Long-lived machines

A SikkerKey machine identity with no built-in expiration date, used for servers, VMs, containers, and processes that should keep reading secrets until disabled or revoked.

What are long-lived machines?

Long-lived machines are SikkerKey machine identities for workloads that stay in place over time: servers, VMs, long-running containers, internal tools, and production services that need ongoing access to secrets.

Unlike temporary or ephemeral machines, a long-lived machine does not have a built-in expiration date. It remains available until the vault owner disables or revokes it.

How they are created

The normal creation path is bootstrap from the dashboard. The vault owner creates a single-use bootstrap token, copies the generated command, and runs it on the target machine.

The bootstrap script generates the machine's Ed25519 keypair on the target machine and submits only the public key. The private key stays on the machine and is used to sign every later request.

The bootstrap token is single-use and short-lived. In the current dashboard flow, it expires after 10 minutes.

Approval and access

A newly bootstrapped long-lived machine cannot read secrets immediately. It appears in the dashboard as pending and must be approved by the vault owner.

After approval, the vault owner attaches the machine to projects and grants access to individual secrets. Project membership alone is not enough. A machine must be approved, active, attached to the project, and explicitly granted the secret it is trying to read.

Provisioned long-lived machines

SikkerKey also has dashboard provisioning flows that create an already-approved long-lived machine and attach its project and secret grants in one operation. Machines created this way are still long-lived in the sense used here: they have no built-in expiration date. Only the creation path differs; the runtime identity model is the same: a machine identity, an Ed25519 keypair, project membership, and explicit secret grants.

Runtime authentication

Long-lived machines authenticate with signed requests. Each request includes the machine ID, a timestamp, a nonce, and an Ed25519 signature. The signature covers the request method, path, body hash, timestamp, and nonce, so a captured request cannot be altered, and the server rejects a replay of it either because the timestamp has fallen outside the accepted window or because the nonce has already been seen.

The private key is the identity material. SikkerKey stores the public key and verifies each request before returning any secret value.
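The signing and verification flow described above, as an added example in Go (this is illustrative code, not SikkerKey's own client or server): the machine side signs method, path, SHA-256 of the body, timestamp and nonce with its Ed25519 private key; the server side holds only public keys and checks, in order, the machine's approval state, timestamp freshness, the signature and a per-machine nonce store. The newline-joined canonical layout, the field and error names, the 5-minute window and the secret paths are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Verifier outcomes. The names are this example's own, not SikkerKey's.
var (
	ErrUnknownMachine = errors.New("unknown-machine") // never bootstrapped, still pending, disabled or revoked
	ErrStale          = errors.New("stale")           // timestamp outside the accepted window
	ErrBadSignature   = errors.New("bad-signature")   // request altered or signed by another key
	ErrReplay         = errors.New("replay")          // nonce already seen for this machine
)

// SignedRequest carries the fields the text names: machine ID, timestamp, nonce and signature.
type SignedRequest struct {
	MachineID string
	Method    string
	Path      string
	Body      []byte
	Timestamp int64 // Unix seconds
	Nonce     string
	Signature []byte
}

// canonical is the byte string the signature covers. The newline-joined layout is an
// assumption of this example; what matters is that both sides build it identically.
func canonical(method, path string, body []byte, ts int64, nonce string) []byte {
	h := sha256.Sum256(body)
	return []byte(strings.Join([]string{method, path, hex.EncodeToString(h[:]), strconv.FormatInt(ts, 10), nonce}, "\n"))
}

// Sign is the machine side. The private key is used here and never leaves the machine.
func Sign(id string, priv ed25519.PrivateKey, method, path string, body []byte, now time.Time) (SignedRequest, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return SignedRequest{}, err
	}
	r := SignedRequest{MachineID: id, Method: method, Path: path, Body: body, Timestamp: now.Unix(), Nonce: hex.EncodeToString(nb)}
	r.Signature = ed25519.Sign(priv, canonical(method, path, body, r.Timestamp, r.Nonce))
	return r, nil
}

// Verifier is the server side: public keys, approval state, and the nonces seen inside the window.
type Verifier struct {
	keys   map[string]ed25519.PublicKey
	active map[string]bool  // approved and not disabled or revoked
	seen   map[string]int64 // "machineID:nonce" -> timestamp
	window time.Duration
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, active: map[string]bool{}, seen: map[string]int64{}, window: window}
}

// Register stores a bootstrapped public key; approved=false models the pending state.
func (v *Verifier) Register(id string, pub ed25519.PublicKey, approved bool) {
	v.keys[id] = pub
	v.active[id] = approved
}

// Verify returns nil only for a fresh, unaltered, never-before-seen request from an active machine.
func (v *Verifier) Verify(req SignedRequest, now time.Time) error {
	pub, ok := v.keys[req.MachineID]
	if !ok || !v.active[req.MachineID] {
		return ErrUnknownMachine
	}
	limit := int64(v.window.Seconds())
	if d := now.Unix() - req.Timestamp; d > limit || -d > limit {
		return ErrStale
	}
	// Signature before nonce bookkeeping, so unauthenticated traffic cannot fill the nonce store.
	if !ed25519.Verify(pub, canonical(req.Method, req.Path, req.Body, req.Timestamp, req.Nonce), req.Signature) {
		return ErrBadSignature
	}
	k := req.MachineID + ":" + req.Nonce
	if _, dup := v.seen[k]; dup {
		return ErrReplay
	}
	v.seen[k] = req.Timestamp
	for key, ts := range v.seen { // nonces older than the window already fail the freshness check
		if now.Unix()-ts > limit {
			delete(v.seen, key)
		}
	}
	return nil
}

// RunScenario walks one valid read and four rejections and returns the outcome of each, in order.
func RunScenario() []string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(5 * time.Minute)
	v.Register("m-1", pub, true)
	now := time.Now()
	req, _ := Sign("m-1", priv, "GET", "/v1/secrets/db-password", nil, now)
	out := []string{label(v.Verify(req, now))}
	out = append(out, label(v.Verify(req, now.Add(time.Second)))) // same bytes replayed: nonce already seen
	tampered := req
	tampered.Path = "/v1/secrets/root-password" // path changed after signing
	out = append(out, label(v.Verify(tampered, now)))
	late, _ := Sign("m-1", priv, "GET", "/v1/secrets/db-password", nil, now)
	out = append(out, label(v.Verify(late, now.Add(time.Hour)))) // fresh nonce, timestamp an hour old
	v.active["m-1"] = false // operator disables the machine; the key alone no longer grants access
	fresh, _ := Sign("m-1", priv, "GET", "/v1/secrets/db-password", nil, now)
	return append(out, label(v.Verify(fresh, now)))
}

func label(err error) string {
	if err == nil {
		return "ok"
	}
	return err.Error()
}

func main() {
	for i, o := range RunScenario() {
		fmt.Printf("%d: %s\n", i+1, o)
	}
}
```

The scenario shows why the freshness and nonce checks belong next to the signature check rather than being left to the signature: the replayed request verifies cryptographically a second time and only the nonce store rejects it, while the stale request carries a perfectly valid signature and a fresh nonce and is rejected purely on time. Disabling the machine stops access immediately even though the machine still holds a valid private key, which is the lifecycle model described below.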

Lifecycle

A long-lived machine has no automatic expiry. Operators manage its lifecycle manually: the machine stays active until the vault owner disables or revokes it, and a disabled or revoked machine is refused even though it still holds its private key.

This makes long-lived machines the right choice for stable infrastructure where the workload identity should persist across deploys and restarts.
