One question we naturally get asked a lot is how ServerAuth impacts the security of your servers. With a strong background in server management and security, our team has followed and developed industry-leading practices to ensure the highest levels of security when using ServerAuth.
How we access your server
If you are using our 'Basic' agent integration, ServerAuth never has access to your server. We don't even need to know its IP address. This method of access works by your server calling our API to retrieve your team's public SSH keys, and by sending us your server monitoring statistics if you take advantage of this feature.
This is of course a very limited set of features and intentionally allows you to take full advantage of our SSH Key Management service without needing to give away too many details or any kind of access to your server.
The source code for the agent that you install on your server is available publicly on our GitHub account, and can of course be compiled by hand should you wish to be extra safe.
Our advanced integration allows our private backend to perform select tasks on your server, which means we're able to provide a huge number of features that wouldn't be possible with the Basic integration.
For this to work, during the setup process, we ask you to provide us with your server's IP address. To log into your server for the first time we require either a password (which we only use once and do not store), or we'll give you the option of adding our public key.
Once our setup work is done, our private backend will have access to your server via a dedicated ServerAuth user, which can perform important security updates and run any tasks you request on your server. This is an 'offline' system with no web access, and all credentials are stored encrypted with industry-standard AES-256 (sometimes marketed as "military-grade" encryption).
All communication from our private backend is done using TLS, and where possible signed offline with our GPG key.
Because of how our 'closed' system operates, our support staff can't access your server unless you provide them with a team account. This is by design, to ensure the security of your infrastructure.
Your online account
Your online ServerAuth account is hosted on our web servers, securely separated from our server management infrastructure. Your account provides the ability to use Two-Factor Authentication (aka 2FA) to increase account security, something which we strongly recommend enabling.
Your account password is hashed using industry-standard Bcrypt and Argon2. We do not use insecure hashing algorithms (e.g. MD5 and SHA1), nor do we at any point store account passwords in plain text.
All payments made via ServerAuth are handled by our payment provider, Stripe, who use standard bank-grade encryption. We do not store or transmit your credit/debit card details; this is handled strictly by Stripe.
Team Access Controls
We provide a range of permission-based access controls for your team. This allows you to create and modify user groups, controlling who can access what.