Need help with keywhiz?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

2.4K Stars 203 Forks Apache License 2.0 1.5K Commits 47 Opened issues


A system for distributing and managing secrets

Services available


Need anything else?

Contributors list


license maven build

Keywhiz is a system for distributing and managing secrets. For more information, see the website.

Our Protecting infrastructure secrets with Keywhiz blog post is worth reading, as it provides some useful context.


Keywhiz requires Java 11 and MySQL 5.7 or higher.

See CONTRIBUTING for details on submitting patches.

Build Keywhiz:

mvn install

Run Keywhiz:

java -jar server/target/keywhiz-server-*-shaded.jar [COMMAND] [OPTIONS]

Useful commands to get started are

. Use with
for a list of all available commands. Use with
[COMMAND] --help
to get help on a particular command.

For example, to run Keywhiz with a mysql database in development mode:


Initialize dev database

java -jar $SERVER_JAR migrate $KEYWHIZ_CONFIG

Add an administrative user

java -jar $SERVER_JAR add-user $KEYWHIZ_CONFIG

Run server

java -jar $SERVER_JAR server $KEYWHIZ_CONFIG

To connect to a running Keywhiz instance, you will need to use the CLI.

An example helper shell script that wraps the keywhiz-cli and sets some default parameters:


Set the path to a compiled, shaded keywhiz-cli JAR file

KEYWHIZ_CLI_JAR="/path/to/keywhiz-cli-shaded.jar" KEYWHIZ_SERVER_URL="https://$(hostname):4444"

Use these flags if you want to specify a non-standard CA trust store.

Alternatively, in development and testing specify the --devTrustStore

flag to use the default truststore (DO NOT use this in production, as

the truststore is checked into Keywhiz' code).


java "$TRUSTSTORE" "$TRUSTTYPE" -jar "$KEYWHIZ_CLI_JAR" -U "$KEYWHIZ_SERVER_URL" "[email protected]"

Keywhiz uses jOOQ to talk to its database.

If you made changes to the database model and want to regenerate sources:

mvn install -pl model/ -Pgenerate-jooq-sources

We recommend IntelliJ IDEA for development.

Clients & API

Square also maintains a Keywhiz client implementation called Keysync.


We ship a Dockerfile for building a Docker container for Keywhiz. Please see the Dockerfile for extra instructions.


Keywhiz is under the Apache 2.0 license. See the LICENSE file for details.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.