Document dendrite server key format (#1520)

Co-authored-by: Kegsay <kegan@matrix.org>

2 files changed, 33 insertions, 0 deletions

diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index f804193c..1cecd047 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -129,6 +129,10 @@ for federation and the server signing key:
 ./bin/generate-keys --private-key matrix_key.pem --tls-cert server.crt --tls-key server.key
 ```
 
+If you have server keys from an older synapse instance, 
+[convert them](serverkeyformat.md#converting-synapse-keys) to Dendrite's PEM 
+format and configure them as `old_private_keys` in your config.
+
 ### Configuration file
 
 Create config file, based on `dendrite-config.yaml`. Call it `dendrite.yaml`. Things that will need editing include *at least*:
diff --git a/docs/serverkeyformat.md b/docs/serverkeyformat.md
new file mode 100644
index 00000000..feda9345
--- /dev/null
+++ b/docs/serverkeyformat.md
@@ -0,0 +1,29 @@
+# Server Key Format
+
+Dendrite stores the server signing key in the PEM format with the following structure.
+
+```
+-----BEGIN MATRIX PRIVATE KEY-----
+Key-ID: ed25519:<Key Handle>
+
+<Base64 Encoded Key Data>
+-----END MATRIX PRIVATE KEY-----
+```
+
+## Converting Synapse Keys
+
+If you have signing keys from a previous synapse server, you should ideally configure them as `old_private_keys` in your Dendrite config file. Synapse stores signing keys in the following format.
+
+```
+ed25519 <Key Handle> <Base64 Encoded Key Data>
+```
+
+To convert this key to Dendrite's PEM format, use the following template. **It is important to include the equals sign, as the key data needs to be padded to 32 bytes.**
+
+```
+-----BEGIN MATRIX PRIVATE KEY-----
+Key-ID: ed25519:<Key Handle>
+
+<Base64 Encoded Key Data>=
+-----END MATRIX PRIVATE KEY-----
+```
\ No newline at end of file