YubiKey & FIDO2 Management for AD / Entra Environments
Kleidia is a self-hosted YubiKey & FIDO2 management platform designed specifically for European enterprises and government organizations. It runs in your own infrastructure (on-prem or your cloud) and integrates with AD / Entra ID and OIDC.
Unlike cloud-based alternatives, Kleidia deploys entirely within your infrastructure, giving you complete control over your security data. No vendor lock-in, no data sharing with third parties, and full compliance with European data protection regulations.
Built For
- European government agencies
- Critical infrastructure & utilities
- Regulated enterprises (finance, telco, healthcare)
Key Benefits
- Runs in your own infrastructure - On-prem or your cloud, no SaaS dependency
- FIDO2 & WebAuthn support - Modern passwordless authentication
- AD / Entra / OIDC integration - Connects to your existing identity infrastructure
- Flat annual pricing - €19,000/year, unlimited users
- NIS2-ready - Helps meet compliance requirements
- Air-Gap Deployable - Highly available Kubernetes architecture
Managing YubiKeys Shouldn't Require a Help Desk
Organizations managing hardware security keys face significant operational challenges that drain IT resources and frustrate users.
Kleidia standardises workflows for PIN resets, certificate issuance, lost keys and decommissioning, so your helpdesk isn't writing custom scripts.
Common YubiKey Management Challenges
- Hundreds of support tickets per year - PIN resets alone generate massive IT overhead, overwhelming helpdesk teams and frustrating users who need immediate access
- Manual certificate enrollment - Each device requires hours of manual certificate enrollment. Complex PIV operations create a fragile patchwork of scripting
- Lost YubiKeys create IT bottlenecks - Every lost YubiKey becomes an IT emergency. Without self-service capabilities, your IT department becomes the bottleneck for business continuity
- No audit trail for compliance - Manual processes provide no audit trail for regulatory compliance. Meeting NIS2, ISO 27001 and other standards becomes impossible without comprehensive logging
- Complex enterprise integration - Integrating YubiKeys with AD/Entra, certificate authorities, OIDC apps, and enterprise systems requires extensive custom development
Kleidia solves these challenges with automated self-service, centralized management, and complete audit trails.
Meeting Enterprise & Regulatory Demands
Focused on European public sector, critical infrastructure, and other NIS2-in-scope organizations.
Kleidia helps you meet NIS2 and ISO 27001 requirements around strong authentication, key management, and logging. Final compliance always depends on your overall security program and policies.
Compliance Features
- NIS2-ready for critical infrastructure
- GDPR-compliant YubiKey management with data sovereignty
- ISO 27001 compatible security controls
- Complete audit trails for regulatory reporting
- Hardware-based multi-factor authentication
- Phishing-resistant FIDO2/WebAuthn support
- Comprehensive logging for compliance audits
- Data residency within your infrastructure
Government and Enterprise YubiKey Management
Trusted by government agencies and enterprises across Europe, Kleidia is the leading government YubiKey management solution. Our enterprise YubiKey solution eliminates the operational complexity of managing hardware security keys at scale.
Enterprise Features
End-User Self-Service
Users can safely reset PINs and manage certificates without opening tickets. Eliminate IT overhead and deployment delays.
Enterprise-Ready Security
Hardware-backed keys, tightly integrated with your existing PKI. OpenBao-backed certificate issuance, no plaintext secrets at rest, and a complete audit trail for every operation.
Modern Tech Stack
Built with Go, Vue.js 3, PostgreSQL, OpenBao, and Kubernetes for easy self-hosting, upgrades and observability.
Device Lifecycle Management
Auto-detection, PIN/PUK management, FIDO2 & WebAuthn, authentication certificates, code signing certificates - complete lifecycle coverage.
Scalability & Performance
Support thousands of YubiKeys with low-latency API and highly available architecture.
IT Operations Friendly
REST API, auto TLS, Helm chart deployment, air-gap deployable, comprehensive documentation.
PIV Card Lifecycle Management
Complete PIV card lifecycle management from registration to certificate operations and secure deletion. Manage PIV certificates, PIN/PUK codes, and cryptographic operations with enterprise-grade security.
