Identity Management
Remi uses Ed25519 keypairs for authentication. Each device (server or client) has an identity that proves who it is during connection.
remi keygen
Generate a new Ed25519 identity keypair.
remi keygen
By default, the private key is stored unencrypted in ~/.remi/identity.json for zero-friction startup. To encrypt the private key with a passphrase, use --passphrase:
remi keygen --passphrase
You will be prompted to enter a passphrase (minimum 8 characters). You can also provide the passphrase via the REMI_PASSPHRASE environment variable for non-interactive contexts.
Generating Ed25519 keypair...
Identity generated successfully.
Fingerprint: a1b2c3d4e5f6...
Encrypted: no
Stored at: ~/.remi/identity.json
Options
| Option | Description |
|---|---|
| --passphrase | Encrypt the private key with a passphrase |
| --force | Overwrite an existing identity |
| --decrypt | Remove passphrase from an existing encrypted identity |
| --encrypt | Add passphrase to an existing unencrypted identity |
Managing Passphrase
You can add or remove the passphrase on an existing identity without regenerating the keypair. The fingerprint stays the same, so authorized clients do not need to re-authorize.
Remove passphrase (encrypted to unencrypted):
remi keygen --decrypt
You will be prompted for the current passphrase (or set REMI_PASSPHRASE).
Add passphrase (unencrypted to encrypted):
remi keygen --encrypt
You will be prompted for a new passphrase (minimum 8 characters).
Overwriting an Existing Identity
If an identity already exists, keygen refuses to overwrite it. Use --force to replace:
remi keygen --force
Replacing your identity means all clients that trusted your old fingerprint will see a fingerprint mismatch on their next connection. They will need to re-verify and re-trust your new identity.
remi export-key
Export your identity for sharing across devices.
# Export full identity (encrypted private key + public key)
remi export-key
# Export only the public key (safe to share)
remi export-key --public-only
Output is JSON printed to stdout. Redirect to a file:
remi export-key > my-identity.json
remi export-key --public-only > my-public-key.json
The full export includes your encrypted private key, so it can be imported on another machine. The --public-only export contains only your public key and fingerprint, suitable for giving to others to authorize you.
Options
| Option | Description |
|---|---|
| --public-only | Export only the public key (no private key) |
remi import-key
Import an identity from a file or stdin.
# From a file
remi import-key identity.json
# From stdin
cat identity.json | remi import-key
If an identity already exists, import refuses to overwrite it. Use --force to replace:
remi import-key --force identity.json
Options
| Option | Description |
|---|---|
| --force | Overwrite existing identity |
Identity Files
| File | Contents |
|---|---|
| ~/.remi/identity.json | Ed25519 private key (plaintext or encrypted) and public key |
If the identity was created with --passphrase, the passphrase is required to unlock it. Set the REMI_PASSPHRASE environment variable for non-interactive use (CI, remote scripts). To remove the passphrase without changing your keypair, use remi keygen --decrypt.
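Because the default leaves the private key unencrypted in ~/.remi/identity.json, filesystem permissions are what keep other local accounts from reading or replacing it. The following is an added example, not part of Remi: a shell function that audits those permissions. The names audit_identity and perm_bits and the messages are illustrative, and the only assumption is the default path documented above.

```shell
#!/bin/sh
# Added example (not part of Remi): audit who can reach the identity file.
# Assumption: the default path ~/.remi/identity.json from the docs above;
# audit_identity and perm_bits are illustrative names.

# Print the 9 permission characters (rwxrwxrwx) of a path, following symlinks.
perm_bits() {
    ls -ldL "$1" | cut -c2-10
}

# Usage: audit_identity [path]
# Returns 0 if clean, 1 if there is any finding, 2 if the file is missing.
audit_identity() {
    id_file="${1:-$HOME/.remi/identity.json}"
    id_dir=$(dirname "$id_file")
    findings=0

    if [ ! -f "$id_file" ]; then
        echo "missing: $id_file"
        return 2
    fi
    if [ -L "$id_file" ]; then
        echo "finding: $id_file is a symlink; check where it points"
        findings=1
    fi
    if [ ! -O "$id_file" ]; then
        echo "finding: $id_file is not owned by the current user"
        findings=1
    fi
    # Any group/other bit lets another local account read or modify the key.
    case "$(perm_bits "$id_file")" in
        ???------) ;;
        *) echo "finding: $id_file is accessible to group/other (chmod 600)"
           findings=1 ;;
    esac
    # A group/other-writable directory lets others swap the file out.
    case "$(perm_bits "$id_dir")" in
        ????-??-?) ;;
        *) echo "finding: $id_dir is writable by group/other (chmod 700)"
           findings=1 ;;
    esac
    return "$findings"
}
```

Call audit_identity after remi keygen or remi import-key, and in provisioning scripts on any host where the identity is left unencrypted.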