🚀 Feature: ephemeral private key (do not store private key on disk) #304

New Issue

Closed

opened 2026-02-04 18:42:16 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-04 18:42:16 +03:00

Owner

Copy Link

Originally created by @ItalyPaleAle on GitHub (May 28, 2025).

Feature description

Instead of saving the private key to disk, Pocket ID could optionally generate a key when it starts up and keep it in-memory only. This would be optional.

Pros:

• Private keys are never stored un-encrypted on disk (see also #580)
• The key is rotated frequently, every time Pocket ID starts up

Cons:

• The key changes every time Pocket ID is started, which means that tokens issued by Pocket ID would be invalidated on every restart. This may or may not be acceptable depending on what the downstream clients expect. This is why this feature is optional.

Pitch

This is another relatively simple feature to implement that helps protecting the "keys to the kingdom". It may not be suitable for all scenarios, but many users who run Pocket ID in their homelab would likely have minimal to no impact when using this.

Originally created by @ItalyPaleAle on GitHub (May 28, 2025). ### Feature description Instead of saving the private key to disk, Pocket ID could optionally generate a key when it starts up and keep it in-memory only. This would be **optional**. Pros: - Private keys are never stored un-encrypted on disk (see also #580) - The key is rotated frequently, every time Pocket ID starts up Cons: - The key changes every time Pocket ID is started, which means that tokens issued by Pocket ID would be invalidated on every restart. This _may or may not_ be acceptable depending on what the downstream clients expect. This is why this feature is optional. ### Pitch This is another relatively simple feature to implement that helps protecting the "keys to the kingdom". It may not be suitable for _all_ scenarios, but many users who run Pocket ID in their homelab would likely have minimal to no impact when using this.

OVERLORD added the feature label 2026-02-04 18:42:16 +03:00

OVERLORD closed this issue 2026-02-04 18:42:22 +03:00

OVERLORD commented 2026-02-04 18:42:30 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub (May 28, 2025):

I think the encryption idea makes sense, but this would introduce a point of failure and may just cause confusion for people if they are not the best at troubelshooting as well.

@kmendell commented on GitHub (May 28, 2025): I think the encryption idea makes sense, but this would introduce a point of failure and may just cause confusion for people if they are not the best at troubelshooting as well.

OVERLORD commented 2026-02-04 18:42:39 +03:00

Author

Owner

Copy Link

@ItalyPaleAle commented on GitHub (May 28, 2025):

Why would it be a point of failure?

Agree it can be confusing. I am thinking this should be optional for this reason.

@ItalyPaleAle commented on GitHub (May 28, 2025): Why would it be a point of failure? Agree it can be confusing. I am thinking this should be optional for this reason.

OVERLORD commented 2026-02-04 18:42:48 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub (May 29, 2025):

Im closing this as we can just track it in https://github.com/pocket-id/pocket-id/issues/580, since its seems like it can be part of that.

@kmendell commented on GitHub (May 29, 2025): Im closing this as we can just track it in https://github.com/pocket-id/pocket-id/issues/580, since its seems like it can be part of that.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

feat/email-verification

oidc-scopes

default-env-db-keys

slog-gorm

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

bug

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#304