diff --git a/data/types.go b/data/types.go
index f94c4f551..4fd4fda8e 100644
--- a/data/types.go
+++ b/data/types.go
@@ -4,12 +4,16 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"sync"
 	"time"
 
-	"github.com/tent/canonical-json-go"
+	cjson "github.com/tent/canonical-json-go"
 )
 
-const KeyIDLength = sha256.Size * 2
+const (
+	KeyIDLength    = sha256.Size * 2
+	KeyTypeEd25519 = "ed25519"
+)
 
 type Signed struct {
 	Signed     json.RawMessage `json:"signed"`
@@ -25,21 +29,22 @@ type Signature struct {
 type Key struct {
 	Type  string   `json:"keytype"`
 	Value KeyValue `json:"keyval"`
+
+	id     string
+	idOnce sync.Once
 }
 
 func (k *Key) ID() string {
-	// create a copy so the private key is not included
-	data, _ := cjson.Marshal(&Key{
-		Type:  k.Type,
-		Value: KeyValue{Public: k.Value.Public},
+	k.idOnce.Do(func() {
+		data, _ := cjson.Marshal(k)
+		digest := sha256.Sum256(data)
+		k.id = hex.EncodeToString(digest[:])
 	})
-	digest := sha256.Sum256(data)
-	return hex.EncodeToString(digest[:])
+	return k.id
 }
 
 type KeyValue struct {
-	Public  HexBytes `json:"public"`
-	Private HexBytes `json:"private,omitempty"`
+	Public HexBytes `json:"public"`
 }
 
 func DefaultExpires(role string) time.Time {
diff --git a/keys/db.go b/keys/db.go
index 13964dd08..09b16f398 100644
--- a/keys/db.go
+++ b/keys/db.go
@@ -1,7 +1,7 @@
+// Package keys implements an in-memory public key database for TUF.
 package keys
 
 import (
-	"crypto/rand"
 	"errors"
 
 	"github.com/flynn/go-tuf/data"
@@ -18,42 +18,19 @@ var (
 	ErrInvalidThreshold = errors.New("tuf: invalid role threshold")
 )
 
-func NewKey() (*Key, error) {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-	k := &Key{
-		Public:  *pub,
-		Private: priv,
-	}
-	k.ID = k.Serialize().ID()
-	return k, nil
-}
-
 type Key struct {
-	ID      string
-	Public  [ed25519.PublicKeySize]byte
-	Private *[ed25519.PrivateKeySize]byte
+	ID     string
+	Type   string
+	Public []byte
 }
 
 func (k *Key) Serialize() *data.Key {
 	return &data.Key{
-		Type:  "ed25519",
+		Type:  k.Type,
 		Value: data.KeyValue{Public: k.Public[:]},
 	}
 }
 
-func (k *Key) SerializePrivate() *data.Key {
-	return &data.Key{
-		Type: "ed25519",
-		Value: data.KeyValue{
-			Public:  k.Public[:],
-			Private: k.Private[:],
-		},
-	}
-}
-
 type Role struct {
 	KeyIDs    map[string]struct{}
 	Threshold int
@@ -77,8 +54,8 @@ func NewDB() *DB {
 }
 
 func (db *DB) AddKey(id string, k *data.Key) error {
-	if k.Type != "ed25519" {
-		return ErrWrongType
+	if k.Type != data.KeyTypeEd25519 {
+		return nil
 	}
 	if id != k.ID() {
 		return ErrWrongID
@@ -87,10 +64,12 @@ func (db *DB) AddKey(id string, k *data.Key) error {
 		return ErrInvalidKey
 	}
 
-	var key Key
-	copy(key.Public[:], k.Value.Public)
-	key.ID = id
-	db.keys[id] = &key
+	db.keys[id] = &Key{
+		ID:     k.ID(),
+		Type:   k.Type,
+		Public: k.Value.Public,
+	}
+
 	return nil
 }
 
diff --git a/local_store.go b/local_store.go
index c151ef3dc..8b50095ef 100644
--- a/local_store.go
+++ b/local_store.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/flynn/go-tuf/data"
 	"github.com/flynn/go-tuf/encrypted"
+	"github.com/flynn/go-tuf/signed"
 	"github.com/flynn/go-tuf/util"
 )
 
