5-day free trial. No credit card required.

STOP MANUALLY EDITING AUTHORIZED_KEYS.

Lockwave is a central control plane that enforces SSH key state across your Linux fleet. Define access once, sync everywhere, revoke instantly. Zero inbound ports. Full audit trail.

Ed25519 default · Zero inbound ports · GDPR compliant · SOC 2 ready

Three Steps to Enforced Access

From signup to full enforcement in under five minutes.

1. Define

Generate or import SSH keys in the control plane. Assign them to hosts and OS users. Set team roles and policies.

2. Poll

Install the lightweight Go daemon on each host. It polls the control plane over outbound HTTPS - no inbound ports, no SSH tunnels.

3. Enforce

The daemon computes the delta and atomically rewrites authorized_keys. Drift is corrected, unauthorized keys are purged, every change is logged.

Deterministic State Enforcement

When an engineer leaves, you shouldn't be SSHing into hundreds of servers to remove their key. Lockwave replaces that with a single click.

Delete the key or remove the assignment in the control plane. On the next sync cycle, every daemon atomically rewrites its authorized_keys file. The key is gone everywhere - simultaneously, verifiably, irreversibly.

  • Outbound HTTPS only - no inbound firewall rules
  • Atomic file writes prevent partial key corruption
  • Immutable audit log for SOC 2 and ISO 27001
lockwaved.log
time="10:14:02Z" level=info msg="Starting lockwaved v1.0.0"
time="10:14:02Z" level=info msg="Config loaded from /etc/lockwave/config.yml"
time="10:14:03Z" level=info msg="Authenticating with control plane..."
time="10:14:03Z" level=info msg="Authenticated. Host: hst_9f8a7b6c"
time="10:14:05Z" level=info msg="Polling desired state..."
time="10:14:05Z" level=info msg="State received: 3 active, 1 revoked"
time="10:14:05Z" level=warn msg="Drift: unauthorized key SHA256:xYzA..."
time="10:14:05Z" level=info msg="Acquiring file lock on authorized_keys"
time="10:14:05Z" level=info msg="Atomic rename complete. State enforced."
time="10:14:05Z" level=info msg="Sleeping 60s..."

Built for Zero Trust

Every component is designed with security as the primary constraint. No private keys stored. No inbound network access.

Instant Revocation

Offboard an engineer and their SSH access is revoked across every host within the next sync cycle. No manual cleanup, no forgotten servers.

Outbound-Only Daemon

A statically compiled Go binary that polls via outbound HTTPS. No SSH tunnels, no inbound ports, no attack surface expansion.

Break-Glass Controls

Suspected breach? Trigger a global freeze. Every daemon purges all managed keys immediately, locking down your infrastructure until you give the all-clear.

Drift Detection

Someone manually added a key to authorized_keys? The daemon detects the drift, corrects it, and logs a security event. The control plane is always the source of truth.

Atomic Enforcement

POSIX file locking and atomic rename operations ensure authorized_keys is never left in a corrupted or partially-written state. No race conditions.
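
One way to implement the cycle described under Drift Detection and Atomic Enforcement, as an added example that is not Lockwave's own daemon code. The function name Enforce, the `.lock` sidecar file, exact-line comparison and flock(2) as the locking primitive are assumptions, and the key in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Enforce makes path contain exactly desired and returns the lines it purged.
func Enforce(path string, desired []string) ([]string, error) {
	// Assumption: a sidecar lock file, so the lock survives the rename below.
	lock, err := os.OpenFile(path+".lock", os.O_CREATE|os.O_RDWR, 0o600)
	if err != nil {
		return nil, err
	}
	defer lock.Close() // closing the descriptor releases the advisory lock
	if err := syscall.Flock(int(lock.Fd()), syscall.LOCK_EX); err != nil {
		return nil, err
	}
	want := map[string]bool{}
	for _, d := range desired {
		want[d] = true
	}
	var drift []string
	cur, _ := os.ReadFile(path) // a missing file counts as empty current state
	for _, l := range strings.Split(string(cur), "\n") {
		// Exact-line match: a key whose options or comment were edited is drift too.
		if l = strings.TrimSpace(l); l != "" && !strings.HasPrefix(l, "#") && !want[l] {
			drift = append(drift, l)
		}
	}
	// Temp file in the same directory, so rename(2) stays on one filesystem (mode 0600).
	tmp, err := os.CreateTemp(filepath.Dir(path), ".authorized_keys-*")
	if err != nil {
		return nil, err
	}
	defer os.Remove(tmp.Name()) // cleans up on failure; harmless after the rename
	_, werr := tmp.WriteString(strings.Join(desired, "\n") + "\n")
	if err = errors.Join(werr, tmp.Sync(), tmp.Close()); err != nil {
		return nil, err
	}
	return drift, os.Rename(tmp.Name(), path) // readers see the old or the new file, never a partial one
}

func main() { // constructed demo input
	p := filepath.Join(os.TempDir(), "authorized_keys.demo")
	drift, err := Enforce(p, []string{"ssh-ed25519 AAAAC3...constructed alice@example"})
	fmt.Println("purged:", drift, "err:", err)
}
```

The flock is advisory: it serializes cooperating daemon instances, while the rename is what keeps sshd and other readers from seeing a partial file.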

Compliance Ready

Generate PDF and CSV reports showing exactly who had access to which host and when. Immutable audit log provides the evidence SOC 2 and ISO 27001 auditors expect.

Simple, Transparent Pricing

Start free with 3 hosts. Scale to enterprise with unlimited hosts, SSO, and custom SLAs.

  • Free: 3 hosts, 5 keys
  • Standard: 25 hosts, 50 keys
  • Business: 100 hosts, unlimited
  • Enterprise: Unlimited, SSO

Ready to enforce your key policy?

Start free. No credit card required. Deploy the daemon on your first host in under 5 minutes.