diff --git a/tests/Fixture/EncryptionKeysFixture.php b/tests/Fixture/EncryptionKeysFixture.php index 05b92f8..a9d6c27 100644 --- a/tests/Fixture/EncryptionKeysFixture.php +++ b/tests/Fixture/EncryptionKeysFixture.php @@ -45,7 +45,7 @@ class EncryptionKeysFixture extends TestFixture 'encryption_key' => $this->getPublicKey(self::KEY_TYPE_EDCH), 'revoked' => false, 'expires' => null, - 'owner_id' => OrganisationsFixture::ORGANISATION_A_ID, + 'owner_id' => OrganisationsFixture::ORGANISATION_B_ID, 'owner_model' => 'Organisation', 'created' => $faker->dateTime()->getTimestamp(), 'modified' => $faker->dateTime()->getTimestamp() @@ -54,7 +54,7 @@ class EncryptionKeysFixture extends TestFixture parent::init(); } - public function getPublicKey(string $type): string + public static function getPublicKey(string $type): string { switch ($type) { case self::KEY_TYPE_EDCH: @@ -90,7 +90,7 @@ class EncryptionKeysFixture extends TestFixture } } - private function getPrivateKey(string $type): string + private static function getPrivateKey(string $type): string { switch ($type) { case self::KEY_TYPE_EDCH: diff --git a/tests/TestCase/Api/EncryptionKeys/AddEncryptionKeyApiTest.php b/tests/TestCase/Api/EncryptionKeys/AddEncryptionKeyApiTest.php new file mode 100644 index 0000000..b876800 --- /dev/null +++ b/tests/TestCase/Api/EncryptionKeys/AddEncryptionKeyApiTest.php 
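Review bot: In EncryptionKeysFixture, `getPublicKey` becomes static, but the fixture record in the first hunk still calls it through the instance as `$this->getPublicKey(self::KEY_TYPE_EDCH)`. PHP accepts that, yet it hides that the method no longer depends on instance state; `'encryption_key' => self::getPublicKey(self::KEY_TYPE_EDCH),` would match how the new API tests call it. Since the method is now shared by other test classes, a short docblock naming the accepted `$type` values would help. The switch body continues outside the hunk, so the behaviour for an unknown type is not visible here.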
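Review bot: `getPrivateKey` in EncryptionKeysFixture has no docblock saying that the key material it returns exists only for tests. Judging by its name it returns private key text committed to the repository (the body is outside the hunk), which secret scanners will flag and which someone could copy into a real deployment. A comment such as `/** Throwaway private key for tests only; never deploy or reuse. */` above the method makes those findings quick to triage. The diff shows no caller for this private static method, so it is worth confirming that it is still used.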
@@ -0,0 +1,82 @@
+setAuthToken(AuthKeysFixture::ADMIN_API_KEY);
+
+ $faker = \Faker\Factory::create();
+ $uuid = $faker->uuid;
+
+ $this->post(
+ self::ENDPOINT,
+ [
+ 'uuid' => $uuid,
+ 'type' => EncryptionKeysFixture::TYPE_PGP,
+ 'encryption_key' => EncryptionKeysFixture::getPublicKey(EncryptionKeysFixture::KEY_TYPE_EDCH),
+ 'revoked' => false,
+ 'expires' => null,
+ 'owner_id' => UsersFixture::USER_ADMIN_ID,
+ 'owner_model' => 'User'
+ ]
+ );
+
+ $this->assertResponseOk();
+ $this->assertResponseContains(sprintf('"uuid": "%s"', $uuid));
+ $this->assertDbRecordExists('EncryptionKeys', ['uuid' => $uuid]);
+ //TODO: $this->assertRequestMatchesOpenApiSpec();
+ $this->assertResponseMatchesOpenApiSpec(self::ENDPOINT, 'post');
+ }
+
+ public function testAddAdminUserEncryptionKeyNotAllowedAsRegularUser(): void
+ {
+ $this->setAuthToken(AuthKeysFixture::REGULAR_USER_API_KEY);
+
+ $faker = \Faker\Factory::create();
+ $uuid = $faker->uuid;
+
+ $this->post(
+ self::ENDPOINT,
+ [
+ 'uuid' => $uuid,
+ 'type' => EncryptionKeysFixture::TYPE_PGP,
+ 'encryption_key' => EncryptionKeysFixture::getPublicKey(EncryptionKeysFixture::KEY_TYPE_EDCH),
+ 'revoked' => false,
+ 'expires' => null,
+ 'owner_id' => UsersFixture::USER_ADMIN_ID,
+ 'owner_model' => 'User'
+ ]
+ );
+
+ $this->assertResponseCode(405);
+ $this->assertDbRecordNotExists('EncryptionKeys', ['uuid' => $uuid]);
+ //TODO: $this->assertRequestMatchesOpenApiSpec();
+ $this->assertResponseMatchesOpenApiSpec(self::ENDPOINT, 'post');
+ }
+}
diff --git a/tests/TestCase/Api/EncryptionKeys/EditEncryptionKeyApiTest.php b/tests/TestCase/Api/EncryptionKeys/EditEncryptionKeyApiTest.php
new file mode 100644
index 0000000..6525786
--- /dev/null
+++ b/tests/TestCase/Api/EncryptionKeys/EditEncryptionKeyApiTest.php
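Review bot: In AddEncryptionKeyApiTest, `testAddAdminUserEncryptionKeyNotAllowedAsRegularUser` pins `405` as the answer to an authorization failure, and `testRevokeAdminEncryptionKeyNotAllowedAsRegularUser` in EditEncryptionKeyApiTest does the same. 405 means the HTTP verb is not supported on the route, while the OpenAPI change in this commit declares a separate `403` for these paths, so an access denial reported as 405 is easy to miss in client handling and in log-based monitoring. If the controller really answers 405 here, that is better fixed at the source and asserted as `$this->assertResponseCode(403);`. Both Add tests also submit `'type' => EncryptionKeysFixture::TYPE_PGP` together with the `KEY_TYPE_EDCH` fixture key. If those are different key formats (the fixture body is not visible), the passing admin test suggests the endpoint stores key material without checking it against the declared type, which deserves its own negative test.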
@@ -0,0 +1,76 @@
+setAuthToken(AuthKeysFixture::ADMIN_API_KEY);
+
+ $url = sprintf('%s/%d', self::ENDPOINT, EncryptionKeysFixture::ENCRYPTION_KEY_ORG_A_ID);
+ $this->put(
+ $url,
+ [
+ 'revoked' => true,
+ ]
+ );
+
+ $this->assertResponseOk();
+ $this->assertDbRecordExists(
+ 'EncryptionKeys',
+ [
+ 'id' => EncryptionKeysFixture::ENCRYPTION_KEY_ORG_A_ID,
+ 'revoked' => true,
+ ]
+ );
+ //TODO: $this->assertRequestMatchesOpenApiSpec();
+ $this->assertResponseMatchesOpenApiSpec($url, 'put');
+ }
+
+ public function testRevokeAdminEncryptionKeyNotAllowedAsRegularUser(): void
+ {
+ $this->setAuthToken(AuthKeysFixture::REGULAR_USER_API_KEY);
+
+ $url = sprintf('%s/%d', self::ENDPOINT, EncryptionKeysFixture::ENCRYPTION_KEY_ORG_B_ID);
+ $this->put(
+ $url,
+ [
+ 'revoked' => true
+ ]
+ );
+
+ $this->assertResponseCode(405);
+ $this->assertDbRecordNotExists(
+ 'EncryptionKeys',
+ [
+ 'id' => EncryptionKeysFixture::ENCRYPTION_KEY_ORG_B_ID,
+ 'revoked' => true
+ ]
+ );
+ //TODO: $this->assertRequestMatchesOpenApiSpec();
+ $this->assertResponseMatchesOpenApiSpec($url, 'put');
+ }
+}
diff --git a/tests/TestCase/Api/EncryptionKeys/ViewEncryptionKeyApiTest.php b/tests/TestCase/Api/EncryptionKeys/ViewEncryptionKeyApiTest.php
new file mode 100644
index 0000000..8e46119
--- /dev/null
+++ b/tests/TestCase/Api/EncryptionKeys/ViewEncryptionKeyApiTest.php
@@ -0,0 +1,40 @@
+setAuthToken(AuthKeysFixture::ADMIN_API_KEY);
+ $url = sprintf('%s/%d', self::ENDPOINT, EncryptionKeysFixture::ENCRYPTION_KEY_ORG_A_ID);
+ $this->get($url);
+
+ $this->assertResponseOk();
+ $this->assertResponseContains(sprintf('"id": %d', EncryptionKeysFixture::ENCRYPTION_KEY_ORG_A_ID));
+ // TODO: $this->assertRequestMatchesOpenApiSpec();
+ $this->assertResponseMatchesOpenApiSpec($url);
+ }
+}
diff --git a/webroot/docs/openapi.yaml b/webroot/docs/openapi.yaml
index c4852eb..d293ed5 100644
--- a/webroot/docs/openapi.yaml
+++ b/webroot/docs/openapi.yaml
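Review bot: In EditEncryptionKeyApiTest, `testRevokeAdminEncryptionKeyNotAllowedAsRegularUser` targets `ENCRYPTION_KEY_ORG_B_ID`, an organisation-owned key, so the test name and the fixture disagree about what is being protected. The denial only means something if the regular user is not a member of Organisation B, which nothing in the test states. A line such as `// Key is owned by Organisation B; the regular user must not belong to it.` above the request, plus a rename to `testRevokeOrgEncryptionKeyNotAllowedAsRegularUser`, would make the access rule explicit. The suite also lacks the matching positive case of an owner revoking their own key, so an endpoint that refused every non-admin would pass these tests unchanged.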
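Review bot: In ViewEncryptionKeyApiTest, the body check `assertResponseContains(sprintf('"id": %d', ...))` matches literal text, so it passes only while the API pretty-prints JSON with a space after the colon. It would also be satisfied by any nested object carrying the same id, and the `'"uuid": "%s"'` check in AddEncryptionKeyApiTest has the same weakness. Decoding the body and asserting on the top-level field would be sturdier, for example `$this->assertSame(EncryptionKeysFixture::ENCRYPTION_KEY_ORG_A_ID, json_decode((string)$this->_response->getBody(), true)['id'] ?? null);`, assuming the test case uses CakePHP's integration trait. Only the admin path is exercised; a regular-user request against a key they do not own would show whether the `403` declared for this route is ever returned.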
@@ -652,6 +652,62 @@ paths: default: $ref: "#/components/responses/ApiErrorResponse" + /api/v1/encryptionKeys/view/{encryptionKeyId}: + get: + summary: "Get encryption key by ID" + operationId: getEncryptionKeyId + tags: + - EncryptionKeys + parameters: + - $ref: "#/components/parameters/encryptionKeyId" + responses: + "200": + $ref: "#/components/responses/EncryptionKeyResponse" + "403": + $ref: "#/components/responses/UnauthorizedApiErrorResponse" + "405": + $ref: "#/components/responses/MethodNotAllowedApiErrorResponse" + default: + $ref: "#/components/responses/ApiErrorResponse" + + /api/v1/encryptionKeys/add: + post: + summary: "Add encryption key" + operationId: addEncryptionKey + tags: + - EncryptionKeys + requestBody: + $ref: "#/components/requestBodies/CreateEncryptionKeyRequest" + responses: + "200": + $ref: "#/components/responses/EncryptionKeyResponse" + "403": + $ref: "#/components/responses/UnauthorizedApiErrorResponse" + "405": + $ref: "#/components/responses/MethodNotAllowedApiErrorResponse" + default: + $ref: "#/components/responses/ApiErrorResponse" + + /api/v1/encryptionKeys/edit/{encryptionKeyId}: + put: + summary: "Edit encryption key" + operationId: editEncryptionKey + tags: + - EncryptionKeys + parameters: + - $ref: "#/components/parameters/encryptionKeyId" + requestBody: + $ref: "#/components/requestBodies/EditEncryptionKeyRequest" + responses: + "200": + $ref: "#/components/responses/EncryptionKeyResponse" + "403": + $ref: "#/components/responses/UnauthorizedApiErrorResponse" + "405": + $ref: "#/components/responses/MethodNotAllowedApiErrorResponse" + default: + $ref: "#/components/responses/ApiErrorResponse" + /api/v1/encryptionKeys/delete/{encryptionKeyId}: delete: summary: "Delete encryption key by ID" 
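Review bot: The view operation's id `getEncryptionKeyId` reads as "fetch the id" and breaks the pattern of its siblings `addEncryptionKey` and `editEncryptionKey`; `operationId: getEncryptionKeyById` matches the summary and gives generated clients a sensible method name. All three operations list both `403` and `405` without saying which one an authenticated caller without permission receives, and the `403` entry points at a component named `UnauthorizedApiErrorResponse`, which blurs 401 and 403. A one-line `description` on each response would make the authorization contract readable from the spec alone. Whether a global `security` requirement covers these paths cannot be seen from this hunk.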
@@ -1601,6 +1657,50 @@ components: authkey: $ref: "#/components/schemas/AuthKey" + CreateEncryptionKeyRequest: + required: true + content: + application/json: + schema: + type: object + properties: + uuid: + $ref: "#/components/schemas/UUID" + type: + $ref: "#/components/schemas/EncryptionKeyType" + encryption_key: + $ref: "#/components/schemas/EncryptionKeyValue" + revoked: + type: boolean + expires: + $ref: "#/components/schemas/EncryptionKeyExpiration" + owner_id: + $ref: "#/components/schemas/ID" + owner_model: + $ref: "#/components/schemas/ModelName" + + EditEncryptionKeyRequest: + required: true + content: + application/json: + schema: + type: object + properties: + uuid: + $ref: "#/components/schemas/UUID" + type: + $ref: "#/components/schemas/EncryptionKeyType" + encryption_key: + $ref: "#/components/schemas/EncryptionKeyValue" + revoked: + type: boolean + expires: + $ref: "#/components/schemas/EncryptionKeyExpiration" + owner_id: + $ref: "#/components/schemas/ID" + owner_model: + $ref: "#/components/schemas/ModelName" + responses: # Individuals IndividualResponse:
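Review bot: `CreateEncryptionKeyRequest` declares no required properties, so an empty object validates against the schema and the spec-matching assertions in the tests cannot catch a request that omits the key or its owner. Adding `required: [type, encryption_key, owner_id, owner_model]` under the schema would close that gap. `EditEncryptionKeyRequest` is a field-for-field copy that documents `uuid`, `encryption_key`, `owner_id` and `owner_model` as editable. If the controller accepts them (it is not visible here), a caller could re-parent a key or swap key material under an existing identifier, so the edit schema is safer limited to fields meant to change, such as `revoked` and `expires`, with `additionalProperties: false`. Both schemas take the owner from the client, so the rule for who may set which owner is worth stating in a `description`.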