@@ -19,16 +20,16 @@ func MemoryStore(meta map[string]json.RawMessage, files map[string][]byte) Local
 		meta = make(map[string]json.RawMessage)
 	}
 	return &memoryStore{
-		meta:  meta,
-		files: files,
-		keys:  make(map[string][]*data.Key),
+		meta:    meta,
+		files:   files,
+		signers: make(map[string][]signed.Signer),
 	}
 }
 
 type memoryStore struct {
-	meta  map[string]json.RawMessage
-	files map[string][]byte
-	keys  map[string][]*data.Key
+	meta    map[string]json.RawMessage
+	files   map[string][]byte
+	signers map[string][]signed.Signer
 }
 
 func (m *memoryStore) GetMeta() (map[string]json.RawMessage, error) {
@@ -66,15 +67,15 @@ func (m *memoryStore) Commit(map[string]json.RawMessage, bool, map[string]data.H
 	return nil
 }
 
-func (m *memoryStore) GetKeys(role string) ([]*data.Key, error) {
-	return m.keys[role], nil
+func (m *memoryStore) GetSigningKeys(role string) ([]signed.Signer, error) {
+	return m.signers[role], nil
 }
 
-func (m *memoryStore) SaveKey(role string, key *data.Key) error {
-	if _, ok := m.keys[role]; !ok {
-		m.keys[role] = make([]*data.Key, 0)
+func (m *memoryStore) SavePrivateKey(role string, key *signed.PrivateKey) error {
+	if _, ok := m.signers[role]; !ok {
+		m.signers[role] = make([]signed.Signer, 0)
 	}
-	m.keys[role] = append(m.keys[role], key)
+	m.signers[role] = append(m.signers[role], key.Signer())
 	return nil
 }
 
@@ -91,7 +92,7 @@ func FileSystemStore(dir string, p util.PassphraseFunc) LocalStore {
 	return &fileSystemStore{
 		dir:            dir,
 		passphraseFunc: p,
-		keys:           make(map[string][]*data.Key),
+		signers:        make(map[string][]signed.Signer),
 	}
 }
 
@@ -99,8 +100,8 @@ type fileSystemStore struct {
 	dir            string
 	passphraseFunc util.PassphraseFunc
 
-	// keys is a cache of persisted keys to avoid decrypting multiple times
-	keys map[string][]*data.Key
+	// signers is a cache of persisted keys to avoid decrypting multiple times
+	signers map[string][]signed.Signer
 }
 
 func (f *fileSystemStore) repoDir() string {
@@ -297,8 +298,8 @@ func (f *fileSystemStore) Commit(meta map[string]json.RawMessage, consistentSnap
 	return f.Clean()
 }
 
-func (f *fileSystemStore) GetKeys(role string) ([]*data.Key, error) {
-	if keys, ok := f.keys[role]; ok {
+func (f *fileSystemStore) GetSigningKeys(role string) ([]signed.Signer, error) {
+	if keys, ok := f.signers[role]; ok {
 		return keys, nil
 	}
 	keys, _, err := f.loadKeys(role)
@@ -308,10 +309,11 @@ func (f *fileSystemStore) GetKeys(role string) ([]*data.Key, error) {
 		}
 		return nil, err
 	}
-	return keys, nil
+	f.signers[role] = f.privateKeySigners(keys)
+	return f.signers[role], nil
 }
 
-func (f *fileSystemStore) SaveKey(role string, key *data.Key) error {
+func (f *fileSystemStore) SavePrivateKey(role string, key *signed.PrivateKey) error {
 	if err := f.createDirs(); err != nil {
 		return err
 	}
@@ -354,13 +356,21 @@ func (f *fileSystemStore) SaveKey(role string, key *data.Key) error {
 	if err := ioutil.WriteFile(f.keysPath(role), append(data, '\n'), 0600); err != nil {
 		return err
 	}
-	f.keys[role] = keys
+	f.signers[role] = f.privateKeySigners(keys)
 	return nil
 }
 
