Key Ceremony Planner
Choose a safe M-of-N quorum and generate a printable ceremony script (runbook) for your PKI key ceremony
M-of-N Quorum Calculator
The key is split so that any M of N custodians together can use it, while fewer than M cannot. Pick values and see what they mean for availability and security.
Recommendation: 3-of-5 is a widely used, healthy configuration: no single person can use the key, and up to 2 custodians can be unavailable without blocking operations.
Healthy configuration
3-of-5 is one of the most common real-world setups: it enforces dual control and still tolerates 2 unavailable custodians.
Ceremony Script Generator
Fill in the details and generate a basic, printable ceremony script in Markdown — with step tables, an exception log, and a sign-off block ready for handwritten times and initials.
What is a Key Ceremony?
A key ceremony is a formal, scripted event in which a high-value cryptographic key — typically the private key of a root CA — is generated, activated, backed up, or destroyed. Because everything a PKI signs ultimately chains back to that one key, it is never handled casually: every action is written down in advance, performed in front of witnesses, recorded, and signed off. The ceremony itself becomes evidence that the key was created correctly and that no single person ever had the chance to copy or misuse it.
Trust in a root key does not come from secrecy alone — it comes from transparency about how the key was handled. A well-run ceremony proves three things: the key was generated inside approved hardware, control over it was immediately split among multiple people, and every step in between is documented and auditable.
Why hold a formal ceremony?
- Trust through transparency — witnesses, recordings, and a signed script let anyone verify afterwards that the key was handled correctly.
- No single point of compromise — split control ensures no individual can ever use, copy, or export the key alone.
- Auditability — every step carries a time and initials, and deviations go into an exception log, producing a complete paper trail.
- Repeatability — a script removes improvisation, so the ceremony can be rehearsed in advance and reproduced years later.
When to hold one
- Root CA key generation — creating a new root key pair that a whole certificate hierarchy will depend on.
- HSM initialization — setting up a new hardware security module and issuing custodian credentials for the first time.
- Key rotation or migration — replacing an aging key, moving a key to new hardware, or re-issuing custodian shares.
- Key destruction — provably retiring a key at the end of its life, witnessed and recorded like any other key operation.
How M-of-N split control works in practice
Control over the key is divided into N shares — usually smartcards or tokens issued by the HSM — and each share is handed to a different custodian. The HSM will only activate the key when any M of those N custodians present their shares, one at a time, during the same session. Fewer than M shares reveal nothing about the key.
Security floor: M
M is the number of people who would have to conspire to misuse the key. M = 1 means no dual control at all — always require at least 2.
Availability buffer: N − M
N − M custodians can lose their share, leave the company, or simply be on vacation, and a valid quorum can still be formed.
Balanced choices
2-of-3 and 3-of-5 are the classic sweet spots: strong enough that no one acts alone, resilient enough that a lost card is an inconvenience, not a disaster.