
# Overview

export const SolutionCard = ({title, description, icon, href}) => {
  return (
    <a href={href} className="not-prose font-normal group ring-0 ring-transparent cursor-pointer block rounded-lg border border-zinc-950/10 dark:border-white/10 bg-white dark:bg-transparent p-5 no-underline hover:border-primary/40 transition-colors">
      <div style={{
        display: 'flex',
        alignItems: 'flex-start',
        gap: '16px'
      }}>
        <img src={`/images/solutions/light/${icon}.svg`} className="tk-card-icon-img block dark:hidden" alt="" />
        <img src={`/images/solutions/dark/${icon}.svg`} className="tk-card-icon-img hidden dark:block" alt="" />
        <div>
          <div className="font-semibold text-sm text-zinc-950 dark:text-white group-hover:text-primary transition-colors">
            {title}
          </div>
          <div className="text-sm text-zinc-500 dark:text-zinc-400 mt-1">
            {description}
          </div>
        </div>
      </div>
    </a>
  );
};

## What is key management?

Turnkey provides infrastructure to store, recover, and operate on cryptographic keys beyond just wallet use cases. Instead of managing raw key material in your own infrastructure, your application delegates key storage to Turnkey's secure enclaves and controls access through programmable policies. **You define who can use a key and under what conditions; Turnkey ensures the key material is never exposed.**

## Why Turnkey for key management?

Protecting cryptographic keys means solving for secure storage, access control, disaster recovery, and auditability. Turnkey's infrastructure handles this so your keys remain protected throughout their lifecycle.

With Turnkey, you can:

* Store and [import](/security/enclave-secure-channels) cryptographic keys in hardware-backed [secure enclaves](/security/secure-enclaves) where key material never exists in plaintext outside the enclave boundary
* Gate key access and export through a programmable [policy engine](/features/policies/overview), including [quorum approval](/features/users/root-quorum) for sensitive operations
* Authenticate key access through multiple methods including API keys, [passkeys](/features/authentication/passkeys/introduction), [social logins](/features/authentication/social-logins), [email](/features/authentication/email), and [SMS OTP](/features/authentication/sms)
* Maintain a cryptographic audit trail where every key operation is stamped and verifiable
* Distribute trust between your infrastructure and Turnkey so no single party can access plaintext material

## How it works

Your backend authenticates to Turnkey via API key. The [policy engine](/features/policies/overview) evaluates every request inside the secure enclave before any key operation executes. Keys are stored and operated on entirely within the enclave. Only derived outputs (public keys, encrypted export bundles, and operation results) are returned.

### Access control model

Key management is configured through an [organization](/features/organizations) with users, tags, and policies to control access:

* **Users** representing human operators and automated services, each with their own credentials (API keys, passkeys)
* **Tags** grouping users by role (e.g. `recovery-admin`, `backup-operator`)
* **Policies** controlling who can access keys and under what conditions: by key ID, operation type, approval threshold, or any combination

Turnkey is deny-by-default. If no policy explicitly allows an action, it is rejected. See [Policies](/features/policies/overview) and [Policy Language](/features/policies/language).
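To make the deny-by-default model concrete, here is an added stand-alone simulation of the access control model described above (users grouped by tags, allow policies scoped by key ID, operation type and approval threshold). It is illustrative code written for this page, not Turnkey's policy engine, policy language or SDK; every type, name and sample value in it is constructed for the example.

```typescript
// Added illustration of the deny-by-default access model: users, tags and
// allow policies keyed by key ID, operation type and approval threshold.
// Constructed for this page; not Turnkey's policy engine or SDK.

type Operation = "SIGN" | "EXPORT" | "IMPORT";

interface User { id: string; tags: string[] }

interface Request {
  keyId: string;
  operation: Operation;
  approvers: User[];          // users who have stamped (approved) this request
}

// A policy only ever grants access; anything no policy grants is rejected.
interface AllowPolicy {
  name: string;
  keyIds?: string[];          // omit to match any key
  operations?: Operation[];   // omit to match any operation type
  approverTag: string;        // approvers must carry this tag to count
  minApprovals: number;       // quorum threshold of distinct tagged approvers
}

function policyMatches(p: AllowPolicy, req: Request): boolean {
  if (p.keyIds && !p.keyIds.includes(req.keyId)) return false;
  if (p.operations && !p.operations.includes(req.operation)) return false;
  // Count only approvers holding the required tag; each user counts once.
  const qualifying = new Set(
    req.approvers.filter(u => u.tags.includes(p.approverTag)).map(u => u.id)
  );
  return qualifying.size >= p.minApprovals;
}

// Deny-by-default: returns the name of the first policy that allows the
// request, or null when no policy explicitly allows it (request rejected).
function evaluate(policies: AllowPolicy[], req: Request): string | null {
  const hit = policies.find(p => policyMatches(p, req));
  return hit ? hit.name : null;
}

// Constructed sample configuration (hypothetical users, tags and key IDs).
const alice: User = { id: "u-alice", tags: ["recovery-admin"] };
const bob: User = { id: "u-bob", tags: ["recovery-admin"] };
const svc: User = { id: "u-signer-svc", tags: ["backup-operator"] };

const policies: AllowPolicy[] = [
  { name: "service-signing", operations: ["SIGN"], approverTag: "backup-operator", minApprovals: 1 },
  { name: "export-quorum", keyIds: ["key-treasury"], operations: ["EXPORT"], approverTag: "recovery-admin", minApprovals: 2 },
];
```

With this configuration the service account can sign on its own, a treasury export needs two distinct `recovery-admin` approvers, and an import of any key is rejected because no policy mentions it.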

### Security model

* **Keys never leave the enclave.** Cryptographic keys live in [Trusted Execution Environments (TEEs)](/security/secure-enclaves). All key operations happen inside verifiable infrastructure; only derived outputs are returned.
* **End-to-end encryption for import and export.** Key material in transit is encrypted directly to the enclave using [HPKE](/security/enclave-secure-channels). Plaintext never exists outside the enclave boundary.
* **Policy-gated access.** Every key operation is evaluated against policies in the enclave. Users and services can only perform actions they have been explicitly authorized for.
* **Trusted vs. untrusted separation.** A breach of your backend does not expose keys. The enclave enforces policies independently of your infrastructure.

For a deeper look, see [Security](/security/our-approach) and [Secure Enclaves](/security/secure-enclaves).

## Building with Turnkey

Key management integrations are backend-driven. Use Turnkey's server SDKs to store keys, manage policies, and handle import and export operations programmatically from your infrastructure.

Server SDKs are available for [TypeScript](/solutions/company-wallets/integration-guide/javascript-server), [Go](/solutions/company-wallets/integration-guide/golang), [Ruby](/solutions/company-wallets/integration-guide/ruby), [Python](/solutions/company-wallets/integration-guide/python), and [Rust](/solutions/company-wallets/integration-guide/rust). For full control, you can call the [Turnkey API](/api-reference/overview/intro) directly.

The [Turnkey Dashboard](https://app.turnkey.com) provides an interface for managing organizations, users, and policies.

## Use cases

Key management serves different needs depending on how your application uses cryptographic keys. Choose the pattern that matches your requirements.

<div style={{display: 'grid', gridTemplateColumns: 'repeat(2, 1fr)', gap: '12px'}}>
  <SolutionCard title="Encryption Key Storage" icon="encryption-key-storage" href="/solutions/key-management/encryption-key-storage" description="Store encryption keys in Turnkey's secure enclave and separate risk between your infrastructure and Turnkey. Build user-controlled recovery, distributed trust, and policy-gated decryption." />

  <SolutionCard title="Enterprise Disaster Recovery" icon="enterprise-disaster-recovery" href="/solutions/key-management/enterprise-disaster-recovery" description="Import and recover wallets with end-to-end encryption, quorum-controlled access, and a cryptographic audit trail for treasury recovery, provider migration, and failover." />
</div>

## Ready to build?

* [Policy Quickstart](/features/policies/quickstart) -- define access controls and approval requirements
* [SDK Reference](/sdks/introduction) -- server SDKs for TypeScript, Go, Ruby, Python, and Rust
