Skip to content

Security Model

This page provides a high-level overview of the security model for VeliKey Aegis.

Goals

  • Prevent cross-tenant access (data and control).
  • Ensure agent-to-control-plane communication is authenticated and authorized.
  • Support strict TLS validation in production (no fail-open defaults).
  • Avoid accidental disclosure of sensitive values in logs and UI.

Trust Boundaries

  • Customer environment: where Aegis Agents run and where application traffic originates.
  • Control plane (Axis): policy management and telemetry aggregation.

Authentication

Users (Axis UI/API)

Axis supports user authentication (including SSO/OIDC where configured) and role-based access control.

Agents

Agents use a two-stage credential flow:

  1. Bootstrap token (single-use, short-lived): used only for initial enrollment.
  2. Per-agent credential: issued after enrollment and scoped to the tenant and the agent.

If a bootstrap token is exposed or reused, treat it as compromised and rotate it.

Authorization

  • Control plane APIs enforce tenant-scoped authorization.
  • Agent-specific endpoints must verify both:
  • token validity
  • tenant + agent binding (prevent cross-tenant token reuse)

Transport Security

  • Agent-to-control-plane communication uses TLS.
  • Production deployments should validate:
  • certificate chain
  • hostname/SAN

If you use a private PKI, configure agents with the correct CA bundle rather than disabling validation.

Secrets Handling

Treat the following as secrets:

  • bootstrap tokens
  • per-agent credentials
  • API keys
  • webhook signing secrets

Recommendations:

  • Use a secret manager or Kubernetes Secret.
  • Avoid placing secrets directly in long-lived files or source control.
  • Rotate on suspected exposure.

Logging and Audit

  • Do not log tokens, keys, or Authorization headers.
  • Audit sensitive actions (policy changes, key creation/revocation, enrollment actions).

Incident Response (Minimal Playbook)

  1. Revoke the affected agent credential (or remove the agent).
  2. Generate a new bootstrap token and re-enroll the agent.
  3. Rotate any related API keys or webhook secrets.
  4. Review audit logs for unexpected access.

See Also