Ephemeral machines

Short-lived SikkerKey machines created by enrollment tokens, auto-approved with preconfigured project and secret access, then disabled automatically when their lifetime expires.

What are ephemeral machines?

Ephemeral machines are short-lived SikkerKey machine identities created through enrollment tokens. They are designed for workloads that appear and disappear too quickly for manual approval: CI runners, autoscaling pods, short-lived containers, preview environments, and serverless cold starts.

Each ephemeral machine has its own expiration time and is tied to the enrollment token that created it. When that lifetime ends, the machine stops authenticating automatically.

How they are created

Ephemeral machines are created from enrollment tokens. An enrollment token is a reusable policy template, not a one-machine bootstrap token.

When creating an enrollment token, the vault owner configures:

The token value is shown once and is not stored by SikkerKey in plaintext. The enrollment URL also includes the vault ID, so the token value alone is not enough to enroll in the wrong vault.

What enrollment does

Each time the enrollment command runs, the machine generates its own Ed25519 keypair locally, sends the public key and hostname to SikkerKey, and receives a machine identity.

On successful enrollment, SikkerKey approves the machine immediately and applies the projects and secret grants configured on the enrollment token. There is no manual approval step because the enrollment token already defines the allowed scope.

Token lifetime vs machine lifetime

Enrollment tokens have two separate clocks: the token's own validity window, which bounds when it can still be used to enroll new machines, and the lifetime assigned to each machine it creates.

Revoking, expiring, or exhausting the token stops new enrollments. It does not automatically revoke machines already created by that token. Existing ephemeral machines continue until their own lifetime ends unless revoked directly.

Runtime authentication

After enrollment, an ephemeral machine authenticates the same way as any other SikkerKey machine. It signs each request with its local Ed25519 private key, and SikkerKey verifies the signature against the stored public key before serving secrets.

The difference is lifecycle, not cryptography: the identity is short-lived and its project membership and secret grants are applied automatically from the enrollment token.

Expiration and cleanup

When an ephemeral machine reaches its expiration time, SikkerKey disables it automatically. Authentication is refused, but the machine remains visible for a retention period so the audit trail stays available.

After 30 days of retention, SikkerKey permanently deletes the expired machine and removes its project memberships and secret grants. The identity file on disk becomes inert.

When to use ephemeral machines

Use ephemeral machines when the workload is created repeatedly and predictably from automation. A CI pipeline, autoscaling group, or container fleet should not require a human to approve every new instance. The enrollment token becomes the controlled template, and every machine it produces gets its own short-lived identity and audit trail.

SikkerKey is the secrets manager built around the patterns in this glossary. Encrypted vault, machine identity over signed requests, dynamic secrets — set up in minutes.