diff --git a/src/lib/server/db/mek.ts b/src/lib/server/db/mek.ts
index 237ef59..944636e 100644
--- a/src/lib/server/db/mek.ts
+++ b/src/lib/server/db/mek.ts
@@ -2,7 +2,7 @@ import { SqliteError } from "better-sqlite3";
 import { and, or, eq } from "drizzle-orm";
 import db from "./drizzle";
 import { IntegrityError } from "./error";
-import { mek, clientMek } from "./schema";
+import { mek, mekLog, clientMek } from "./schema";
 export const registerInitialMek = async (
 userId: number,
@@ -16,8 +16,6 @@ export const registerInitialMek = async (
 await tx.insert(mek).values({
 userId,
 version: 1,
- createdBy,
- createdAt: new Date(),
 state: "active",
 });
 await tx.insert(clientMek).values({
@@ -27,6 +25,13 @@ export const registerInitialMek = async (
 encMek,
 encMekSig,
 });
+ await tx.insert(mekLog).values({
+ userId,
+ mekVersion: 1,
+ timestamp: new Date(),
+ action: "create",
+ actionBy: createdBy,
+ });
 } catch (e) {
 if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_PRIMARYKEY") {
 throw new IntegrityError("MEK already registered");
diff --git a/src/lib/server/db/schema/mek.ts b/src/lib/server/db/schema/mek.ts
index 8ab6fb8..e496d9e 100644
--- a/src/lib/server/db/schema/mek.ts
+++ b/src/lib/server/db/schema/mek.ts
@@ -9,10 +9,6 @@ export const mek = sqliteTable(
 .notNull()
 .references(() => user.id),
 version: integer("version").notNull(),
- createdBy: integer("created_by")
- .notNull()
- .references(() => client.id),
- createdAt: integer("created_at", { mode: "timestamp_ms" }).notNull(),
 state: text("state", { enum: ["active", "retired", "dead"] }).notNull(),
 retiredAt: integer("retired_at", { mode: "timestamp_ms" }),
 },
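Review bot: In the `@@ -27,6 +25,13 @@` hunk of `src/lib/server/db/mek.ts`, the audit row hard-codes `mekVersion: 1` while the key row earlier in the same function is inserted with its own literal `version: 1`. Because `mekLog` has a composite foreign key on (user, version), a later edit to one literal but not the other would either fail the insert or attach the creation record to the wrong key version. A single `const initialVersion = 1;` used by both inserts would remove that risk. A comment above the new insert would also help, for example `// audit row shares the transaction with the key insert so a MEK never exists without its creation record`, assuming `tx` is the transaction handle opened outside this hunk. The body of `registerInitialMek` starts and ends outside the hunk.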
@@ -21,6 +17,26 @@ export const mek = sqliteTable(
 }),
 );
+export const mekLog = sqliteTable(
+ "master_encryption_key_log",
+ {
+ id: integer("id").primaryKey({ autoIncrement: true }),
+ userId: integer("user_id")
+ .notNull()
+ .references(() => user.id),
+ mekVersion: integer("master_encryption_key_version").notNull(),
+ timestamp: integer("timestamp", { mode: "timestamp_ms" }).notNull(),
+ action: text("action", { enum: ["create"] }).notNull(),
+ actionBy: integer("action_by").references(() => client.id),
+ },
+ (t) => ({
+ ref: foreignKey({
+ columns: [t.userId, t.mekVersion],
+ foreignColumns: [mek.userId, mek.version],
+ }),
+ }),
+);
+
 export const clientMek = sqliteTable(
 "client_master_encryption_key",
 {
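Review bot: `actionBy` in the new `mekLog` table is declared without `.notNull()`, whereas the `createdBy` column this commit removes from `mek` was `NOT NULL`, so the schema no longer guarantees that a key-creation event names the client that performed it. If a null actor is reserved for future server-initiated actions, say so in a comment on the column; otherwise keep the constraint with `actionBy: integer("action_by").notNull().references(() => client.id),`. The table reads as an append-only audit trail, so a short comment above `mekLog` stating that rows are never updated or deleted would make that contract explicit. Existing `created_by`/`created_at` values presumably need backfilling into this table before the columns are dropped; no migration is shown on this page.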