Encryption & Data Privacy
Your data. Your keys.
Zero knowledge.
HostAtlas encrypts data at every layer — in transit, at rest, and in backup. Agent communication is signed with HMAC-SHA256 and transported over TLS 1.3. Offsite backups use AES-256-GCM with client-side encryption, meaning we never see your data in plaintext. API keys are stored as SHA-256 hashes. Sensitive data is filtered before it leaves your server.
TLS 1.3
Transport encryption
AES-256
GCM backup encryption
SHA-256
Token & key hashing
HMAC
Request signing
Agent Communication
TLS 1.3, HMAC-SHA256 signing, and replay protection.
Every request from the HostAtlas agent to the platform is encrypted with TLS 1.3 and signed with HMAC-SHA256. The signature is computed from the request body and a shared secret derived from the agent's authentication token. The platform verifies the signature, checks a timestamp-based nonce for replay protection, and rejects any request that fails validation.
TLS 1.3 Only
No fallback to TLS 1.2 or older versions. The agent uses Go's native TLS implementation with strict certificate validation. MITM attacks are not possible.
HMAC-SHA256 Signing
Each request includes an X-Signature header containing the HMAC-SHA256 of the request body. The platform recomputes the signature server-side and rejects mismatches.
Replay Protection
Each request includes a timestamp-based nonce. The platform rejects requests older than a configurable window (default: 60 seconds), preventing captured requests from being replayed.
Outbound-Only
The agent never opens inbound ports. All communication is initiated by the agent, polling the platform for commands and pushing metrics. No SSH, no reverse tunnels, no open ports.
Request Signing Flow
1. Agent builds request
POST /api/agent/metrics
Content-Type: application/json
X-Timestamp: 1712150400
Body: {"cpu": 24.5, "mem": 67.2}
2. Compute HMAC-SHA256
message = timestamp + body
signature = hmac_sha256(secret, message)
X-Signature: a1b2c3d4e5f6...
3. Platform verifies
✓ TLS 1.3 connection valid
✓ HMAC signature matches
✓ Timestamp within 60s window
✓ Token hash matches stored hash
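The signing flow above, worked through in Go (the language the page says the agent is written in) as an added example; this is not HostAtlas code, and the shared secret, request body and exact header handling are constructed for illustration. The platform side recomputes the HMAC over timestamp + body, compares it in constant time, and only then checks the 60-second window:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// ReplayWindow mirrors the page's default: requests older than 60 s are rejected.
const ReplayWindow = 60 * time.Second

// SignedRequest holds the two headers and the body that travel together.
type SignedRequest struct {
	Timestamp string // X-Timestamp, Unix seconds
	Signature string // X-Signature, hex-encoded HMAC-SHA256
	Body      []byte
}

// computeSignature implements "message = timestamp + body" from the flow above.
// Because the timestamp is inside the MAC, a captured request cannot be re-dated.
func computeSignature(secret []byte, timestamp string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(timestamp))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Sign is the agent side (steps 1 and 2): stamp the request and sign it.
func Sign(secret, body []byte, now time.Time) SignedRequest {
	ts := strconv.FormatInt(now.Unix(), 10)
	return SignedRequest{Timestamp: ts, Signature: computeSignature(secret, ts, body), Body: body}
}

// Verify is the platform side (step 3): recompute the HMAC, compare it in
// constant time, then enforce the replay window on the signed timestamp.
func Verify(secret []byte, req SignedRequest, now time.Time) error {
	expected := computeSignature(secret, req.Timestamp, req.Body)
	// hmac.Equal is constant-time, so the comparison leaks nothing about how
	// many leading bytes of a forged signature happened to be right.
	if !hmac.Equal([]byte(expected), []byte(req.Signature)) {
		return errors.New("signature mismatch")
	}
	secs, err := strconv.ParseInt(req.Timestamp, 10, 64)
	if err != nil {
		return fmt.Errorf("bad X-Timestamp: %w", err)
	}
	age := now.Sub(time.Unix(secs, 0))
	if age < 0 {
		age = -age // tolerate an agent clock slightly ahead of the platform
	}
	if age > ReplayWindow {
		return errors.New("X-Timestamp outside replay window")
	}
	return nil
}

func main() {
	// Constructed values; in the real flow the secret is derived from the agent token.
	secret := []byte("constructed-shared-secret")
	body := []byte(`{"cpu": 24.5, "mem": 67.2}`)
	req := Sign(secret, body, time.Now())
	fmt.Println("X-Timestamp:", req.Timestamp)
	fmt.Println("X-Signature:", req.Signature)
	fmt.Println("verify:", Verify(secret, req, time.Now()))
}
```

The signature is checked before the timestamp so that an unauthenticated sender cannot probe the window with unsigned traffic. A time window on its own still permits a replay inside those 60 seconds; if that matters for a given endpoint, the platform can additionally remember signatures it has accepted for the length of the window and reject a repeat.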
Backup Encryption Model
Your Server
Step 1: Generate encryption key
AES-256-GCM key generated locally
Step 2: Encrypt backup data
Data encrypted before leaving server
Step 3: Upload ciphertext
Only encrypted bytes transmitted
Hetzner S3 (EU)
Ciphertext stored. Key not present.
HostAtlas cannot decrypt your data.
Offsite Backups
AES-256-GCM. Client-side encryption. Key never leaves your server.
HostAtlas offsite backups use true client-side encryption. The encryption key is generated on your server and never transmitted to the platform. Data is encrypted locally using AES-256-GCM before it leaves your server. What we store on Hetzner S3 is ciphertext — we have zero knowledge of its contents. Even if our storage were compromised, your data would remain protected.
AES-256-GCM
Authenticated encryption that provides both confidentiality and integrity. If a single bit of the ciphertext is modified, decryption fails entirely — protecting against tampering.
Zero-Knowledge Architecture
The encryption key exists only on your server. HostAtlas has no copy, no escrow, no recovery mechanism. You control your data completely.
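The three steps of the backup model (generate a key locally, encrypt before upload, ship only ciphertext) as an added Go example, not HostAtlas code. The object name used as associated data is an assumption of this example, not something the page describes; it binds a blob to its storage path so a ciphertext cannot be swapped for another one under a different name:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// GenerateKey is step 1: a 32-byte (AES-256) key from the OS CSPRNG, made on the server.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt is step 2: seal plaintext with AES-256-GCM. The output is
// nonce || ciphertext || tag, which is all that step 3 would upload.
// aad (e.g. the object name, an assumption of this example) is authenticated but not encrypted.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob from Encrypt. A single flipped bit anywhere in nonce,
// ciphertext or tag fails authentication and returns an error, not garbage.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := GenerateKey()
	blob, _ := Encrypt(key, []byte("constructed backup contents"), []byte("backups/db.sql"))
	fmt.Printf("uploaded %d ciphertext bytes; key stays local\n", len(blob))
	blob[len(blob)-1] ^= 0x01
	_, err := Decrypt(key, blob, []byte("backups/db.sql"))
	fmt.Println("tampered blob:", err)
}
```

GCM with random 96-bit nonces is safe for a large but finite number of messages under one key (the usual guidance is to rotate well before 2^32 encryptions), so a long-lived backup key should be rotated rather than used indefinitely; since the key never leaves the server, rotation is a local operation.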
Ransomware Gate
Shannon entropy analysis detects ransomware-encrypted files before they enter the backup chain. Suspicious entropy spikes freeze the backup schedule to protect clean copies.
API Keys & Tokens
SHA-256 hashed. Timing-safe comparison. Shown once.
Agent tokens and API keys are never stored in plaintext. When a token is created, it is hashed with SHA-256 and only the hash is persisted in the database. The raw token is displayed once to the user and never stored. Token validation uses constant-time comparison to prevent timing side-channel attacks.
SHA-256 Hashing
Every API key and agent token is stored as a SHA-256 hash. If the database were compromised, attackers would have hashes, not usable tokens. SHA-256 is irreversible — the original token cannot be derived from the hash.
Timing-Safe Comparison
Token validation uses constant-time comparison (hash_equals). This prevents timing attacks where an attacker measures response time to determine how many bytes of a token prefix are correct.
Shown Once
The raw token is displayed exactly once at creation time. There is no "show token" button, no email with the token, no way to retrieve it later. If lost, the token must be revoked and a new one generated.
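The token lifecycle described in this section (random token, SHA-256 hash persisted, raw value returned once, constant-time validation, revoke-and-reissue) as an added Go example; it is not HostAtlas code, and the in-memory store keyed by a token id is an assumption of the example. hmac.Equal plays the role the page assigns to PHP's hash_equals:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// TokenStore persists only SHA-256 digests, keyed by a token id (an assumption
// of this example). No raw token is ever written here.
type TokenStore struct {
	hashes map[string][32]byte
}

func NewTokenStore() *TokenStore {
	return &TokenStore{hashes: map[string][32]byte{}}
}

// Issue creates a 256-bit random token, stores its hash, and returns the raw
// token exactly once. After this returns, the store cannot reproduce it.
func (s *TokenStore) Issue(id string) (string, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.hashes[id] = sha256.Sum256([]byte(token))
	return token, nil
}

// Validate hashes the presented token and compares it to the stored digest in
// constant time, so response timing does not depend on how many bytes matched.
func (s *TokenStore) Validate(id, presented string) bool {
	stored, ok := s.hashes[id]
	if !ok {
		return false
	}
	sum := sha256.Sum256([]byte(presented))
	return hmac.Equal(sum[:], stored[:])
}

// Revoke drops the digest; a lost token can only be replaced by a new Issue.
func (s *TokenStore) Revoke(id string) {
	delete(s.hashes, id)
}

func main() {
	store := NewTokenStore()
	token, _ := store.Issue("agent-1") // constructed id
	fmt.Println("show once:", token)
	fmt.Println("valid:", store.Validate("agent-1", token))
	store.Revoke("agent-1")
	fmt.Println("after revoke:", store.Validate("agent-1", token))
}
```

Plain SHA-256 is adequate here because the token is 256 bits of CSPRNG output, so there is nothing for an offline guessing attack to enumerate; the slow, salted hashes used for user passwords exist to compensate for low-entropy input and are unnecessary for random API tokens.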
Sessions & Cookies
Encrypted sessions. HTTPOnly. Secure. SameSite.
HostAtlas uses encrypted, server-side sessions. Session cookies are set with HTTPOnly (not accessible to JavaScript), Secure (only sent over HTTPS), and SameSite=Lax (CSRF protection). Session data is encrypted at rest and decrypted only on the server during request processing.
HTTPOnly Flag
Session cookies cannot be accessed by client-side JavaScript. This eliminates the most common XSS-based session hijacking vector.
Secure Flag
Cookies are only transmitted over HTTPS connections. No session data is ever sent over unencrypted HTTP, even if the user somehow accesses a non-TLS endpoint.
Encrypted Session Data
Session payload is encrypted using the application encryption key. Even if session storage were compromised, the data would be unreadable without the key.
Session Cookie Headers
Set-Cookie:
hostatlas_session=eyJpdiI6Ik1qQ...;
Path=/;
HttpOnly;
Secure;
SameSite=Lax;
Max-Age=7200;
Security Headers
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
Database & Tenant Isolation
No cross-tenant data access. Enforced at every layer.
Every database query is scoped to the authenticated team using global query scopes. This is not a UI-level filter — it is enforced in the ORM layer, meaning even internal code cannot accidentally query another team's data. Agent tokens are bound to a single team. API keys are scoped to a single team. There are no admin endpoints that bypass tenant isolation.
Query-Level Isolation
Global scopes automatically append WHERE team_id = ? to every query. This cannot be bypassed by the application without explicitly removing the scope, which is code-reviewed and audited.
-- Every query includes team scope
SELECT * FROM servers
WHERE team_id = 'uuid-abc'
AND status = 'online';
UUID Resource Identifiers
All resources use UUID v4 identifiers instead of auto-incrementing integers. This prevents enumeration attacks and makes it impossible to guess valid resource IDs by incrementing a counter.
/api/servers/1 (enumerable)
/api/servers/a3b8f7c2-... (UUID v4)
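Generating and validating UUID v4 identifiers, as an added Go example (not HostAtlas code; a production service would normally use a maintained UUID library rather than hand-rolled bit handling). The non-obvious part is that a v4 UUID is not simply 16 random bytes: the version nibble and variant bits are fixed, which is also what a validator should check before an identifier reaches a query:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"regexp"
)

// NewUUIDv4 returns a random (version 4) UUID per RFC 4122: 122 random bits
// from the OS CSPRNG, with the version nibble forced to 4 and the variant to 10xx.
func NewUUIDv4() (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	h := hex.EncodeToString(b[:])
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[0:8], h[8:12], h[12:16], h[16:20], h[20:]), nil
}

// uuidV4Pattern accepts only lowercase v4 UUIDs: third group starts with 4,
// fourth group starts with 8, 9, a or b.
var uuidV4Pattern = regexp.MustCompile(
	`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)

// IsUUIDv4 validates a path parameter before it is used in a query, so an
// integer or malformed id is rejected at the edge rather than hitting the database.
func IsUUIDv4(s string) bool {
	return uuidV4Pattern.MatchString(s)
}

func main() {
	id, _ := NewUUIDv4()
	fmt.Println("/api/servers/" + id)
	fmt.Println("valid:", IsUUIDv4(id), "integer id valid:", IsUUIDv4("1"))
}
```

A random id stops enumeration but is not authorization: a request for a valid UUID must still be checked against the caller's team scope, which is the point of the query-level isolation described above.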
Sensitive Data Filtering
Cron commands sanitized. SSL keys excluded. Secrets filtered.
The HostAtlas agent is designed to never transmit sensitive data. Cron job commands that contain passwords or tokens are sanitized before being sent to the platform. SSL private keys are never read or transmitted. Log lines matching sensitive patterns (API keys, passwords, tokens) are filtered at the agent level before they leave your server.
Cron Command Sanitization
Environment variables and inline credentials in cron commands are redacted before transmission. You see the schedule and script path, not the database password embedded in the command.
SSL Key Exclusion
The agent reads SSL certificate metadata (expiry date, issuer, domain) but never reads or transmits the private key. Private keys are excluded from all file scanning operations.
Log Line Filtering
Log lines containing patterns matching API keys, Bearer tokens, passwords, and other sensitive strings are filtered at the agent level. The line is either redacted or excluded entirely.
Filtering Examples
Cron command (before)
mysqldump -u root -pS3cr3t! mydb > /backup/db.sql
Cron command (after sanitization)
mysqldump -u root -p[REDACTED] mydb > /backup/db.sql
Log line (before)
Authorization: Bearer sk_live_a1b2c3d4e5f6
Log line (after filtering)
Authorization: Bearer [FILTERED]
SSL certificate handling
✓ Reads: expiry, issuer, CN, SANs
✗ Never reads: private key file
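The cron and log-line filtering shown above, implemented as an added Go example; this is not the agent's code, and the regular expressions are constructed for illustration (the page does not publish the agent's actual rule set). The rules err on the side of redacting, since a false positive costs a little visibility while a miss ships a credential off the server:

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed rule set for this example; a real agent would carry a larger, maintained list.
var (
	// "-pSECRET" and "--password=SECRET" style flags (mysql-style concatenated value)
	cronPasswordFlag = regexp.MustCompile(`(\s-p|\s--password=)\S+`)
	// VAR=value assignments whose name suggests a secret
	cronEnvSecret = regexp.MustCompile(`(?i)\b([A-Z0-9_]*(PASSWORD|PASS|SECRET|TOKEN|KEY)[A-Z0-9_]*=)\S+`)
	// Bearer credentials in log lines
	logBearer = regexp.MustCompile(`(?i)(Bearer\s+)\S+`)
	// key=value or key: value pairs with a secret-looking key
	logKeyValue = regexp.MustCompile(`(?i)\b((api[_-]?key|password|token|secret)\s*[=:]\s*)\S+`)
)

// SanitizeCron keeps the schedule and script path intact and replaces inline
// credentials with [REDACTED], matching the "after sanitization" line above.
func SanitizeCron(cmd string) string {
	cmd = cronPasswordFlag.ReplaceAllString(cmd, "${1}[REDACTED]")
	cmd = cronEnvSecret.ReplaceAllString(cmd, "${1}[REDACTED]")
	return cmd
}

// FilterLogLine replaces secret values with [FILTERED] and reports whether the
// line was touched, so a caller can choose to drop such lines entirely instead.
func FilterLogLine(line string) (filtered string, changed bool) {
	out := logBearer.ReplaceAllString(line, "${1}[FILTERED]")
	out = logKeyValue.ReplaceAllString(out, "${1}[FILTERED]")
	return out, out != line
}

func main() {
	// Constructed inputs mirroring the examples on the page.
	fmt.Println(SanitizeCron("mysqldump -u root -pS3cr3t! mydb > /backup/db.sql"))
	fmt.Println(SanitizeCron("DB_PASSWORD=hunter2 /usr/bin/backup.sh --target=/mnt"))
	fmt.Println(FilterLogLine("Authorization: Bearer sk_live_a1b2c3d4e5f6"))
	fmt.Println(FilterLogLine("GET /health 200"))
}
```

Filtering runs on the agent, before transmission, which is the property that matters: a platform-side filter would mean the secret had already crossed the wire and landed in request logs.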
Get Started
Your infrastructure, encrypted at every layer.
TLS 1.3, HMAC-SHA256, AES-256-GCM, SHA-256 hashing, zero-knowledge backups, and sensitive data filtering — all included on every plan. Free for up to 3 servers. No credit card required.