Zero-Trust as a Methodology - Enforced Through Hardware-Backed Identity - YubiKey
We incorporate Zero-Trust as a methodology. It is a security philosophy built on "never trust, always verify" and strict least-privilege access. In our workflow, this methodology is implemented through hardware-backed identity using YubiKeys. Each engineer's identity, authentication, and authorization are tied to a physical, non-extractable private key that requires both a PIN and a human touch for every operation. This ensures that access cannot be delegated, shared, phished, or silently used by a compromised machine.
Combined with Keycloak, Teleport, and Netbird, YubiKeys allow us to enforce true Zero-Trust principles across servers, clusters, and internal services, ensuring that every action is explicitly verified, tied to an individual, logged and limited to the minimal scope required.
We provide three ways to securely access Linux servers and Kubernetes clusters.
No matter which option you choose, we strongly recommend restricting the network connectivity of the access component to only the systems we manage, following the principle of least privilege.
We provide two hardened SSH access methods:
Outbound bastion: A small VM inside your network establishes an outbound, SSH-only tunnel to our infrastructure. All access through this tunnel is authenticated exclusively with SSH keys stored on YubiKeys (touch required, with 8-digit PINs).
Inbound bastion: This variant does not create an outbound connection. Instead, it listens on port 22 inside your network and is reachable only from our fixed, dedicated IP addresses in Denmark, Germany, and Finland, which provides redundancy.
Both bastion models can run on an isolated VM or inside your Kubernetes cluster for high availability.
As an alternative to SSH bastions, we can deploy Netbird, an open-source VPN built on the WireGuard protocol.
Netbird integrates directly with Keycloak, allowing centralized authentication, MFA, and fine-grained access policies without relying on static credentials.
Access rights are tied to user identities, and all activity can be audited via Netbird and Keycloak, providing strong security and complete visibility.
For Kubernetes access we use identity-aware, hardware-backed access methods and enable OIDC authentication against Keycloak on the Kubernetes API server.
For Linux server access, we enable authentication using SSH keys, each mapped to an individual's YubiKey.
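The SSH-key model above (keys resident on a YubiKey, touch plus PIN for every use, one key per named individual) can be enforced server-side by OpenSSH itself: keys generated with ssh-keygen -t ed25519-sk (optionally -O resident -O verify-required) only work with the token present, and the authorized_keys option verify-required makes sshd demand PIN verification. The audit script below is an added example, not part of the original page or of the tooling it describes; it checks an authorized_keys file against that policy so that a software key or a key with the touch requirement disabled is flagged before it grants access. The policy rules, the placeholder key blobs and the sample file are constructed for the example.

```python
"""Audit an OpenSSH authorized_keys file against a hardware-backed key policy.

Policy (constructed for this example, not the page's own tooling):
  * every key must be a FIDO2 security-key type (sk-*), i.e. the private key
    lives on a token such as a YubiKey and cannot be exported;
  * every entry must carry the `verify-required` option so that OpenSSH
    demands PIN verification (user presence / touch is already the default
    for sk-* keys, and `no-touch-required` must not appear);
  * every entry must carry a comment naming the individual owning the key,
    so each key maps to one person for auditing.
"""
from typing import List, Tuple

SK_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_options(field: str) -> List[str]:
    """Split an authorized_keys options field on commas outside double quotes."""
    options, current, in_quotes = [], [], False
    for ch in field:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            options.append("".join(current))
            current = []
            continue
        current.append(ch)
    if current:
        options.append("".join(current))
    return options


def parse_entry(line: str) -> Tuple[List[str], str, str, str]:
    """Return (options, key_type, key_blob, comment) for one authorized_keys line."""
    line = line.strip()
    # The options field precedes the key type; detect it by checking whether the
    # first whitespace-delimited token looks like a key type.
    first, _, _ = line.partition(" ")
    if first.startswith(KEY_TYPE_PREFIXES):
        options_field, rest = "", line
    else:
        # Walk to the first whitespace outside quotes: that ends the options field
        # (quoted values such as from="a, b" may contain commas and spaces).
        in_quotes, idx = False, 0
        while idx < len(line):
            ch = line[idx]
            if ch == '"':
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                break
            idx += 1
        options_field, rest = line[:idx], line[idx:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys entry: {line!r}")
    key_type, key_blob = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    return split_options(options_field), key_type, key_blob, comment


def check_entry(line: str) -> List[str]:
    """Return the policy violations for a single entry (empty list = compliant)."""
    options, key_type, _blob, comment = parse_entry(line)
    option_names = {opt.split("=", 1)[0].strip().lower() for opt in options}
    violations = []
    if key_type not in SK_KEY_TYPES:
        violations.append(f"key type {key_type} is not hardware-backed (sk-*)")
    if "verify-required" not in option_names:
        violations.append("missing verify-required (PIN not enforced)")
    if "no-touch-required" in option_names:
        violations.append("no-touch-required disables the physical touch")
    if not comment:
        violations.append("no comment mapping the key to an individual")
    return violations


def audit(authorized_keys: str) -> List[Tuple[int, List[str]]]:
    """Audit a whole file; returns (line_number, violations) for non-compliant lines."""
    findings = []
    for number, raw in enumerate(authorized_keys.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments carry no key
        violations = check_entry(raw)
        if violations:
            findings.append((number, violations))
    return findings


# Constructed sample file: the key blobs are placeholders, not real keys.
SAMPLE = """\
# engineer with a resident FIDO2 key on a YubiKey, PIN + touch enforced
verify-required,from="10.20.0.0/16,10.21.0.5" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER alice@example.org
# software key: the private key lives on disk and can be copied
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER bob@example.org
# hardware key, but touch disabled, no PIN requirement and no owner comment
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER
"""

if __name__ == "__main__":
    for number, violations in audit(SAMPLE):
        for v in violations:
            print(f"line {number}: {v}")
```

Running the script against the sample reports the on-disk ssh-ed25519 key and the entry that disables touch, and passes the YubiKey-resident entry. In a deployment the same requirement can be made global with PubkeyAuthOptions verify-required in sshd_config, which rejects any key that cannot prove PIN verification regardless of what an individual authorized_keys line says; the script remains useful as a periodic check that no software key has crept into the file.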
Teleport provides secure, centralized access to Kubernetes with:
All Teleport traffic flows through gateways deployed in your environment.
We are typically granted cluster-admin or operator-level permissions to ensure we can troubleshoot and resolve issues without waking you up. However, you retain full control over the final access levels.
If passwords or other credentials are required, they are stored in our private repository, managed with the open-source pass tool (passwordstore.org) and encrypted to keys held on our YubiKey hardware tokens.
Whenever possible, we avoid passwords entirely and prefer Keycloak or hardware-based authentication.
Whether via Teleport or Netbird, you receive full visibility into:
Logs can be integrated into your monitoring and logging systems as well as ours.