Managing keys
The Keys page in Oxrion Cloud is where you manage the keys your protected files use. There are three kinds, each for a different job. Understanding them makes the rest of Oxrion click into place.
License keys
A license key binds a protected file to your end-customer’s license. When you encode a file as Licensed, you choose a license key for it; later you use the same key in the License Manager to issue a .lic for a specific domain and expiry.
- A key is generated for you as a secure random value, or you can enter your own.
- You give each key a name (e.g. the customer or product it’s for) so you can tell them apart.
You’ll typically create one license key per customer or product line. Deleting a license key doesn’t break files already encrypted with it — but you won’t be able to issue new licenses for that key.
External keys
An external key is what makes Private access work. When you encode a file as Private, it requires the matching external key to be present on the server at runtime — provided through an environment variable or php.ini.
- A key is generated for you, or you can enter your own.
- Named, so you can manage several across different deployments.
Without the external key on the server, a private file will not run — even with the Loader installed. This is what lets you restrict your code to servers you authorize. See External keys for setting one up on a server.
Recovery keypairs (public & private keys)
A recovery keypair is what lets you restore a protected file back to its original source later. This is a true keypair — a public key and a private key — and how they’re handled is central to Oxrion’s design.
When you create a keypair, Oxrion stores only the public key. The private key is shown to you once, downloaded immediately, and never kept by Oxrion.
You can also bring your own key: paste a public key you already hold and keep its private key entirely on your side. Either way, only the public key lives in Oxrion; the private key stays with you.
How a keypair is used
- Create (or add) a recovery keypair on the Keys page.
- When encoding, turn on Recovery and pick that keypair’s public key.
- Later, restore the file to source in Recovery by providing the matching private key.
Because the private key is yours alone, only you can recover your files. This is a deliberate trade-off: maximum safety against key leaks, in exchange for you being responsible for keeping the private key safe.
Why three separate keys?
Each key controls a different thing, and keeping them separate keeps each job clean:
| Key | Purpose | Stored by Oxrion? |
|---|---|---|
| License key | Bind a file to a customer’s license (domain + expiry) | Yes |
| External key | Required on the server to run a private file | Yes |
| Recovery keypair | Restore a protected file back to source | Public key only — never the private key |