Implementation Guide 
8 steps to success


Great that you picked Topicus KeyHub to securely manage access to containers, services and credentials. KeyHub aims for ease of use and easy implementation. For a security solution to work best, wide adoption in your organisation is crucial.

But what steps do you need to take to successfully implement KeyHub in your organisation? Which privileged accounts to tackle first? How to make it easy for your colleagues to get started? This guide gives you the 8 steps – based on our best practices – to implement KeyHub.

1. Install KeyHub

The steps to install KeyHub are described in our installation manual.

Be sure to save the Vault recovery key on two USB sticks and store them both in a safe place. Although this is pointed out in the manual, we feel like we can’t stress this enough.

2. Pick a first team

As with any change in an organisation, it is good to have ambassadors of this change. Keep that in mind when picking the first team to start using KeyHub. Secure the privileged accounts that this first team frequently uses and start from there. 

To get the team members going, supply them with the Quickstart Guide.

3. Create your first groups

Access is organised in groups. A KeyHub group represents for instance a team, a project, or a department. You can make this as granular as you need.

Create the first group(s) for your first team.

KeyHub implements the concept of decentralised authorisation. Decentralised authorisation means that the group’s managers grant access to the other group members.

Give administrative rights to the group’s managers and let them authorise access to the rest of the team.

4. Rolling out KeyHub in the organisation

There are two ways to roll out KeyHub in the organisation: a phased approach or a big bang. What’s best for your organisation depends on the size of your organisation and the number of critical systems that you’re using. Most often, large organisations use a phased approach (a few teams at a time).

Decide on your roll-out strategy and construct a timeline.

Thanks to the ease of use, the adoption of KeyHub spreads organically, especially within a department. Since KeyHub can easily work alongside existing systems, the roll-out can happen as quickly or as gradually as you’d like.

Make sure that starting to use KeyHub offers a clear benefit to your colleagues. For instance: configure your SSO applications to use KeyHub as their identity provider and add the applications to KeyHub’s Launchpad. This makes it easy for your colleagues to find and access those applications.

Post the Quickstart Guide and How-to videos of KeyHub on your intranet. Not only will this answer most ‘newbie’ questions, it also helps your colleagues to understand the benefits of using KeyHub to store and share credentials in their team. Posting the manual isn’t necessary since it’s already accessible from KeyHub’s menu, though you might want to post a direct link for ease of access.

5. Make all servers accessible via KeyHub

You probably created an inventory of all services before you started and prioritised them based on criticality and sensitivity.
If you haven’t, do it now!

Migrate all services to be managed by KeyHub, in order of priority. In many cases, it’s straightforward. If you need help, don’t hesitate to contact us!

6. Train your auditors and security managers

A group’s managers are in charge of managing access rights and are notified to check these access rights on a regular basis. KeyHub comes with an auditor dashboard to monitor this review process.
Train auditors and security managers by showing them the auditor dashboard and the audit log that contains all security events.

7. Clean up!

Now that all access is managed by KeyHub, it’s time to clean up all the ‘old ways’ of storing credentials.
Get rid of everything that was used before to store and share credentials, including Excel sheets, Google Docs, intranet pages, sticky notes, passwords on whiteboards, passwords written on the bottom of desks, passwords written down in notebooks, etc.

To speed things up: change all passwords now that all access is managed by KeyHub.

Don’t forget to delete all accounts that were created on servers in the past. Take special notice of local accounts on servers. This is a great time to destroy them. Thanks to KeyHub’s ease of use, it is easier to gain access through KeyHub than to get to a local account.

8. Enjoy

Now that gaining and sharing access is easy and secure, use KeyHub to its full potential.

Integrate KeyHub in your CI/CD pipelines with the RESTful API or CLI.
Use webhooks to push important events to Slack or another team messaging application.
Distribute your internal CA certificate to all employees at once by sharing the vault record read-only.


Congratulations! You’ve successfully secured your infrastructure and made life easier for your colleagues. Want to share your KeyHub story? Drop us a line!