MCP server and privacy-focused web client for Keylime remote attestation.
- Running Keylime Verifier and Registrar
- Keylime agents to monitor
- Network access to Keylime API endpoints
- MCP client (Claude Code, Claude Desktop, Cline, etc.)
Build the server:
make build-serverClaude Code:
claude mcp add keylime --scope user /full/path/to/keylime-mcp/bin/serverClaude Desktop and other config-file based MCP clients (~/.config/Claude/claude_desktop_config.json):
{
"mcpServers": {
"keylime": {
"command": "/full/path/to/keylime-mcp/bin/server",
"env": {
"KEYLIME_CERT_DIR": "/full/path/to/keylime/certs/dir"
}
}
}
}The env block is optional — the server defaults to /var/lib/keylime/cv_ca. Certs need read permissions (run make setup-certs).
make runAccess at http://localhost:3000
Copy .env.example to .env and adjust:
| Variable | Default | Description |
|---|---|---|
KEYLIME_VERIFIER_URL |
https://localhost:8881 |
Verifier API endpoint |
KEYLIME_REGISTRAR_URL |
https://localhost:8891 |
Registrar API endpoint |
KEYLIME_API_VERSION |
v2.5 |
Keylime REST API version |
KEYLIME_CERT_DIR |
/var/lib/keylime/cv_ca |
mTLS certificate directory |
KEYLIME_TLS_ENABLED |
true |
Enable mTLS for Keylime communication |
KEYLIME_TLS_SERVER_NAME |
localhost |
Expected server name in Keylime certificate SAN |
ANTHROPIC_API_KEY |
-- | Required for Claude provider |
OLLAMA_URL |
http://localhost:11434 |
Ollama API endpoint (for local LLM) |
OLLAMA_MODEL |
-- | Ollama model name (e.g., qwen2.5) |
MASKING_ENABLED |
true |
Mask sensitive data before sending to LLM |
PORT |
3000 |
Web UI port |
Control over the project is managed by a Makefile. Since this project works as a local controller, the Makefile handles these tasks perfectly and allows the user to manage the whole system with the following commands:
| Command | Description |
|---|---|
make install |
Should be run on first setup. Runs setup-certs, check-deps, creates .env from .env.example, and builds everything |
make build-server |
Compiles only the MCP server binary |
make build |
Compiles the whole project (client and server) |
make run |
Compiles and runs the whole project |
make start |
Runs the project without compiling (uses pre-built binaries) |
make setup-certs |
Grants read access to Keylime certificates and persists across reboots via a systemd service |
make setup-certs-session |
Same but only for the current session (does not survive reboot) |
make check-deps |
Checks all dependencies for running the project |
make clean |
Removes compiled binaries and the systemd service created by setup-certs |
make test |
Runs unit tests |
make test-race |
Runs unit tests with the -race flag (detects data races) |
make test-e2e |
Submits end-to-end tests to Testing Farm. Requires Red Hat VPN access |
make test # run unit tests
make test-race # run with race detectorE2E tests run on Testing Farm against a real Keylime deployment with emulated TPM. Triggered automatically on PRs via Packit.
make test-e2e # requires Testing Farm API token + Red Hat VPNTMT plans in e2e/plans/: keylime-mcp-server, keylime-mcp-client, keylime-mcp-main.
Contributions welcome.
Apache-2.0