+func (f *fileSystemStore) privateKeySigners(keys []*signed.PrivateKey) []signed.Signer {
+	res := make([]signed.Signer, len(keys))
+	for i, k := range keys {
+		res[i] = k.Signer()
+	}
+	return res
+}
+
 // loadKeys loads keys for the given role and returns them along with the
 // passphrase (if read) so that callers don't need to re-read it.
-func (f *fileSystemStore) loadKeys(role string) ([]*data.Key, []byte, error) {
+func (f *fileSystemStore) loadKeys(role string) ([]*signed.PrivateKey, []byte, error) {
 	file, err := os.Open(f.keysPath(role))
 	if err != nil {
 		return nil, nil, err
@@ -372,7 +382,7 @@ func (f *fileSystemStore) loadKeys(role string) ([]*data.Key, []byte, error) {
 		return nil, nil, err
 	}
 
-	var keys []*data.Key
+	var keys []*signed.PrivateKey
 	if !pk.Encrypted {
 		if err := json.Unmarshal(pk.Data, &keys); err != nil {
 			return nil, nil, err
diff --git a/repo.go b/repo.go
index 147eda127..aad9b028b 100644
--- a/repo.go
+++ b/repo.go
@@ -47,8 +47,8 @@ type LocalStore interface {
 	WalkStagedTargets(paths []string, targetsFn targetsWalkFunc) error
 
 	Commit(map[string]json.RawMessage, bool, map[string]data.Hashes) error
-	GetKeys(string) ([]*data.Key, error)
-	SaveKey(string, *data.Key) error
+	GetSigningKeys(string) ([]signed.Signer, error)
+	SavePrivateKey(string, *signed.PrivateKey) error
 	Clean() error
 }
 
@@ -183,26 +183,27 @@ func (r *Repo) GenKeyWithExpires(keyRole string, expires time.Time) (string, err
 		return "", err
 	}
 
-	key, err := keys.NewKey()
+	key, err := signed.GenerateEd25519Key()
 	if err != nil {
 		return "", err
 	}
-	if err := r.local.SaveKey(keyRole, key.SerializePrivate()); err != nil {
+	if err := r.local.SavePrivateKey(keyRole, key); err != nil {
 		return "", err
 	}
+	pk := key.PublicData()
 
 	role, ok := root.Roles[keyRole]
 	if !ok {
 		role = &data.Role{KeyIDs: []string{}, Threshold: 1}
 		root.Roles[keyRole] = role
 	}
-	role.KeyIDs = append(role.KeyIDs, key.ID)
+	role.KeyIDs = append(role.KeyIDs, pk.ID())
 
-	root.Keys[key.ID] = key.Serialize()
+	root.Keys[pk.ID()] = pk
 	root.Expires = expires.Round(time.Second)
 	root.Version++
 
-	return key.ID, r.setMeta("root.json", root)
+	return pk.ID(), r.setMeta("root.json", root)
 }
 
 func validExpires(expires time.Time) bool {
@@ -277,7 +278,7 @@ func (r *Repo) RevokeKeyWithExpires(keyRole, id string, expires time.Time) error
 }
 
 func (r *Repo) setMeta(name string, meta interface{}) error {
-	keys, err := r.getKeys(strings.TrimSuffix(name, ".json"))
+	keys, err := r.getSigningKeys(strings.TrimSuffix(name, ".json"))
 	if err != nil {
 		return err
 	}
@@ -304,7 +305,7 @@ func (r *Repo) Sign(name string) error {
 		return err
 	}
 
-	keys, err := r.getKeys(role)
+	keys, err := r.getSigningKeys(role)
 	if err != nil {
 		return err
 	}
@@ -323,19 +324,19 @@ func (r *Repo) Sign(name string) error {
 	return r.local.SetMeta(name, b)
 }
 
-// getKeys returns signing keys from local storage.
+// getSigningKeys returns available signing keys.
 //
 // Only keys contained in the keys db are returned (i.e. local keys which have
 // been revoked are omitted), except for the root role in which case all local
 // keys are returned (revoked root keys still need to sign new root metadata so
 // clients can verify the new root.json and update their keys db accordingly).
-func (r *Repo) getKeys(name string) ([]*data.Key, error) {
-	localKeys, err := r.local.GetKeys(name)
+func (r *Repo) getSigningKeys(name string) ([]signed.Signer, error) {
+	signingKeys, err := r.local.GetSigningKeys(name)
 	if err != nil {
 		return nil, err
 	}
 	if name == "root" {
-		return localKeys, nil
+		return signingKeys, nil
 	}
 	db, err := r.db()
 	if err != nil {
@@ -348,8 +349,8 @@ func (r *Repo) getKeys(name string) ([]*data.Key, error) {
 	if len(role.KeyIDs) == 0 {
 		return nil, nil
 	}
-	keys := make([]*data.Key, 0, len(role.KeyIDs))
-	for _, key := range localKeys {
+	keys := make([]signed.Signer, 0, len(role.KeyIDs))
+	for _, key := range signingKeys {
 		if _, ok := role.KeyIDs[key.ID()]; ok {
 			keys = append(keys, key)
 		}
diff --git a/repo_test.go b/repo_test.go
index 9ddc4e93d..420b368d4 100644
--- a/repo_test.go
+++ b/repo_test.go
@@ -12,7 +12,6 @@ import (
 
