Documentation
Everything you need to deploy and operate Lockwave.
Quick Start
Get running in three steps:
- Create your account and set up your first team
- Generate an SSH key or import your existing public key
- Enroll your first host using the install command below
curl -fsSL https://lockwave.io/install.sh | sudo bash -s -- \
--token YOUR_ENROLLMENT_TOKEN \
--api-url https://lockwave.io \
--os-user deploy
The enrollment token is generated in the dashboard when you enroll a new host. It expires after 15 minutes.
Architecture
Lockwave consists of two components:
- Control Plane - A Laravel application that stores teams, SSH public keys, hosts, and assignments. It computes the desired state for each host and serves it via a REST API.
- Daemon (lockwaved) - A statically compiled Go binary that runs on each managed host. It polls the control plane over outbound HTTPS, computes the delta between current and desired state, and atomically rewrites the authorized_keys file.
The daemon never opens inbound ports. All communication flows from the daemon to the control plane, never the reverse. This means you don't need to modify firewall rules or open SSH tunnels.
Daemon Installation
The install script downloads the correct binary for your architecture, creates a systemd service, and registers the host with the control plane.
Supported Platforms
- Linux (amd64, arm64)
- macOS / Darwin (amd64, arm64)
- FreeBSD (amd64)
Verifying Installation
systemctl status lockwaved
journalctl -u lockwaved -f
The host should appear in your dashboard with a "healthy" status within 60 seconds.
Key Management
Lockwave supports two key types:
- ed25519 - Default and recommended. Smaller, faster, and more secure than RSA.
- RSA 4096 - For legacy compatibility with older SSH clients or servers.
Keys can be generated server-side (the private key is shown once and never stored) or imported by pasting your existing public key.
Keys are scoped to teams. Visibility options:
- Personal - Only visible to the key owner
- Shared - Visible to team admins and owners
Assignments
Assignments map SSH keys to hosts and OS users. They define the desired state of each authorized_keys file.
Create an assignment to grant access. Delete it to revoke. Changes propagate to all affected hosts on the next daemon sync cycle.
Sync intervals depend on your plan: Free (5 min), Standard (2 min), Business (1 min), Enterprise (30 sec).
API Overview
Lockwave provides a REST API secured with Sanctum tokens. All endpoints require authentication and team context.
Authentication
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Accept: application/json" \
https://lockwave.io/api/v1/hosts
Generate API tokens from your profile settings in the dashboard.
Security Model
Lockwave's security model is built on four principles:
- Outbound-only - The daemon only makes outbound HTTPS requests. No inbound ports, no SSH tunnels.
- No private keys - We only store public keys. Private keys are generated and delivered once, then discarded.
- Atomic writes - POSIX file locking and rename prevent corrupted authorized_keys files.
- Immutable audit - Every action is logged in an append-only log. Break-glass, drift events, and credential rotations are all recorded.
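The atomic-write principle above, combined with the compare-then-rewrite step described under Architecture, as an added Go example (not Lockwave's own code). The function name `Sync`, the `.lock` sidecar file and the temp-file prefix are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Sync makes path contain exactly the desired key lines. It holds an exclusive
// flock, skips the write when nothing changed, and otherwise renames a fully
// written temp file over path so readers never see a partial file.
func Sync(path string, desired []string) (changed bool, err error) {
	want := strings.Join(desired, "\n") + "\n"
	lock, err := os.OpenFile(path+".lock", os.O_CREATE|os.O_RDWR, 0o600) // hypothetical sidecar lock
	if err != nil {
		return false, err
	}
	defer lock.Close() // closing the descriptor releases the lock
	if err = syscall.Flock(int(lock.Fd()), syscall.LOCK_EX); err != nil {
		return false, err
	}
	if cur, rerr := os.ReadFile(path); rerr == nil && string(cur) == want {
		return false, nil // current state already matches desired state
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".authorized_keys-*") // mode 0600
	if err != nil {
		return false, err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly after a successful rename
	if _, err = tmp.WriteString(want); err == nil {
		err = tmp.Sync() // flush data before the rename makes it visible
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return false, err
	}
	err = os.Rename(tmp.Name(), path) // same directory, so the swap is atomic
	return err == nil, err
}

func main() {
	path := filepath.Join(os.TempDir(), "authorized_keys.demo") // constructed demo path and key
	changed, err := Sync(path, []string{"ssh-ed25519 AAAAconstructed alice@laptop"})
	fmt.Println(changed, err)
}
```

The sketch sets no ownership on the new file; a daemon running as root would also need to chown the temp file to the target OS user before the rename.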
Report security issues to security@lockwave.io.