Key-Based Authentication — GaraTrust

Key-Based Authentication

Authenticate with keys that never leave your control.

Give every user and machine a non-exportable cryptographic identity and govern it from one place — across SSH, TLS, cloud, and every other protocol that reaches a privileged resource.

Diagram: the user or machine authenticates via GaraTrust with MFA; the private key in the GaraTrust HSM signs the challenge and never leaves; only the challenge signature reaches the privileged server, which validates it and grants access.

The problem

The credentials that unlock everything are the hardest to find.

The keys that reach critical systems are scattered across laptops, servers, config files, and CI pipelines. Many can be exported, copied, and reused. Few are centrally inventoried — and fewer still are fully auditable.

The gap widens with every new access method. Teams secure one or two protocols, usually SSH, and leave VPN, RDP, database, and cloud access on inconsistent, manual controls. Orphaned keys outlive the people they belonged to. And when something goes wrong, no one can say which key was used, by whom, or when.

Exportable

Copied keys are a standing target — and a risk that follows departing employees out the door.

Unmanaged

No central place to grant, rotate, or revoke access across endpoints and servers.

Unaudited

Proving who accessed what means stitching together logs from a growing sprawl of systems.

One identity layer, four guarantees.

Underneath modern access protocols sits the same foundation: public-key cryptography. GaraTrust issues a cryptographic identity to every user and machine and governs how it's used — with no application rewrites and no server reconfiguration.

Identity for humans and machines

Every user and server gets a key pair and certificate — a standard identity and, where needed, a separate privileged one — so each request ties to a verifiable identity, not a shared secret.

Keys that stay non-exportable

Identity keys live in an HSM and are used by proxy — users authenticate through GaraTrust without ever possessing the key bytes. There's no exported credential to copy, leak, or steal.

Policy at the moment of use

MFA, device authentication, approval workflows, IP allowlisting, and Just-in-Time access — keys disabled by default, enabled only on approval. The server just sees a valid signature.

One audit across everything

Every key use is logged — who, what, when — across all protocols. Audits that meant aggregating logs from dozens of servers become a single query.

A single authentication, end to end

1. The server issues an authentication challenge.
2. The client authenticates to GaraTrust and forwards the challenge.
3. The HSM signs the challenge — the key never leaves.
4. The server validates the signature and grants access.
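The four steps above, worked through as an added example (this is illustrative code, not GaraTrust's own implementation or API). It assumes two roles: a signing service that holds the private key and only ever returns signatures, with the key disabled by default and enabled on approval, and an access server that issues a fresh random challenge per attempt and checks the signature against the enrolled public key. Ed25519 from the Go standard library stands in for whatever algorithm the HSM holds; the names signingService, accessServer and Login are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// signingService plays the GaraTrust + HSM role (assumed name, not a product API).
// It holds the private key, applies policy at the moment of use, and only ever
// returns a signature: the key bytes are never handed to the client.
type signingService struct {
	priv    ed25519.PrivateKey
	enabled bool     // Just-in-Time: disabled by default, enabled only on approval
	Audit   []string // one entry per key use or denial
}

func newSigningService() (*signingService, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &signingService{priv: priv}, pub
}

func (s *signingService) Approve() { s.enabled = true }
func (s *signingService) Revoke()  { s.enabled = false }

// Sign is the only operation exposed over the key. mfaOK models the outcome of
// the user's authentication to the service (step 2).
func (s *signingService) Sign(user string, mfaOK bool, challenge []byte) ([]byte, error) {
	if !mfaOK {
		s.Audit = append(s.Audit, user+" DENY mfa-failed")
		return nil, errors.New("mfa required")
	}
	if !s.enabled {
		s.Audit = append(s.Audit, user+" DENY key-disabled")
		return nil, errors.New("key disabled: no JIT approval")
	}
	s.Audit = append(s.Audit, user+" SIGN "+fmt.Sprintf("%x", challenge))
	return ed25519.Sign(s.priv, challenge), nil
}

// accessServer plays the privileged server (assumed name). It issues a fresh
// random challenge per attempt (step 1) and checks the signature against the
// enrolled public key (step 4). It never learns the private key either.
type accessServer struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte // one outstanding challenge per user
}

func newAccessServer() *accessServer {
	return &accessServer{enrolled: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (sv *accessServer) Enroll(user string, pub ed25519.PublicKey) { sv.enrolled[user] = pub }

func (sv *accessServer) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	sv.pending[user] = c
	return c
}

// Verify consumes the pending challenge, so a captured signature cannot be replayed.
func (sv *accessServer) Verify(user string, challenge, sig []byte) bool {
	want, ok := sv.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false
	}
	delete(sv.pending, user)
	pub, ok := sv.enrolled[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Login walks steps 1 to 4 for one user and reports whether access was granted.
func Login(sv *accessServer, hsm *signingService, user string, mfaOK bool) bool {
	challenge := sv.Challenge(user)              // 1: server issues challenge
	sig, err := hsm.Sign(user, mfaOK, challenge) // 2+3: client authenticates, HSM signs
	if err != nil {
		return false
	}
	return sv.Verify(user, challenge, sig) // 4: server validates the signature
}

func main() {
	hsm, pub := newSigningService()
	sv := newAccessServer()
	sv.Enroll("alice", pub) // constructed sample user
	fmt.Println("before JIT approval:", Login(sv, hsm, "alice", true))
	hsm.Approve()
	fmt.Println("after JIT approval: ", Login(sv, hsm, "alice", true))
	for _, e := range hsm.Audit {
		fmt.Println("audit:", e)
	}
}
```

The server only ever sees a challenge and a signature, which is why existing servers need no reconfiguration beyond trusting the public key; the policy decisions (MFA, JIT enablement) and the audit record all sit on the signing side, where the key lives.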

Protocol coverage

Every protocol, one identity layer.

The same platform covers what teams use today and what they add next — no separate tool for each.

Core protocols
SSH (Secure Shell)

SSH keys sprawl across laptops and servers, are rarely rotated, and almost never sit in a central inventory. GaraTrust keeps SSH identity keys in the HSM and uses them by proxy — MFA and Just-in-Time access on every session, with a full audit trail. Existing OpenSSH clients and servers keep working unchanged.

Tags: MFA, Just-in-Time, Full audit

TLS / mTLS (Service Identity)

Service-to-service authentication relies on certificates and private keys spread across hosts and config files, making machine identity hard to govern at scale. GaraTrust issues and governs mTLS identities centrally, keeps the private keys non-exportable, and enforces which services may authenticate as whom.

Tags: Machine identity, Central policy

Cloud API (Cloud & API Access)

Long-lived, static API keys and tokens sit in config files, CI/CD variables, and laptops — easy to leak, hard to rotate. GaraTrust binds cloud and API access to non-exportable cryptographic identity with central policy, Just-in-Time enablement, and full audit, so there's no static secret to copy or lose.

Tags: No static secrets, JIT enablement

Also covered

RDP (Remote Desktop)

The same key-based, MFA-enforced, audited access for Windows remote sessions — no exported credentials to harvest.

VPN (Network Access)

Cryptographic identity and central policy replace static VPN credentials, with Just-in-Time access for privileged tunnels.

Database (Privileged DB Access)

Govern privileged database connections through the same non-exportable identity and audit layer used everywhere else.

Connected workflows

Source Code Repo Access

Git access and commit signing live alongside our software supply chain work, where code provenance is enforced end to end.

Secrets Management

GaraTrust works alongside your secrets manager: it stores the secrets, we enforce how cryptographic keys are used and audited.

What point tools for one protocol can't give you.

Strengthen authentication everywhere at once — without slowing teams down or forcing a rebuild.

Keys never leave hardware

Identity keys stay non-exportable and HSM-backed at all times. No key material on endpoints to steal.

No rip-and-replace

Works with the clients, servers, and identity providers you already run, with SSO and no application changes.

Sub-second by design

A client-side hashing architecture keeps authentication fast at any scale.

Deploy your way

On-premises, in the cloud, or hybrid — on infrastructure you control.

Crypto-agile

Classical, hybrid, and post-quantum algorithms, so you adapt as standards evolve.

One platform, many uses

The same identity layer extends across SSH, TLS, VPN, RDP, and beyond.

Get started

See it on your own infrastructure.

Walk your access protocols with a GaraTrust expert and see how cryptographic identity replaces the credentials you can't currently see.