 	"github.com/flynn/go-tuf/data"
 	"github.com/flynn/go-tuf/encrypted"
-	"github.com/flynn/go-tuf/keys"
 	"github.com/flynn/go-tuf/signed"
 	"github.com/flynn/go-tuf/util"
 	"golang.org/x/crypto/ed25519"
@@ -158,7 +157,6 @@ func (RepoSuite) TestGenKey(c *C) {
 	}
 	c.Assert(k.ID(), Equals, keyID)
 	c.Assert(k.Value.Public, HasLen, ed25519.PublicKeySize)
-	c.Assert(k.Value.Private, IsNil)
 
 	// check root key + role are in db
 	db, err := r.db()
@@ -170,7 +168,7 @@ func (RepoSuite) TestGenKey(c *C) {
 	c.Assert(role.KeyIDs, DeepEquals, map[string]struct{}{keyID: {}})
 
 	// check the key was saved correctly
-	localKeys, err := local.GetKeys("root")
+	localKeys, err := local.GetSigningKeys("root")
 	c.Assert(err, IsNil)
 	c.Assert(localKeys, HasLen, 1)
 	c.Assert(localKeys[0].ID(), Equals, keyID)
@@ -181,7 +179,6 @@ func (RepoSuite) TestGenKey(c *C) {
 	c.Assert(rootKeys, HasLen, 1)
 	c.Assert(rootKeys[0].ID(), Equals, rootKey.ID)
 	c.Assert(rootKeys[0].Value.Public, DeepEquals, rootKey.Serialize().Value.Public)
-	c.Assert(rootKeys[0].Value.Private, IsNil)
 
 	// generate two targets keys
 	genKey(c, r, "targets")
@@ -220,7 +217,7 @@ func (RepoSuite) TestGenKey(c *C) {
 	c.Assert(rootKeys[0].ID(), Equals, rootKey.ID)
 
 	// check the keys were saved correctly
-	localKeys, err = local.GetKeys("targets")
+	localKeys, err = local.GetSigningKeys("targets")
 	c.Assert(err, IsNil)
 	c.Assert(localKeys, HasLen, 2)
 	for _, key := range localKeys {
@@ -324,22 +321,22 @@ func (RepoSuite) TestSign(c *C) {
 	}
 
 	// signing with an available key generates a signature
-	key, err := keys.NewKey()
+	key, err := signed.GenerateEd25519Key()
 	c.Assert(err, IsNil)
-	c.Assert(local.SaveKey("root", key.SerializePrivate()), IsNil)
+	c.Assert(local.SavePrivateKey("root", key), IsNil)
 	c.Assert(r.Sign("root.json"), IsNil)
-	checkSigIDs(key.ID)
+	checkSigIDs(key.PublicData().ID())
 
 	// signing again does not generate a duplicate signature
 	c.Assert(r.Sign("root.json"), IsNil)
-	checkSigIDs(key.ID)
+	checkSigIDs(key.PublicData().ID())
 
 	// signing with a new available key generates another signature
-	newKey, err := keys.NewKey()
+	newKey, err := signed.GenerateEd25519Key()
 	c.Assert(err, IsNil)
-	c.Assert(local.SaveKey("root", newKey.SerializePrivate()), IsNil)
+	c.Assert(local.SavePrivateKey("root", newKey), IsNil)
 	c.Assert(r.Sign("root.json"), IsNil)
-	checkSigIDs(key.ID, newKey.ID)
+	checkSigIDs(key.PublicData().ID(), newKey.PublicData().ID())
 }
 
 func (RepoSuite) TestCommit(c *C) {
@@ -764,22 +761,13 @@ func (RepoSuite) TestKeyPersistence(c *C) {
 	passphrase := []byte("s3cr3t")
 	store := FileSystemStore(tmp.path, testPassphraseFunc(passphrase))
 
