diff --git a/crypto/lux_key.go b/crypto/lux_key.go
index c155f0b..9b25c6c 100644
--- a/crypto/lux_key.go
+++ b/crypto/lux_key.go
@@ -3,6 +3,7 @@ package crypto
 import (
 	"crypto/rand"
 	"lux/proto"
+	"os"
 )
 
 type LuxKey struct {
@@ -14,15 +15,17 @@ type LuxKey struct {
 const LUX_KEY_AES_SIZE = 32
 const LUX_PROTO_KEY_SIZE = proto.LUX_PROTO_TYPE_SIZE + proto.LUX_PROTO_ID_SIZE + LUX_KEY_AES_SIZE
 
-func (key *LuxKey) NewLuxKey(keyType proto.LuxType) error {
-	key.Type = keyType
-	key.Id = proto.NewLuxID()
-	key.Key = make([]byte, 32)
+func NewLuxKey(keyType proto.LuxType) (LuxKey, error) {
+	key := LuxKey{
+		Type: keyType,
+		Id:   proto.NewLuxID(),
+		Key:  make([]byte, LUX_KEY_AES_SIZE),
+	}
 
 	if _, err := rand.Read(key.Key); err != nil {
-		return err
+		return key, err
 	} else {
-		return nil
+		return key, nil
 	}
 }
 
@@ -48,3 +51,65 @@ func (key *LuxKey) Write(wd *proto.LuxBuffer) {
 	key.Id.Write(wd)
 	wd.WriteBytes(key.Key)
 }
+
+const LUX_KEYSTORE_FILEMODE = os.FileMode(int(0600))
+
+type LuxKeyStore struct {
+	filePath string
+	keys     map[proto.LuxID]LuxKey
+}
+
+func NewLuxKeyStore(filePath string) LuxKeyStore {
+	return LuxKeyStore{
+		filePath: filePath,
+		keys:     make(map[proto.LuxID]LuxKey),
+	}
+}
+
+func (ks *LuxKeyStore) Load() error {
+	bytes, err := os.ReadFile(ks.filePath)
+	if err != nil {
+		return err
+	}
+
+	rd := proto.FromSlice(bytes)
+	keyNum := rd.Remaining() / LUX_PROTO_KEY_SIZE
+	for i := 0; i < keyNum; i++ {
+		var key LuxKey
+		if err := key.Read(rd); err != nil {
+			return err
+		}
+
+		// add new key
+		ks.keys[key.Id] = key
+	}
+
+	return nil
+}
+
+func (ks *LuxKeyStore) Save() error {
+	wd := proto.AllocLuxBuffer(len(ks.keys))
+	for _, key := range ks.keys {
+		key.Write(wd)
+	}
+
+	return os.WriteFile(ks.filePath, wd.AllBytes(), LUX_KEYSTORE_FILEMODE)
+}
+
+func (ks *LuxKeyStore) Get(id proto.LuxID) *LuxKey {
+	if key, ok := ks.keys[id]; ok {
+		return &key
+	} else {
+		return nil
+	}
+}
+
+func (ks *LuxKeyStore) Put(key LuxKey) (*LuxKey, error) {
+	ks.keys[key.Id] = key
+	if err := ks.Save(); err != nil {
+		return nil, err
+	}
+
+	_key := ks.keys[key.Id]
+	return &_key, nil
+}
diff --git a/host/lux_host.go b/host/lux_host.go
index c9ff5bc..00e539d 100644
--- a/host/lux_host.go
+++ b/host/lux_host.go
@@ -2,6 +2,9 @@ package host
 
 import (
 	"fmt"
+	"log"
+	"lux/crypto"
+	"lux/proto"
 
 	"gopkg.in/ini.v1"
 )
@@ -11,6 +14,10 @@ type luxConfig struct {
 		Name  string `ini:"name"`
 		Nodes string `ini:"nodes"`
 	} `ini:"host"`
+
+	KeyStore struct {
+		Path string `ini:"path"`
+	} `ini:"keystore"`
 }
 
 var config luxConfig
@@ -23,7 +30,20 @@ func LuxHostEntry(configPath string) error {
 	if err = ini.MapTo(&config); err != nil {
 		return err
 	}
-
 	fmt.Println(config)
+
+	ks := crypto.NewLuxKeyStore(config.KeyStore.Path)
+	key, err := crypto.NewLuxKey(proto.LuxTypeHost)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := ks.Load(); err != nil {
+		log.Fatal(err)
+	}
+	if _, err := ks.Put(key); err != nil {
+		log.Fatal(err)
+	}
+
 	return nil
 }