The PQC keygen (service/cmd/keygen/) is currently a standalone main package, separate from the opentdf cobra CLI. This means it's not included in the platform Docker image, and the quickstart docker-compose has to spin up a golang:1.25-alpine container, do a sparse git checkout, and go run the keygen — which is slow and creates version-mismatch risk.
Proposal: Move the keygen logic into a cobra subcommand on the existing opentdf binary, alongside start, provision, and migrate. For example:
opentdf keygen --output /keys
Benefits:
- The keygen is always the same version as the platform binary — no format mismatches
- The quickstart generate-pqc-keys service becomes a one-liner using the existing platform image (no Go toolchain, no git clone)
- Faster quickstart startup
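As an added sketch (not code from the opentdf repository) of what the subcommand body could look like: under cobra, a `keygen` cobra.Command's RunE would call runKeygen with the value of the --output flag. ed25519 stands in for the PQC algorithm, which the proposal does not name, and the file names private.pem / public.pem are assumptions. The function refuses to overwrite an existing key, so a restarted quickstart does not silently rotate the platform's keys, and writes the private key owner-only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// runKeygen is what `opentdf keygen --output DIR` would call from its RunE.
// ed25519 stands in for the PQC algorithm (assumption: the proposal does not
// name it). It returns the private and public key file paths it wrote.
func runKeygen(outputDir string) (string, string, error) {
	privPath := filepath.Join(outputDir, "private.pem") // assumed file name
	pubPath := filepath.Join(outputDir, "public.pem")   // assumed file name
	// A restarted quickstart must not silently rotate keys: refuse to overwrite.
	if _, err := os.Stat(privPath); err == nil {
		return "", "", fmt.Errorf("%s already exists; refusing to overwrite", privPath)
	}
	if err := os.MkdirAll(outputDir, 0o700); err != nil {
		return "", "", err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	// Private key is owner-only (0600); the public key may be world-readable.
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	if err := os.WriteFile(privPath, privPEM, 0o600); err != nil {
		return "", "", err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	if err := os.WriteFile(pubPath, pubPEM, 0o644); err != nil {
		return "", "", err
	}
	return privPath, pubPath, nil
}
```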