-	assertEqual := func(actual []*data.Key, expected []*keys.Key) {
-		c.Assert(actual, HasLen, len(expected))
-		for i, key := range expected {
-			c.Assert(actual[i].ID(), Equals, key.ID)
-			c.Assert(actual[i].Value.Public, DeepEquals, data.HexBytes(key.Public[:]))
-			c.Assert(actual[i].Value.Private, DeepEquals, data.HexBytes(key.Private[:]))
-		}
-	}
-
-	assertKeys := func(role string, enc bool, expected []*keys.Key) {
+	assertKeys := func(role string, enc bool, expected []*signed.PrivateKey) {
 		keysJSON := tmp.readFile("keys/" + role + ".json")
 		pk := &persistedKeys{}
 		c.Assert(json.Unmarshal(keysJSON, pk), IsNil)
 
 		// check the persisted keys are correct
-		var actual []*data.Key
+		var actual []*signed.PrivateKey
 		if enc {
 			c.Assert(pk.Encrypted, Equals, true)
 			decrypted, err := encrypted.Decrypt(pk.Data, passphrase)
@@ -789,37 +777,43 @@ func (RepoSuite) TestKeyPersistence(c *C) {
 			c.Assert(pk.Encrypted, Equals, false)
 			c.Assert(json.Unmarshal(pk.Data, &actual), IsNil)
 		}
-		assertEqual(actual, expected)
+		c.Assert(actual, HasLen, len(expected))
+		for i, key := range expected {
+			c.Assert(expected[i], DeepEquals, key)
+		}
 
 		// check GetKeys is correct
-		actual, err := store.GetKeys(role)
+		signers, err := store.GetSigningKeys(role)
 		c.Assert(err, IsNil)
-		assertEqual(actual, expected)
+		c.Assert(signers, HasLen, len(expected))
+		for i, s := range signers {
+			c.Assert(s.ID(), Equals, expected[i].PublicData().ID())
+		}
 	}
 
 	// save a key and check it gets encrypted
-	key, err := keys.NewKey()
+	key, err := signed.GenerateEd25519Key()
 	c.Assert(err, IsNil)
-	c.Assert(store.SaveKey("root", key.SerializePrivate()), IsNil)
-	assertKeys("root", true, []*keys.Key{key})
+	c.Assert(store.SavePrivateKey("root", key), IsNil)
+	assertKeys("root", true, []*signed.PrivateKey{key})
 
 	// save another key and check it gets added to the existing keys
-	newKey, err := keys.NewKey()
+	newKey, err := signed.GenerateEd25519Key()
 	c.Assert(err, IsNil)
-	c.Assert(store.SaveKey("root", newKey.SerializePrivate()), IsNil)
-	assertKeys("root", true, []*keys.Key{key, newKey})
+	c.Assert(store.SavePrivateKey("root", newKey), IsNil)
+	assertKeys("root", true, []*signed.PrivateKey{key, newKey})
 
 	// check saving a key to an encrypted file without a passphrase fails
 	insecureStore := FileSystemStore(tmp.path, nil)
-	key, err = keys.NewKey()
+	key, err = signed.GenerateEd25519Key()
 	c.Assert(err, IsNil)
-	c.Assert(insecureStore.SaveKey("root", key.SerializePrivate()), Equals, ErrPassphraseRequired{"root"})
+	c.Assert(insecureStore.SavePrivateKey("root", key), Equals, ErrPassphraseRequired{"root"})
 
