Revoking Someone's Access
When a team member leaves or a device is compromised, you can revoke their access to the project’s secrets using Kānuka.
Previewing revocation
Before revoking access, you can preview what would happen using the --dry-run flag:
This shows:
- Which files would be deleted (public keys and encrypted symmetric keys)
- Which config entries would be removed
- How many remaining users would have their keys rotated
No changes are made when using --dry-run, so you can safely verify the impact
before executing the revocation.
Revoking by email
To revoke all access for a user across all their devices:
This removes:
- Their public key(s) from .kanuka/public_keys/
- Their encrypted symmetric key(s) from .kanuka/secrets/
- Their entries from the project configuration
Multiple devices confirmation
If the user has multiple devices registered, Kānuka will ask for confirmation:
- macbook-pro (created: Jan 15, 2024)
- work-desktop (created: Jan 20, 2024)
This will revoke ALL devices for this user.
Proceed? [y/N]:
To skip confirmation (useful for automation), pass the --yes flag:
Revoking a specific device
If a user’s device is compromised but they should retain access on other devices, revoke only that specific device:
This is useful when:
- A laptop is lost or stolen
- A team member gets a new computer
- You want to clean up old device registrations
Revoking by file path
You can also revoke by directly specifying the .kanuka file path:
kanuka secrets revoke --file .kanuka/secrets/a1b2c3d4-5678-90ab-cdef-1234567890ab.kanuka
This removes both the encrypted symmetric key and the corresponding public key.
What happens after revocation
When you revoke a user, Kānuka automatically:
- Removes their files - Public key and encrypted symmetric key are deleted
- Updates the config - Their entry is removed from .kanuka/config.toml
- Rotates the symmetric key - A new symmetric key is generated and encrypted for all remaining users
Key rotation
The automatic key rotation ensures the revoked user cannot decrypt any secrets encrypted after the revocation, even if they had previously obtained the symmetric key. It does not undo access the user already had: anything they could decrypt before the revocation should be treated as known to them, which is why the steps under “After revoking” suggest rotating the secrets themselves when the revocation was security-related.
Revocation examples
# Preview revocation without making changes
# Revoke all devices for a user
# Revoke a specific device
# Preview specific device revocation
# Revoke without confirmation (for CI/CD automation)
# Revoke by file path
kanuka secrets revoke --file .kanuka/secrets/abc123.kanuka
Using in CI/CD pipelines
In automated environments where your private key isn’t stored on disk, you can
pipe it directly from a secrets manager using the --private-key-stdin flag:
# From HashiCorp Vault
vault read -field=private_key secret/kanuka | kanuka secrets revoke --user [email protected] --yes --private-key-stdin
# From 1Password CLI
op read "op://Vault/Kanuka/private_key" | kanuka secrets revoke --user [email protected] --yes --private-key-stdin
# From environment variable
echo "$KANUKA_PRIVATE_KEY" | kanuka secrets revoke --user [email protected] --yes --private-key-stdin
Note the --yes flag to skip confirmation prompts in automated environments.
After revoking
After revoking access:
- Commit the changes - The file deletions and config updates
- Push to remote - So the revocation takes effect for the team
- Consider rotating secrets - If the revocation was security-related
git add .kanuka/
git push
Next steps
- Registration concepts - Understand the key exchange process
- Registration guide - Add new team members
- CLI reference - Full command documentation