What is Kleidia?
Kleidia is a self-hosted YubiKey & FIDO2 management platform designed specifically for European enterprises and government organizations. It runs in your own infrastructure (on-prem or your cloud) and integrates with AD / Entra ID and OIDC apps.
The name "Kleidia" comes from the Greek word for "keys" (κλειδιά), reflecting our focus on managing hardware security keys securely and efficiently.
Built For
- European government agencies
- Critical infrastructure & utilities
- Regulated enterprises (finance, telco, healthcare)
Core Capabilities
- End-User Self-Service - Users can safely reset PINs and manage certificates without opening tickets
- FIDO2 & WebAuthn - Full support for modern passwordless authentication
- Certificate Management - Automated PIV certificate enrollment and renewal
- AD / Entra / OIDC Integration - Connects to your existing identity infrastructure
- Complete Audit Trail - Every device operation is logged for compliance
- Device Lifecycle - From registration to decommissioning
Why We Built Kleidia
Kleidia was founded by security professionals who experienced firsthand the frustration of managing YubiKeys at enterprise scale. The existing solutions shared common problems:
- User-based licensing - Costs that grow unpredictably with your organization
- Cloud dependencies - Your security data stored on third-party infrastructure
- Complex procurement - Difficult to budget and procure under EU regulations
- IT bottlenecks - Every PIN reset or lost key required helpdesk intervention
We built Kleidia to solve these problems with a fundamentally different approach: transparent flat-rate pricing, complete self-hosting, and end-user self-service.
Pricing Philosophy
Transparent, Fixed Pricing
No user-based licensing. Unlimited users. Support during EU business hours included.
We rejected the industry standard of per-user licensing because:
- It makes costs unpredictable as organizations grow
- It complicates EU procurement and budgeting
- It often leads to underdeployment of security tools
- It creates perverse incentives against security adoption
With Kleidia's flat-rate model, you pay one price regardless of whether you have 100 or 10,000 users. Fixed annual pricing means one line item in your tender instead of per-user estimates, change orders and 'true-ups'.
Professional services and implementation projects are quoted separately. A managed appliance option is available for customers who prefer a fully managed Kleidia deployment.
Licence terms are designed to fit standard EU public-sector contracts (no forced auto-renewal, no per-user audits).
Technical Architecture
Kleidia is built with a modern, enterprise-grade technology stack:
- Backend - Go with Gin framework for high-performance API handling
- Frontend - Nuxt (Vue.js 3) with modern, responsive interface
- Database - PostgreSQL for enterprise-grade data storage
- Secrets Management - OpenBao Vault for secure certificate and key storage
- Deployment - Kubernetes-native with Helm charts
- Security - RSA-OAEP encryption with 4096-bit keys
How It Fits Your Stack
- Connects to AD / Entra ID via OIDC
- Uses OpenBao as intermediate CA under your existing PKI
- Manages YubiKeys & FIDO2 authenticators on workstations
Architecture Highlights
- End-to-end encryption between browser and server
- Local agents with no backend access requirements
- Air-gap deployable for high-security environments
- Horizontal scaling to support thousands of devices
- Highly available Kubernetes architecture
Compliance & Certifications
Focused on European public sector, critical infrastructure, and other NIS2-in-scope organizations.
Kleidia helps you meet NIS2 and ISO 27001 requirements around strong authentication, key management, and logging. Final compliance always depends on your overall security program and policies.
NIS2 Ready | GDPR | ISO 27001 | FIDO2/WebAuthn
- NIS2 Ready - Helps meet NIS2 Directive requirements including hardware MFA and audit trails
- GDPR - Data sovereignty with self-hosted deployment, no data leaves your infrastructure
- ISO 27001 - Compatible with ISO 27001 security controls
- Complete Audit Logging - Every operation logged for compliance audits
Data Sovereignty
Unlike cloud-based alternatives, Kleidia deploys entirely within your infrastructure:
- EU-based development - Built by a European team for European requirements
- Self-hosted - Deploy on your own servers or private cloud
- No external dependencies - Works in air-gapped environments
- Your data stays yours - No data sharing with third parties
- Full control - You control security policies and data retention
Target Users
Kleidia is designed for organizations that:
- Manage YubiKeys or other hardware security keys at scale
- Require NIS2, GDPR, or ISO 27001 compliance
- Need complete data sovereignty (government, critical infrastructure)
- Want predictable, transparent pricing
- Prefer self-hosted solutions over cloud dependencies
- Need to simplify procurement under EU regulations
Typical Deployments
- Government agencies and public sector organizations
- Critical infrastructure operators (NIS2 scope)
- Financial institutions
- Healthcare organizations
- Enterprise IT departments
- Defense contractors
Resources
- Kleidia Website - Main product website
- Documentation - Technical documentation and guides
- Pricing - Detailed pricing information
- Features - Complete feature overview
Frequently Asked Questions
What is Kleidia?
Kleidia is a self-hosted YubiKey & FIDO2 management platform for AD / Entra environments that enables organizations to manage hardware security keys from registration to decommissioning, with end-user self-service and complete audit trails.
How much does Kleidia cost?
Kleidia uses transparent flat-rate pricing at €19,000 per year. This includes unlimited users and support during EU business hours. Professional services are quoted separately. There are no per-user or per-device fees.
Is Kleidia NIS2 compliant?
Kleidia helps you meet NIS2 and ISO 27001 requirements around strong authentication, key management, and logging. Final compliance always depends on your overall security program and policies.
Can Kleidia be deployed in air-gapped environments?
Yes. Kleidia's Kubernetes-native architecture supports air-gap deployment for high-security environments with no external network dependencies.
What YubiKey models does Kleidia support?
Kleidia supports all YubiKey models with PIV (Personal Identity Verification) capability and FIDO2, including YubiKey 5 series devices.
Where is Kleidia developed?
Kleidia is developed in the European Union by a European team, ensuring alignment with EU data protection requirements and digital sovereignty principles.
Is there a managed option?
Yes. A managed appliance option is available for customers who prefer a fully managed Kleidia deployment.