 	// save a key to an insecure store and check it is not encrypted
-	key, err = keys.NewKey()
+	key, err = signed.GenerateEd25519Key()
 	c.Assert(err, IsNil)
-	c.Assert(insecureStore.SaveKey("targets", key.SerializePrivate()), IsNil)
-	assertKeys("targets", false, []*keys.Key{key})
+	c.Assert(insecureStore.SavePrivateKey("targets", key), IsNil)
+	assertKeys("targets", false, []*signed.PrivateKey{key})
 }
 
 func (RepoSuite) TestManageMultipleTargets(c *C) {
diff --git a/signed/keys.go b/signed/keys.go
new file mode 100644
index 000000000..7e4fd3a18
--- /dev/null
+++ b/signed/keys.go
@@ -0,0 +1,69 @@
+package signed
+
+import (
+	"crypto/rand"
+	"sync"
+
+	"github.com/flynn/go-tuf/data"
+	"golang.org/x/crypto/ed25519"
+)
+
+type PrivateKey struct {
+	Type  string          `json:"keytype"`
+	Value PrivateKeyValue `json:"keyval"`
+}
+
+type PrivateKeyValue struct {
+	Public  data.HexBytes `json:"public"`
+	Private data.HexBytes `json:"private"`
+}
+
+func (k *PrivateKey) PublicData() *data.Key {
+	return &data.Key{
+		Type:  k.Type,
+		Value: data.KeyValue{Public: k.Value.Public},
+	}
+}
+
+func (k *PrivateKey) Signer() Signer {
+	return &ed25519Signer{PrivateKey: ed25519.PrivateKey(k.Value.Private)}
+}
+
+func GenerateEd25519Key() (*PrivateKey, error) {
+	public, private, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return &PrivateKey{
+		Type: data.KeyTypeEd25519,
+		Value: PrivateKeyValue{
+			Public:  data.HexBytes(public),
+			Private: data.HexBytes(private),
+		},
+	}, nil
+}
+
+type ed25519Signer struct {
+	ed25519.PrivateKey
+
+	id     string
+	idOnce sync.Once
+}
+
+var _ Signer = &ed25519Signer{}
+
+func (s *ed25519Signer) ID() string {
+	s.idOnce.Do(func() { s.id = s.publicData().ID() })
+	return s.id
+}
+
+func (s *ed25519Signer) publicData() *data.Key {
+	return &data.Key{
+		Type:  data.KeyTypeEd25519,
+		Value: data.KeyValue{Public: []byte(s.PrivateKey.Public().(ed25519.PublicKey))},
+	}
+}
+
+func (s *ed25519Signer) Type() string {
+	return data.KeyTypeEd25519
+}
diff --git a/signed/sign.go b/signed/sign.go
index 1a89e40ab..41dd20b36 100644
--- a/signed/sign.go
+++ b/signed/sign.go
@@ -1,12 +1,27 @@
 package signed
 
 import (
-	"github.com/agl/ed25519"
+	"crypto"
+	"crypto/rand"
+
 	"github.com/flynn/go-tuf/data"
 	"github.com/tent/canonical-json-go"
 )
 
-func Sign(s *data.Signed, k *data.Key) {
+type Signer interface {
+	// ID returns the TUF key id
+	ID() string
+
+	// Type returns the TUF key type
+	Type() string
+
+	// Signer is used to sign messages and provides access to the public key.
+	// The signer is expected to do its own hashing, so the full message will be
+	// provided as the message to Sign with a zero opts.HashFunc().
+	crypto.Signer
+}
+
+func Sign(s *data.Signed, k Signer) error {
 	id := k.ID()
 	signatures := make([]data.Signature, 0, len(s.Signatures)+1)
 	for _, sig := range s.Signatures {
@@ -15,24 +30,32 @@ func Sign(s *data.Signed, k *data.Key) {
 		}
 		signatures = append(signatures, sig)
 	}
-	priv := [ed25519.PrivateKeySize]byte{}
-	copy(priv[:], k.Value.Private)
-	sig := ed25519.Sign(&priv, s.Signed)
+
+	sig, err := k.Sign(rand.Reader, s.Signed, crypto.Hash(0))
+	if err != nil {
+		return err
+	}
+
 	s.Signatures = append(signatures, data.Signature{
 		KeyID:     id,
-		Method:    "ed25519",
-		Signature: sig[:],
+		Method:    k.Type(),
+		Signature: sig,
 	})
+
+	return nil
 }
 
