Every Tool You Need to Control SSH Access at Scale

From key generation to compliance reports - a single control plane for your entire fleet.

System Architecture

[Architecture diagram: Control Plane (Laravel API), HTTPS 443, Go Daemon (lockwaved), atomic write, authorized_keys (~/.ssh/)]

Key Generation

Generate ed25519 (default) or RSA 4096 key pairs server-side. The private key is displayed exactly once after generation and is never stored by Lockwave. Alternatively, import existing public keys.

Each key is fingerprinted (SHA-256) and associated with an owner within a team. Keys can be personal (visible only to the owner) or shared (visible to team admins).

Assignments

Map SSH keys to specific hosts and OS users, or deploy them team-wide. Assignments are the core abstraction - they define the desired state of every authorized_keys file in your fleet.

Create or delete an assignment in the dashboard, and the change propagates to all affected hosts on the next daemon sync cycle. No SSH sessions, no manual edits, no forgotten servers.

Revocation

Soft revocation: delete an assignment to remove a key from specific hosts. The key remains available for future use.

Hard block: block a key (temporarily or indefinitely) to immediately prevent it from being deployed anywhere. Blocked keys are removed from all authorized_keys files on the next sync.

Drift Detection

On every sync, the daemon compares the actual authorized_keys file against the desired state from the control plane. Any discrepancy - a manually added key, a deleted key - is reported as drift.

Drift is automatically corrected on the next sync cycle. The control plane is always the source of truth. Drift events are logged for audit.
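
The comparison described above, sketched in Go as an added example; this is not Lockwave's code. The names fingerprints and detectDrift are hypothetical. Keying the comparison on SHA-256 fingerprints and locating the key blob by its "AAAA" prefix are assumptions made here. The sample key lines are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// fingerprints hashes each key line; heuristic: the blob is the first field starting with "AAAA".
func fingerprints(lines []string) map[string]bool {
	set := map[string]bool{}
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or comment
		}
		fp := "UNPARSED:" + strings.Join(f, " ") // unreadable lines still count as drift
		for _, field := range f {
			if blob, err := base64.StdEncoding.DecodeString(field); err == nil && strings.HasPrefix(field, "AAAA") {
				sum := sha256.Sum256(blob)
				fp = "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
				break
			}
		}
		set[fp] = true
	}
	return set
}

// detectDrift returns keys present but not desired, and keys desired but absent.
func detectDrift(desired, actual []string) (unexpected, missing []string) {
	diff := func(a, b map[string]bool) (out []string) {
		for fp := range a {
			if !b[fp] {
				out = append(out, fp)
			}
		}
		sort.Strings(out)
		return out
	}
	want, have := fingerprints(desired), fingerprints(actual)
	return diff(have, want), diff(want, have)
}

// Constructed sample lines; the blobs are not real keys.
var desired = []string{"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAQUxJ alice@laptop"}
var actual = []string{"# managed", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB added-by-hand"}
func main() { fmt.Println(detectDrift(desired, actual)) }
```

Because the comparison is keyed on the key blob, editing only the trailing comment or adding an options prefix does not register as drift, while a line that cannot be parsed does.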

Break-Glass

In a security incident, activate break-glass to instantly freeze all SSH key deployments for your team. Every daemon will purge all managed keys on the next sync, effectively locking down your entire fleet.

Only Owners and Admins can activate or deactivate break-glass. Every activation and deactivation is recorded with the actor, timestamp, and reason.

Compliance & Audit

Every action - key generation, assignment, revocation, break-glass, team membership changes - is recorded in an immutable audit log. Filter by date, actor, event type, or target resource.

Generate PDF and CSV compliance reports showing exactly who had access to which host at any given time. Designed for SOC 2 and ISO 27001 evidence requirements.

Team Roles

Four roles provide granular access control:

  • Owner - Full control including billing, team deletion, and break-glass
  • Admin - Manage keys, hosts, assignments, and members
  • Member - Manage own keys and view hosts
  • Auditor - Read-only access to audit logs and compliance reports

DSAR Export

Data Subject Access Requests are built in. Any team member can request a full export of their personal data - keys, assignments, audit events, and profile data - in machine-readable format.

Exports are generated as background jobs and made available for download. GDPR Article 15 and Article 20 compliant.

Before & After

Without Lockwave

  • × SSH into each server to add/remove keys
  • × No central record of who has access where
  • × Offboarding takes hours or days
  • × No audit trail for compliance
  • × Unauthorized keys go undetected

With Lockwave

  • Define access once, sync everywhere
  • Full visibility into who can access what
  • Revoke access in under 60 seconds
  • Immutable audit log, PDF/CSV reports
  • Drift detection auto-corrects unauthorized changes

Deploy in Under 5 Minutes

Start free. Install the daemon on your first host and see it sync.