
INFRASTRUCTURE ACCESS, CRYPTOGRAPHICALLY ENFORCED.

Stop manually editing authorized_keys. Lockwave is a centralized control plane that uses an outbound-only Go daemon to enforce desired SSH key states across your Linux fleet in milliseconds. Zero inbound ports. Full auditability. GDPR compliant.

The End of SSH Key Sprawl

Managing SSH access at scale is fundamentally broken. When an engineer leaves, finding and removing their public key from hundreds of servers is a manual, error-prone nightmare.

Lockwave replaces this chaos with Deterministic State Enforcement. You define who should have access to what in the central Laravel-powered Control Plane.

Our lightweight, compiled Go daemon runs on your hosts. It wakes up, polls the Control Plane via outbound HTTPS, computes the delta, and atomically rewrites the authorized_keys file. If a key is not in the Control Plane, it is purged. Instantly.

  • No inbound firewall rules required (Outbound 443 only)
  • Atomic file writes prevent partial key corruption
  • Immutable audit logs for SOC2 / ISO27001 compliance

lockwave-daemon.log
time="2024-02-26T10:14:02Z" level=info msg="Starting Lockwave Daemon v1.0.0"
time="2024-02-26T10:14:02Z" level=info msg="Loaded configuration from /etc/lockwave/config.yml"
time="2024-02-26T10:14:03Z" level=info msg="Authenticating with Control Plane..."
time="2024-02-26T10:14:03Z" level=info msg="Authentication successful. Host ID: hst_9f8a7b6c"
time="2024-02-26T10:14:05Z" level=info msg="Polling for desired state..."
time="2024-02-26T10:14:05Z" level=info msg="Received state: 3 active keys, 1 revoked key"
time="2024-02-26T10:14:05Z" level=info msg="Computing delta for user 'deploy'..."
time="2024-02-26T10:14:05Z" level=warning msg="Drift detected: Found unauthorized key 'SHA256:xYzA...'"
time="2024-02-26T10:14:05Z" level=info msg="Acquiring exclusive file lock on ~/.ssh/authorized_keys"
time="2024-02-26T10:14:05Z" level=info msg="Writing new state to temporary file"
time="2024-02-26T10:14:05Z" level=info msg="Atomic rename successful. State enforced."
time="2024-02-26T10:14:05Z" level=info msg="Sleeping for 60 seconds..."

Architected for Zero Trust

Every component of Lockwave is designed with security as the primary constraint. We do not store your private keys. We do not require inbound access to your network.

Instant Revocation

When an employee is offboarded, their access is revoked globally across all enrolled hosts within the next polling cycle (default 60s). The daemon atomically removes their public key from all managed authorized_keys blocks.

Outbound-Only Daemon

The Lockwave agent is a statically compiled Go binary. It operates strictly via outbound HTTPS (port 443) requests to the Control Plane. It requires zero open inbound ports.

Break-Glass Controls

In the event of a suspected breach, administrators can trigger a Global Freeze. This immediately instructs all daemons to purge all managed keys, locking down the infrastructure until the incident is resolved.

Drift Detection

If a user manually edits the authorized_keys file to add a backdoor key, the daemon detects the drift on the next poll, removes the unauthorized key, and logs a critical security event in the audit trail.

Atomic Enforcement

File writes are performed using strict POSIX file locking and atomic rename operations. This ensures that the authorized_keys file is never left in a corrupted or partially-written state.
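
The drift check and atomic rewrite described under Drift Detection and Atomic Enforcement, as an added Go sketch; this is not Lockwave's own code. The function name `enforce`, the whole-line comparison and the key strings are assumptions made for the example, and it assumes a single writer at a time, which the daemon's exclusive file lock would provide.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// enforce makes path hold exactly the desired lines and returns the lines
// that were on disk but absent from the desired state (the drift).
func enforce(path string, desired []string) (drift []string, err error) {
	want := map[string]bool{}
	for _, k := range desired {
		want[k] = true
	}
	cur, err := os.ReadFile(path)
	if err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	for _, line := range strings.Split(string(cur), "\n") {
		// Whole-line match: an approved key with edited options is drift too.
		if line = strings.TrimSpace(line); line != "" && !want[line] {
			drift = append(drift, line)
		}
	}
	// Temp file in the same directory keeps rename(2) on one filesystem;
	// os.CreateTemp creates it with mode 0600.
	tmp, err := os.CreateTemp(filepath.Dir(path), ".authorized_keys.*")
	if err != nil {
		return nil, err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly after a successful rename
	_, werr := tmp.WriteString(strings.Join(desired, "\n") + "\n")
	if err := errors.Join(werr, tmp.Sync(), tmp.Close()); err != nil {
		return nil, err
	}
	// Readers see either the old file or the new one, never a partial write.
	return drift, os.Rename(tmp.Name(), path)
}

func main() { // constructed demo: one approved line plus one planted line
	p := filepath.Join(os.TempDir(), "authorized_keys.demo")
	os.WriteFile(p, []byte("ssh-ed25519 AAAA-ok a\nssh-ed25519 AAAA-planted x\n"), 0o600)
	fmt.Println(enforce(p, []string{"ssh-ed25519 AAAA-ok a"}))
}
```

The returned drift slice is what a daemon of this kind would feed into its audit trail before sleeping until the next poll.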

Compliance Ready

Generate PDF and CSV reports detailing exactly who had access to which host at any given time. Combined with the immutable audit log, Lockwave provides the exact evidence required for SOC2 and ISO27001 audits.

Ready to enforce your key policy?

Start free. No credit card required. Deploy the daemon on your first host in under 5 minutes.