Ephemera
A Zero-Trust SSH Certificate Authority
Ephemera is a sovereign, air-gapped SSH Certificate Authority designed to replace static keys with short-lived, identity-bound certificates. No long-lived private keys on user devices. Certificates are issued just-in-time and expire automatically.
User → WebAuthn → Short-lived cert → SSH → Logged sudo
Properties
- Zero-Trust — No permanent SSH keys. Certificates expire in minutes.
- WebAuthn MFA — Phishing-resistant authentication via hardware keys or biometrics.
- JIT Sudo — Privilege escalation requires fresh MFA approval, logged centrally.
- Tamper-Evident Audit — Merkle-chained ledger. History cannot be rewritten without detection.
- Sovereign Recovery — Shamir secret sharing for encrypted backups. No cloud dependency.
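The "Tamper-Evident Audit" property above rests on a simple idea: every ledger entry commits to the hash of the entry before it, so editing one historical event invalidates every link after it. The following Python is an added illustration of that chain and of what detection looks like; it is not Ephemera's own ledger code, and the entry layout, the SHA-256 hashing, and the sample events (a certificate issuance and a sudo request/approval) are assumptions constructed for the example. The last two helpers show two kinds of modification: one that only rewrites a single entry (caught by the chain itself) and one that rewrites every later hash (only caught if the head hash was recorded somewhere the ledger writer cannot change).

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Sentinel "previous hash" for the first entry (constructed convention).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class LedgerEntry:
    index: int
    prev_hash: str    # hash of the preceding entry: the chain link
    payload: dict     # the audit event itself (cert issuance, sudo approval, ...)
    entry_hash: str   # SHA-256 over (index, prev_hash, canonical payload)


def compute_entry_hash(index: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same event always produces the same hash.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    material = f"{index}|{prev_hash}|{canonical}".encode()
    return hashlib.sha256(material).hexdigest()


class AuditLedger:
    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []

    def append(self, payload: dict) -> LedgerEntry:
        index = len(self.entries)
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = LedgerEntry(index, prev_hash, payload,
                            compute_entry_hash(index, prev_hash, payload))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # The head hash is what you anchor externally (another host, a notary, paper).
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self) -> Optional[int]:
        """Return None if every link checks out, else the index of the first bad entry."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != expected_prev:
                return i
            if compute_entry_hash(e.index, e.prev_hash, e.payload) != e.entry_hash:
                return i
            expected_prev = e.entry_hash
        return None

    def matches_anchor(self, anchored_head: str) -> bool:
        """Detect a full re-chain by comparing against a previously recorded head hash."""
        return self.verify() is None and self.head() == anchored_head


def build_sample_ledger() -> AuditLedger:
    """Constructed sample events following the User -> WebAuthn -> cert -> sudo flow."""
    ledger = AuditLedger()
    ledger.append({"event": "cert.issue", "user": "alice", "principals": ["alice"], "ttl_s": 600})
    ledger.append({"event": "sudo.request", "user": "alice", "host": "web-01",
                   "cmd": "systemctl restart nginx"})
    ledger.append({"event": "sudo.approve", "user": "alice", "host": "web-01", "mfa": "webauthn"})
    return ledger


def rewrite_entry(ledger: AuditLedger, index: int, new_payload: dict) -> None:
    """Modify one historical event and recompute only that entry's own hash."""
    old = ledger.entries[index]
    ledger.entries[index] = LedgerEntry(index, old.prev_hash, new_payload,
                                        compute_entry_hash(index, old.prev_hash, new_payload))


def rechain(ledger: AuditLedger) -> None:
    """Rebuild every hash from the (possibly modified) payloads so verify() passes again."""
    payloads = [e.payload for e in ledger.entries]
    ledger.entries = []
    for p in payloads:
        ledger.append(p)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    anchored = ledger.head()
    print("intact:", ledger.verify() is None, "head:", anchored[:16])
    rewrite_entry(ledger, 1, {"event": "sudo.request", "user": "alice", "host": "web-01", "cmd": "id"})
    print("first broken link after single-entry rewrite:", ledger.verify())
    rechain(ledger)
    print("chain verifies after re-chain:", ledger.verify() is None,
          "but matches anchor:", ledger.matches_anchor(anchored))
```

The takeaway for operators is the second case: a hash chain alone proves internal consistency, not history, so the head hash must be copied somewhere outside the writer's control (a separate host, a signed timestamp, or even paper) for "cannot be rewritten without detection" to hold against whoever controls the ledger file.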
YubiKey / WebAuthn Setup
Ephemera uses WebAuthn-compatible hardware keys (such as YubiKey) to enforce physical presence for SSH certificate issuance and sudo approval. Learn more in our WebAuthn Guide.
- Run ephemera login
- When prompted, insert and touch your YubiKey
- The credential is registered and bound to your account
- Future SSH renewals and sudo approvals require physical presence
Documentation
- Architecture — Components and trust zones
- Threat Model — Non-goals and accepted risks
- CLI Workflow — Commands and configuration
- Disaster Recovery — Backup and restore procedures
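The "Sovereign Recovery" property and the Disaster Recovery docs both rely on Shamir secret sharing: the key that encrypts a CA backup is split into n shares of which any k reconstruct it, so no single custodian (and no cloud provider) holds the whole key. The Python below is an added worked example of that split-and-recover cycle, not Ephemera's own implementation; the field prime, the share encoding, and the sample 16-byte key are assumptions constructed for the example. It shares a polynomial over the prime field GF(2^127 - 1), evaluates it at x = 1..n, and recovers the secret by Lagrange interpolation at x = 0.

```python
import secrets
from typing import List, Tuple

# Prime field for the arithmetic. 2**127 - 1 is a Mersenne prime and comfortably
# holds a 16-byte key whose leading bit is clear (assumption for this example).
PRIME = 2**127 - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    # Horner's rule, mod PRIME. coeffs[0] is the constant term (the secret).
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not (1 < threshold <= shares):
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field; share a wrapping key instead")
    # Degree threshold-1 polynomial with the secret as constant term and
    # cryptographically random higher coefficients.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Tuple[int, int]], secret_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given points."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        # Modular inverse via pow(..., -1, PRIME) (Python 3.8+).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(secret_len, "big")


def demo() -> Tuple[bool, bool]:
    """Return (recovered_with_k_shares_ok, recovered_with_k_minus_1_shares_ok)."""
    # Constructed sample: the symmetric key that would wrap an encrypted CA backup.
    backup_key = b"constructed-key!"
    shares = split_secret(backup_key, threshold=3, shares=5)
    with_three = recover_secret([shares[0], shares[2], shares[4]], len(backup_key))
    with_two = recover_secret([shares[1], shares[3]], len(backup_key))
    return with_three == backup_key, with_two == backup_key


if __name__ == "__main__":
    ok_k, ok_below_k = demo()
    print("3 of 5 shares recover the key:", ok_k)
    print("2 of 5 shares recover the key:", ok_below_k)
```

Two practical notes follow from the code: what gets shared is the (short) key that wraps the backup, never the backup itself, and any k - 1 shares are information-theoretically useless, which is why the threshold, not the share count, is the security parameter to choose when deciding how many custodians must meet to restore the CA.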
Ephemera is open source under the Apache 2.0 license.
codeberg.org/Qarait1/ephemera