Ephemera
A Zero-Trust SSH Certificate Authority
Ephemera is a sovereign, air-gapped SSH Certificate Authority designed to replace static keys with short-lived, identity-bound certificates. No long-lived private keys on user devices. Certificates are issued just-in-time and expire automatically.
What Ephemera Is
Ephemera is a self-hosted SSH Certificate Authority built on native OpenSSH features. It replaces long-lived SSH keys with short-lived certificates issued just-in-time, with explicit physical presence and auditable privilege escalation.
It is designed for teams that want centralized SSH governance without MITM proxies, custom protocols, or cloud dependencies.
What Ephemera Is Not
- Not an SSH proxy or MITM gateway: Ephemera is not a shim or gateway. It operates solely at the certificate issuance and policy level.
- Not a PAM replacement: While it integrates with PAM for sudo approval, it does not replace the system's underlying authentication modules.
- Not a runtime monitoring tool: It does not monitor active SSH sessions or network traffic.
- Not a cloud service: Ephemera is exclusively self-hosted for maximum sovereignty.
- Not a SIEM: It is a CA with audit capabilities, not a security information and event management platform.
Why Ephemera?
Traditional SSH relies on long-lived private keys spread across laptops and servers. Once a key leaks, access persists until you discover it and rotate keys everywhere. Ephemera replaces static keys with short-lived certificates that expire automatically, shrinking the window of misuse from months to minutes.
Status
- Core SSH CA: Production ready (v3.3.0)
- Fuzz Soak: 1,000,000 internal iterations passed (0 mismatches)
- OpenSSF Best Practices: Passing
Architecture
User + WebAuthn
→ Ephemera CA (policy, signing, ledger)
→ SSH servers (TrustedUserCAKeys)
→ Audit log (tamper-evident chain)
Full architecture documentation →
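The architecture above relies on nothing beyond OpenSSH's own certificate support: a CA key signs a user's public key into a certificate that carries a principal list and a validity window, and each server trusts that CA through `TrustedUserCAKeys`. The shell walk-through below is an added example of that native mechanism and is not Ephemera's code; the CA name, the user `alice`, the key ID, the temporary paths and the `/etc/ssh/user_ca.pub` location are all constructed for the demo, and the WebAuthn, policy and ledger steps that Ephemera wraps around issuance are left out.

```shell
#!/bin/sh
# Added example (not Ephemera's own code): the native OpenSSH mechanism an SSH CA
# builds on. A CA key signs a user's public key into a certificate with a short
# validity window and a fixed principal list; servers trust the CA via
# TrustedUserCAKeys. All names and paths below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

have_ssh_keygen() { command -v ssh-keygen >/dev/null 2>&1; }

# Step 1: the CA keypair. In a real deployment this private key stays on the
# isolated CA host; it is never copied to user devices or servers.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/user_ca"
}

# Step 2: a fresh per-session user keypair. Because the certificate expires in
# minutes, this private key can be discarded after use instead of living on
# the laptop for years.
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice-session' -f "$WORK/alice"
}

# Step 3: issue the certificate. -n pins the principals the cert may log in as,
# -V bounds validity (one minute of clock-skew tolerance into the past, five
# minutes ahead), -I is the key ID that appears in sshd's auth log, -z the serial.
issue_cert() {
  ssh-keygen -q -s "$WORK/user_ca" -I 'alice@session-0001' -n alice \
    -V '-1m:+5m' -z 1 "$WORK/alice.pub"
  # ssh-keygen writes the certificate next to the key as alice-cert.pub
}

# Inspect the issued certificate (ssh-keygen -L) and extract its principal list.
cert_principals() {
  ssh-keygen -L -f "$WORK/alice-cert.pub" |
    awk '/Principals:/ { f = 1; next } /Critical Options:/ { f = 0 } f { sub(/^[ \t]+/, ""); print }'
}

# The server-side half: sshd trusts any certificate signed by the CA public key
# listed in TrustedUserCAKeys; no per-user authorized_keys entry is needed.
sshd_trust_snippet() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
}

run_demo() {
  make_ca
  make_user_key
  issue_cert
  echo "--- certificate details ---"
  ssh-keygen -L -f "$WORK/alice-cert.pub"
  echo "--- sshd_config line for servers (with user_ca.pub copied there) ---"
  sshd_trust_snippet
}

if have_ssh_keygen; then
  run_demo
else
  echo "ssh-keygen not found; skipping demo" >&2
fi
```

The `Valid:` line in the `ssh-keygen -L` output is the whole point: once that window passes, the certificate is useless to whoever holds it, and the server needs no revocation step. Revoking the CA key itself, or adding a `RevokedKeys` list, is the only server-side action ever required, which is why the CA private key must stay off user devices.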
Properties
- Zero-Trust: No permanent SSH keys. Certificates expire in minutes.
- WebAuthn MFA: Phishing-resistant authentication via hardware keys or biometrics. (Setup guide)
- JIT Sudo: Privilege escalation requires fresh MFA approval, logged centrally.
- Tamper-Evident Audit: Merkle-chained ledger. History cannot be rewritten without detection.
- Sovereign Recovery: Self-hosted backups with Shamir secret sharing. No cloud dependency.
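The tamper-evident audit property rests on chaining: every ledger record commits to the hash of the record before it, so changing or removing any past entry breaks every later link. The script below is an added example of the simplest form of that idea, a linear SHA-256 hash chain; it is not Ephemera's ledger format, and the record texts, the genesis value and the `|` field layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Ephemera's own ledger format): a minimal tamper-evident
# hash chain. Each record stores the previous record's hash, so editing or
# deleting history changes every later hash. Record text is constructed for
# the demo and must not contain the '|' field separator.
set -eu

LEDGER="$(mktemp)"
trap 'rm -f "$LEDGER"' EXIT

if command -v sha256sum >/dev/null 2>&1; then HASH="sha256sum"; else HASH="shasum -a 256"; fi

digest() { printf '%s' "$1" | $HASH | cut -d' ' -f1; }

# Chain anchor: a fixed genesis value rather than an empty string.
GENESIS="$(digest 'ephemera-demo-genesis')"

# Hash of the newest record (or genesis for an empty ledger).
ledger_head() {
  if [ -s "$LEDGER" ]; then tail -n 1 "$LEDGER" | cut -d'|' -f3; else echo "$GENESIS"; fi
}

# Append "<prev>|<record>|<hash>" with hash = SHA-256(prev | record).
ledger_append() {
  prev="$(ledger_head)"
  printf '%s|%s|%s\n' "$prev" "$1" "$(digest "$prev|$1")" >> "$LEDGER"
}

# Walk the chain from genesis, recomputing every hash. Returns non-zero and
# names the first bad record if any link is broken.
ledger_verify() {
  expect="$GENESIS"; n=0
  while IFS='|' read -r prev record h; do
    n=$((n + 1))
    [ "$prev" = "$expect" ] || { echo "record $n: previous-hash link broken"; return 1; }
    [ "$(digest "$prev|$record")" = "$h" ] || { echo "record $n: content does not match its hash"; return 1; }
    expect="$h"
  done < "$LEDGER"
  echo "ledger ok: $n records, head $(ledger_head)"
}

# Simulate someone editing the record text of line N in place.
ledger_tamper() {
  awk -F'|' -v OFS='|' -v n="$1" -v e="$2" 'NR == n { $2 = e } { print }' "$LEDGER" > "$LEDGER.tmp"
  mv "$LEDGER.tmp" "$LEDGER"
}

# Demo: three constructed audit events, a verified chain, then a tampered one.
ledger_append 'cert issued serial=1 principal=alice ttl=5m'
ledger_append 'sudo approved host=db-01 principal=alice'
ledger_append 'cert issued serial=2 principal=bob ttl=5m'
ledger_verify
CHECKPOINT="$(ledger_head)"   # what an operator would record somewhere the CA host cannot overwrite
echo "checkpoint: $CHECKPOINT"
ledger_tamper 2 'sudo approved host=db-01 principal=mallory'
ledger_verify || echo "tampering detected"
```

The verifier catches an in-place edit because the stored hash no longer matches the record. An attacker who can rewrite the whole file can also recompute every later hash, so the chain alone only proves internal consistency; detection of a full rewrite depends on the head hash being checkpointed somewhere the ledger writer cannot change (an external log, a signed export, a second host), which is what `CHECKPOINT` stands in for above. A Merkle structure adds efficient proofs that a single record belongs to a checkpointed head without re-reading the entire file.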
Experimental: Trust Budgeting (Opt-in)
Ephemera can optionally enforce issuance-time trust budgets to limit cumulative privileged authority. This is a governance mechanism, not a runtime control or security guarantee.
- Operates only at certificate issuance time
- Introduces no runtime monitoring or agents
- Disabled by default
- Experimental: may change or be removed
Read the Trust Budgeting documentation →
Get Started
- Read Threat Model: Security assumptions and non-goals
- Review Architecture: Components and trust zones
- Try CLI Workflow: Local deploy and first certificate
- Explore Trust Budgeting: Governance primitive (experimental)
Documentation
- Architecture: Components and trust zones
- Threat Model: Non-goals and accepted risks
- CLI Workflow: Commands and configuration
- Disaster Recovery: Backup and restore procedures
Ephemera is open source under the Apache 2.0 license.
codeberg.org/Qarait/ephemera