserver:latest

Docker Compose

version: '3.8'
services:
  keyserver:
    build: .
    ports:
      - "4000:4000"
    environment:
      - DID=did:web:keyserver.example.com
      - PORT=4000
      - NODE_ENV=production
    volumes:
      - keyserver-data:/app/data
    restart: unless-stopped

volumes:
  keyserver-data:

Database persistence: The database is stored in /app/data/keyserver.db inside the container. Use Docker volumes to persist data across container restarts.

Deployment Checklist

  1. Build: No build step required (Bun runs TypeScript directly)
  2. Environment: Set DID, PORT, and DB_PATH as environment variables
  3. Database: Ensure the database directory has proper permissions and is backed up
  4. Reverse Proxy: Configure nginx or Caddy to proxy to the server
  5. SSL/TLS: Terminate SSL/TLS at the reverse proxy
  6. Monitoring: Monitor database size and access logs regularly
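An added pre-start check covering steps 2 and 3 above (example script written for this page, not part of the project). It assumes the service runs as an unprivileged user, that did:web and did:plc are the DID methods in use, and that the database directory should be accessible only to that user because the SQLite file holds private keys:

```shell
# Pre-start environment check for the ATP Keyserver (added example, not part of
# the project). Validates what the README's requirements and checklist ask for:
#   DID      required; assumed to be a did:web or did:plc identifier
#   PORT     optional, default 4000; must be an integer in 1..65535
#   DB_PATH  optional, default ./data/keyserver.db; its directory must exist,
#            be writable, and not be group/world accessible
# Returns 0 when everything checks out, 1 otherwise, printing each problem.
keyserver_preflight() {
  did="${DID:-}"
  port="${PORT:-4000}"
  db_path="${DB_PATH:-./data/keyserver.db}"
  db_dir=$(dirname "$db_path")
  ok=0

  case "$did" in
    did:web:?*|did:plc:?*) ;;
    "") echo "DID is required (e.g. DID=did:web:keyserver.example.com)"; ok=1 ;;
    *)  echo "DID '$did' is not a did:web or did:plc identifier"; ok=1 ;;
  esac

  case "$port" in
    ""|*[!0-9]*) echo "PORT '$port' is not a number"; ok=1 ;;
    *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
         echo "PORT '$port' is outside 1..65535"; ok=1
       fi ;;
  esac

  if [ ! -d "$db_dir" ]; then
    echo "database directory '$db_dir' does not exist (create it before starting)"; ok=1
  else
    [ -w "$db_dir" ] || { echo "database directory '$db_dir' is not writable"; ok=1; }
    # Octal mode: GNU stat first, BSD/macOS stat as fallback.
    perms=$(stat -c '%a' "$db_dir" 2>/dev/null || stat -f '%Lp' "$db_dir")
    case "$perms" in
      *00) ;;
      *)   echo "database directory '$db_dir' has mode $perms; restrict it with chmod 700"; ok=1 ;;
    esac
  fi
  return "$ok"
}

# Usage (sourced before starting the service):
#   . ./preflight.sh && keyserver_preflight && bun start
```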

License

See LICENSE.md