Tessell's NATS deployment uses NKeys authentication, a highly secure public-key signature system based on Ed25519.
With NKeys, the server can verify identities without ever storing or seeing private keys. The authentication system requires a connecting client to provide its public key and digitally sign a challenge with its private key. The server generates a random challenge with every connection request, making it immune to playback attacks. The generated signature is validated against the provided public key, thus proving the client's identity. If the public key is known to the server, authentication succeeds.
We have also built an additional authorization layer on TGS RPCs to prevent impersonation and provide access controls.
Furthermore, the NATS communication over the wire (Agent -> NATS Server) is not only secure with NKeys authentication and an additional authorization layer, but also protected with the industry-standard TLS encryption. This ensures that your data remains private and secure, instilling confidence in the security of our NATS deployment.
Below are the Authentication & Encryption mechanisms for the other endpoints.
Metric Collection (Monitoring Endpoints)
Authentication: OIDC (OpenID Connect) based AuthN (Client Credentials Grant) using KeyCloak
Encryption: TLS (HTTPS)
Genie Connections
Authentication: OIDC (OpenID Connect) based AuthN (Client Credentials Grant) using KeyCloak
Encryption: TLS for controls & SSH (over TCP tunnel) for support sessions
Logging (Agent Logs)
Authentication: AWS IAM based AuthN
Encryption: TLS (HTTPS)