- Automated device detection and registration
- PIN and PUK management with self-service reset
- PIV certificate enrollment and renewal
- Authentication certificate management
- Digital signing certificate provisioning
- Integration with enterprise identity stores
- Secure device decommissioning and revocation
Transparent, Fixed Pricing
€19,000/year
Simple, predictable YubiKey management under 20k euro annually. Our transparent flat-rate pricing model includes everything you need:
- No user-based licensing fees - Unlimited users at one fixed price
- Fixed annual cost - Predictable budget planning regardless of user count
- Complete platform access - All features included, no tiers
- Support during EU business hours - Included in the price
- Simplified EU procurement - Fixed pricing eliminates complex negotiations
- No hidden costs - No per-seat charges, no surprise fees
Professional services and implementation projects quoted separately. Managed appliance option available for customers who prefer a fully managed Kleidia deployment.
Why We Rejected User-Based Licensing
Our founders experienced the frustration of unpredictable user-based licensing costs. Kleidia was created specifically to offer simplified procurement YubiKey solutions with transparent, flat-rate pricing that respects enterprise budget planning.
Simplified Procurement Under EU Regulations
Fixed annual pricing means one line item in your tender instead of per-user estimates, change orders and 'true-ups'.
- Simplified budget approval process
- Faster procurement cycles
- Clear total cost of ownership
- No forced auto-renewal, no per-user audits
Licence terms designed to fit standard EU public-sector contracts.
Self-Hosted Alternative to PointSharp
Looking for a self-hosted alternative to PointSharp? Kleidia provides full data sovereignty and control with deployment in your own infrastructure. No vendor lock-in, no data sharing with third parties.
- Deploy on your own infrastructure
- Full data sovereignty and control
- Air-gap deployment support for high-security environments
- EU-based development team
- Complete control over security policies
- No cloud dependencies
Kubernetes YubiKey Management
Modern Kubernetes YubiKey management built with cloud-native architecture. Deploy with Helm charts on any Kubernetes cluster.
- Kubernetes-native architecture
- Helm chart deployment
- Horizontal scaling support
- High availability configuration
- Automated SSL/TLS certificate management
- Support for air-gapped environments
- Container-based deployment
How It Fits Your Stack
Kleidia uses a simplified architecture with local agents. It connects to AD / Entra ID via OIDC, uses OpenBao as an intermediate CA under your existing PKI, and manages YubiKeys and FIDO2 authenticators on user workstations.
User Workstation Components
- Browser - HTTPS with JWT authentication
- HTTP Agent - RSA-OAEP encryption for secure communication
- ykman (CLI) - YubiKey Manager for device operations
- YubiKey - USB hardware security device
Backend Server Components
- Nuxt (Vue.js) Frontend - Modern, clean user interface
- Go/Gin API - High-performance backend
- PostgreSQL - Enterprise-grade database
- OpenBao Vault - Secrets and certificate management
Security Architecture
- End-to-end encryption between browser and server
- RSA-OAEP with 4096-bit keys
- Zero plaintext transmission
- Session-bound security tokens
- Complete audit logging
Data Sovereignty and EU Development
Complete control over your data and security with EU-based development. Kleidia provides the sovereignty European organizations require:
- EU-based development team - Built in Europe for European requirements
- Deploy in your own data centers - Full control over data location
- Full GDPR compliance - Data protection by design
- No data transmission to third parties - Your data stays yours
- Meets EU digital sovereignty requirements - No foreign jurisdiction concerns
- Simplified tender process - EU procurement regulations friendly
Made in EU 🇪🇺
YubiKey Management Software for All Scales
Whether you're managing 50 or 5,000 YubiKeys, our YubiKey management software scales with your needs. From small government agencies to large enterprise deployments, Kleidia delivers reliable hardware MFA management.
Scalability Features
- Support for thousands of YubiKeys
- Low-latency API
- Highly available Kubernetes architecture
- Horizontal scaling with Kubernetes
- High availability deployment options