diff --git a/Knot.files b/Knot.files
index ee7f4e575a7e1b24fbabe24d85528a514de34b92..df7f8df43db7163a85f897bedef6ffee19e085c8 100644
--- a/Knot.files
+++ b/Knot.files
@@ -322,8 +322,6 @@ src/libknot/descriptor.c
 src/libknot/descriptor.h
 src/libknot/dname.c
 src/libknot/dname.h
-src/libknot/dnssec/key.c
-src/libknot/dnssec/key.h
 src/libknot/errcode.c
 src/libknot/errcode.h
 src/libknot/internal/array-sort.h
@@ -417,6 +415,8 @@ src/libknot/rrtype/tsig.c
 src/libknot/rrtype/tsig.h
 src/libknot/tsig-op.c
 src/libknot/tsig-op.h
+src/libknot/tsig.c
+src/libknot/tsig.h
 src/libknot/yparser/yparser.c
 src/libknot/yparser/yparser.h
 src/libknot/yparser/ypbody.c
@@ -439,6 +439,8 @@ src/utils/common/params.c
 src/utils/common/params.h
 src/utils/common/resolv.c
 src/utils/common/resolv.h
+src/utils/common/sign.c
+src/utils/common/sign.h
 src/utils/common/strtonum.h
 src/utils/common/token.c
 src/utils/common/token.h
@@ -512,6 +514,7 @@ tests/rrset.c
 tests/rrset_wire.c
 tests/server.c
 tests/test_conf.h
+tests/tsig_key.c
 tests/utils.c
 tests/wire.c
 tests/worker_pool.c
diff --git a/doc/man/kdig.1in b/doc/man/kdig.1in
index aa50803aaf0ae259b8be4c89f7d6ce3415bf1e2c..0f881c41fa5201cbcbdd4b7dd7ed235d9512ff1e 100644
--- a/doc/man/kdig.1in
+++ b/doc/man/kdig.1in
@@ -86,11 +86,9 @@ Enable debug messages.
 Print help and usage.
 .TP
 \fB\-k\fP \fIkeyfile\fP
-Use TSIG or SIG\-0 key stored in a file \fIkeyfile\fP to authenticate the request.
-Supported file format is the same as generated by ISC \fBdnssec\-keygen\fP\&.
-The key comprises of public (.key extension) and private part (.private
-extension). Either of these file names or a name without the extension can be
-specified as \fIkeyfile\fP parameter.
+Use TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file must contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
 .TP
 \fB\-p\fP \fIport\fP
 Set nameserver port number or service name to send a query to. The default
diff --git a/doc/man/knotc.8in b/doc/man/knotc.8in
index d87d44a5bf9850a55a8f639454fddebb9b5df087..c3e14a3a70f992c261e77d059c536a3f4a94d6f1 100644
--- a/doc/man/knotc.8in
+++ b/doc/man/knotc.8in
@@ -50,10 +50,12 @@ Remote UNIX socket/IP address (default is \fB@run_dir@/knot.sock\fP).
 Remote server port (only for IP).
 .TP
 \fB\-y\fP, \fB\-\-key\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
-Use key specified on the command line (default algorithm is hmac\-md5).
+Use TSIG key specified on the command line (default algorithm is hmac\-md5).
 .TP
 \fB\-k\fP, \fB\-\-keyfile\fP \fIfile\fP
-Use key file.
+Use TSIG key stored in a file \fIfile\fP to authenticate the request. The
+file must contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
 .TP
 \fB\-f\fP, \fB\-\-force\fP
 Force operation. Overrides some checks.
diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1in
index 7ee69786a09fa63780fe1628ab82a44eec2108d0..cad96b5e955a75252ca8de1bbf0299e1abc16151 100644
--- a/doc/man/knsupdate.1in
+++ b/doc/man/knsupdate.1in
@@ -52,11 +52,9 @@ Enable debug messages.
 Print help and usage.
 .TP
 \fB\-k\fP \fIkeyfile\fP
-Use TSIG or SIG\-0 key stored in a file \fIkeyfile\fP to authenticate the request.
-Supported file format is the same as generated by ISC \fBdnssec\-keygen\fP\&.
-The key comprises of public (.key extension) and private part (.private
-extension). Either of these file names or a name without the extension can be
-specified as \fIkeyfile\fP parameter.
+Use TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
 .TP
 \fB\-p\fP \fIport\fP
 Set the port to use for connections to the server (if not explicitly specified
diff --git a/src/utils/kdig/kdig_exec.c b/src/utils/kdig/kdig_exec.c
index 12ba04bdd3d9aa125f816f58f799cbb8179c32c4..749cc9d3a193ce57aa1505799124efce79649430 100644
--- a/src/utils/kdig/kdig_exec.c
+++ b/src/utils/kdig/kdig_exec.c
@@ -488,7 +488,7 @@ static int process_query_packet(const knot_pkt_t      *query,
                                 net_t                 *net,
                                 const query_t         *query_ctx,
                                 const bool            ignore_tc,
-				const sign_context_t  *sign_ctx,
+                                const sign_context_t  *sign_ctx,
                                 const style_t         *style)
 {
 	struct timeval	t_start, t_query, t_end;
diff --git a/src/utils/kdig/kdig_params.c b/src/utils/kdig/kdig_params.c
index 6a7182d9aae4d45c6c9a4e0bb4afa9da558f2dce..40bc150b06e36772a69afb35e71d53ff19782384 100644
--- a/src/utils/kdig/kdig_params.c
+++ b/src/utils/kdig/kdig_params.c
@@ -920,9 +920,11 @@ query_t* query_create(const char *owner, const query_t *conf)
 		query->dt_reader = conf->dt_reader;
 		query->dt_writer = conf->dt_writer;
 #endif // USE_DNSTAP
+
 		if (conf->tsig_key.name) {
-			int r = knot_tsig_key_copy(&query->tsig_key, &conf->tsig_key);
-			if (r != KNOT_EOK) {
+			int ret = knot_tsig_key_copy(&query->tsig_key,
+			                             &conf->tsig_key);
+			if (ret != KNOT_EOK) {
 				query_free(query);
 				return NULL;
 			}