Security Model
This page provides a high-level overview of the security model for VeliKey Aegis.
Goals
- Prevent cross-tenant access (data and control).
- Ensure agent-to-control-plane communication is authenticated and authorized.
- Support strict TLS validation in production (no fail-open defaults).
- Avoid accidental disclosure of sensitive values in logs and UI.
Trust Boundaries
- Customer environment: where Aegis Agents run and where application traffic originates.
- Control plane (Axis): policy management and telemetry aggregation.
Authentication
Users (Axis UI/API)
Axis supports user authentication (including SSO/OIDC where configured) and role-based access control.
Agents
Agents use a two-stage credential flow:
- Bootstrap token (single-use, short-lived): used only for initial enrollment.
- Per-agent credential: issued after enrollment and scoped to the tenant and the agent.
If a bootstrap token is exposed or reused, treat it as compromised and rotate it.
Authorization
- Control plane APIs enforce tenant-scoped authorization.
- Agent-specific endpoints must verify both:
- token validity
- tenant + agent binding (prevent cross-tenant token reuse)
Transport Security
- Agent-to-control-plane communication uses TLS.
- Production deployments should validate:
- certificate chain
- hostname/SAN
If you use a private PKI, configure agents with the correct CA bundle rather than disabling validation.
Secrets Handling
Treat the following as secrets:
- bootstrap tokens
- per-agent credentials
- API keys
- webhook signing secrets
Recommendations:
- Use a secret manager or Kubernetes Secret.
- Avoid placing secrets directly in long-lived files or source control.
- Rotate on suspected exposure.
Logging and Audit
- Do not log tokens, keys, or Authorization headers.
- Audit sensitive actions (policy changes, key creation/revocation, enrollment actions).
Incident Response (Minimal Playbook)
- Revoke the affected agent credential (or remove the agent).
- Generate a new bootstrap token and re-enroll the agent.
- Rotate any related API keys or webhook secrets.
- Review audit logs for unexpected access.