-func Marshal(v interface{}, keys ...*data.Key) (*data.Signed, error) {
+func Marshal(v interface{}, keys ...Signer) (*data.Signed, error) {
 	b, err := cjson.Marshal(v)
 	if err != nil {
 		return nil, err
 	}
 	s := &data.Signed{Signed: b}
 	for _, k := range keys {
-		Sign(s, k)
+		if err := Sign(s, k); err != nil {
+			return nil, err
+		}
+
 	}
 	return s, nil
 }
diff --git a/signed/verifiers.go b/signed/verifiers.go
index 54d9f3bc7..fc26669e0 100644
--- a/signed/verifiers.go
+++ b/signed/verifiers.go
@@ -1,6 +1,7 @@
 package signed
 
 import (
+	"github.com/flynn/go-tuf/data"
 	"golang.org/x/crypto/ed25519"
 )
 
@@ -13,9 +14,9 @@ type Verifier interface {
 	Verify(key, msg, sig []byte) error
 }
 
-// Verifiers is used to map algorithm names to Verifier instances.
+// Verifiers is used to map key types to Verifier instances.
 var Verifiers = map[string]Verifier{
-	"ed25519": Ed25519Verifier{},
+	data.KeyTypeEd25519: Ed25519Verifier{},
 }
 
 // RegisterVerifier provides a convenience function for init() functions
diff --git a/signed/verify_test.go b/signed/verify_test.go
index 47ec59ad8..58a00dd29 100644
--- a/signed/verify_test.go
+++ b/signed/verify_test.go
@@ -76,10 +76,10 @@ func (VerifySuite) Test(c *C) {
 		{
 			name: "more than enough signatures",
 			mut: func(t *test) {
-				k, _ := keys.NewKey()
-				Sign(t.s, k.SerializePrivate())
-				t.keys = append(t.keys, k.Serialize())
-				t.roles["root"].KeyIDs = append(t.roles["root"].KeyIDs, k.ID)
+				k, _ := GenerateEd25519Key()
+				Sign(t.s, k.Signer())
+				t.keys = append(t.keys, k.PublicData())
+				t.roles["root"].KeyIDs = append(t.roles["root"].KeyIDs, k.PublicData().ID())
 			},
 		},
 		{
@@ -93,15 +93,15 @@ func (VerifySuite) Test(c *C) {
 		{
 			name: "unknown key",
 			mut: func(t *test) {
-				k, _ := keys.NewKey()
-				Sign(t.s, k.Serialize())
+				k, _ := GenerateEd25519Key()
+				Sign(t.s, k.Signer())
 			},
 		},
 		{
 			name: "unknown key below threshold",
 			mut: func(t *test) {
-				k, _ := keys.NewKey()
-				Sign(t.s, k.Serialize())
+				k, _ := GenerateEd25519Key()
+				Sign(t.s, k.Signer())
 				t.roles["root"].Threshold = 2
 			},
 			err: ErrRoleThreshold,
@@ -109,17 +109,17 @@ func (VerifySuite) Test(c *C) {
 		{
 			name: "unknown keys in db",
 			mut: func(t *test) {
-				k, _ := keys.NewKey()
-				Sign(t.s, k.Serialize())
-				t.keys = append(t.keys, k.Serialize())
+				k, _ := GenerateEd25519Key()
+				Sign(t.s, k.Signer())
+				t.keys = append(t.keys, k.PublicData())
 			},
 		},
 		{
 			name: "unknown keys in db below threshold",
 			mut: func(t *test) {
-				k, _ := keys.NewKey()
-				Sign(t.s, k.Serialize())
-				t.keys = append(t.keys, k.Serialize())
+				k, _ := GenerateEd25519Key()
+				Sign(t.s, k.Signer())
+				t.keys = append(t.keys, k.PublicData())
 				t.roles["root"].Threshold = 2
 			},
 			err: ErrRoleThreshold,
@@ -155,9 +155,9 @@ func (VerifySuite) Test(c *C) {
 			t.typ = t.role
 		}
 		if t.keys == nil && t.s == nil {
-			k, _ := keys.NewKey()
-			t.s, _ = Marshal(&signedMeta{Type: t.typ, Version: t.ver, Expires: *t.exp}, k.SerializePrivate())
-			t.keys = []*data.Key{k.Serialize()}
+			k, _ := GenerateEd25519Key()
+			t.s, _ = Marshal(&signedMeta{Type: t.typ, Version: t.ver, Expires: *t.exp}, k.Signer())
+			t.keys = []*data.Key{k.PublicData()}
 		}
 		if t.roles == nil {
 			t.roles = map[string]*data.Role{