diff --git a/tough/src/error.rs b/tough/src/error.rs
index 85e207b1..fb9907a4 100644
--- a/tough/src/error.rs
+++ b/tough/src/error.rs
@@ -57,6 +57,20 @@ pub enum Error {
         backtrace: Backtrace,
     },
 
+    #[snafu(display("Failed to read {}: {}", path.display(), source))]
+    FileRead {
+        path: PathBuf,
+        source: std::io::Error,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Failed to write to {}: {}", path.display(), source))]
+    FileWrite {
+        path: PathBuf,
+        source: std::io::Error,
+        backtrace: Backtrace,
+    },
+
     /// A downloaded target's checksum does not match the checksum listed in the repository
     /// metadata.
     #[snafu(display(
diff --git a/tough/src/key_source.rs b/tough/src/key_source.rs
new file mode 100644
index 00000000..df47cfa1
--- /dev/null
+++ b/tough/src/key_source.rs
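Review bot: The new `FileRead` and `FileWrite` variants carry no doc comment, while the neighbouring variant in the same hunk is documented with `///`; since `Error` is `pub`, both will appear undocumented in rustdoc. Suggest `/// Reading a file (for example a signing key) from `path` failed.` above `FileRead` and `/// Writing a file to `path` failed.` above `FileWrite`, so a caller matching on the error knows which operation each one covers. The `Error` enum starts and ends outside this hunk, and its `use` lines are not visible, so whether `PathBuf` is already imported in error.rs cannot be confirmed from here.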
@@ -0,0 +1,45 @@
+// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: MIT OR Apache-2.0
+
+use crate::error;
+use crate::sign::{parse_keypair, Sign};
+use snafu::ResultExt;
+use std::fmt::Debug;
+use std::path::PathBuf;
+use std::result::Result;
+
+/// This trait should be implemented for each source of signing keys. Examples
+/// of sources include: files, AWS SSM, etc.
+pub trait KeySource: Debug + Send + Sync {
+    /// Returns an object that implements the `Sign` trait
+    fn as_sign(&self) -> Result, Box>;
+
+    /// Writes a key back to the `KeySource`
+    fn write(
+        &self,
+        value: &str,
+        key_id_hex: &str,
+    ) -> Result<(), Box>;
+}
+
+#[derive(Debug)]
+pub struct LocalKeySource {
+    pub path: PathBuf,
+}
+
+/// Implements the `KeySource` trait for a `LocalKeySource` (file)
+impl KeySource for LocalKeySource {
+    fn as_sign(&self) -> Result, Box> {
+        let data = std::fs::read(&self.path).context(error::FileRead { path: &self.path })?;
+        Ok(Box::new(parse_keypair(&data)?))
+    }
+
+    fn write(
+        &self,
+        value: &str,
+        _key_id_hex: &str,
+    ) -> Result<(), Box> {
+        Ok(std::fs::write(&self.path, value.as_bytes())
+            .context(error::FileWrite { path: &self.path })?)
+    }
+}
diff --git a/tough/src/lib.rs b/tough/src/lib.rs
index 1f01e995..9c35a1ed 100644
--- a/tough/src/lib.rs
+++ b/tough/src/lib.rs
@@ -24,6 +24,7 @@ mod datastore;
 pub mod error;
 mod fetch;
 mod io;
+pub mod key_source;
 pub mod schema;
 pub mod sign;
 mod transport;
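Review bot: `LocalKeySource::write` persists signing-key material with `std::fs::write`, which creates the file with the default mode (0666 masked by the process umask, commonly 0644, i.e. world-readable) and truncates whatever `self.path` points at, following symlinks; for a private key the file should be created owner-only. The rewrite below opens the file through `OpenOptions` with `mode(0o600)` on Unix and keeps the same `FileWrite` error context; it needs `use std::io::Write;` added to the imports at the top of the file, and note that `mode` only applies when the file is newly created, so a pre-existing key file keeps its current permissions. The generic parameters of the `Result`/`Box` return types read as `Result, Box>` in this copy of the hunk, which looks like a rendering artefact rather than the committed code; the fence assumes `Box<dyn std::error::Error>`.
```rust
// … unchanged: license header, imports, KeySource trait, LocalKeySource, as_sign …
    fn write(
        &self,
        value: &str,
        _key_id_hex: &str,
    ) -> Result<(), Box<dyn std::error::Error>> {
        // Private key material: create the file owner-read/write only rather than
        // inheriting the umask default that std::fs::write would use.
        let mut options = std::fs::OpenOptions::new();
        options.write(true).create(true).truncate(true);
        #[cfg(unix)]
        {
            use std::os::unix::fs::OpenOptionsExt;
            options.mode(0o600);
        }
        let mut file = options
            .open(&self.path)
            .context(error::FileWrite { path: &self.path })?;
        file.write_all(value.as_bytes())
            .context(error::FileWrite { path: &self.path })?;
        Ok(())
    }
```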