HARDWARE-BACKED FEDERATED IDENTITY

Secure Linux Access
for the Agentic Era.

Prmana replaces static SSH credentials with hardware-backed, ephemeral identity — covering the dev boxes, CI runners, edge nodes, and AI agents that your gateway doesn't reach.

Why Prmana Get Started

THE PROBLEM

Your gateway covers the front door.
The back yard is wide open.

Static Keys

SSH keys get copied, shared, and never rotated. That key from 2019 on a developer's laptop? Still works.

No MFA

You need MFA for email but not for root access to production. Enterprise identity stops at the browser.

Offboarding

When someone leaves, finding all their access is archaeology. authorized_keys scattered across servers.

THE APPROACH

OIDC at the host. No gateway in between.

Prmana brings your existing IdP (Okta, Azure AD, Keycloak, Auth0) to Linux PAM. Users authenticate once through SSO, and every token is cryptographically bound to the client via DPoP (RFC 9449) — stolen tokens are useless without the private key.

✓ Direct-to-host — no proxy or gateway
✓ DPoP proof-of-possession, not bearer tokens
✓ Works with your existing IdP and SSSD

✓ Hardware key binding (YubiKey, TPM 2.0)
✓ Break-glass access built in
✓ Apache-2.0 — no vendor lock-in

TRUST & COMPLIANCE

Audit-Ready by Design.

Prmana generates the cryptographic evidence required for modern compliance frameworks. From SOC 2 to NIST 800-63B, we provide the tamper-evident audit trail your CISO demands.

AAL3 Aligned

Hardware-bound DPoP keys align with NIST SP 800-63B AAL3 when IdP enforces hardware-backed MFA.

OCSF Native

Structured audit logs follow the Open Cybersecurity Schema Framework for portable security telemetry.

FIPS-Compatible

Built on aws-lc-rs cryptographic primitives with available FIPS 140-2 validated modules.

SLSA L3

Full supply chain attestation for our build process, ensuring binary integrity.

Secure the Entrance.

CAPABILITY

PRMANA CORE (OSS)

Identity Model

Human OIDC

Hardware Binding

DPoP (RFC 9449)

Audit Engine

Local OCSF

Revocation

Manual (Local)

Automation

Local Config

ZERO-TRUST FOUNDATION

The Architecture of Evidence.

Prmana doesn't trust bearer tokens. Every authentication token is cryptographically bound to the client's hardware via DPoP (RFC 9449) — with TPM 2.0 keys that are physically non-exportable.

Memory Protection

Ephemeral P-256 keys are generated in heap space protected by mlock(2), ensuring private keys never touch the swap disk or core dumps.

Hardware Attestation

Cryptographic proof of identity is bound to physical silicon via TPM 2.0, creating an immutable link between the user and their hardware.

Engineered to International Standards.

RFC 9449 OAuth 2.0 DPoP

RFC 8628 Device Authorization

FIPS 204 Post-Quantum ML-DSA

NIST 800-63B AAL3 Authentication

RFC 7638 JWK Thumbprint

OCSF 1.3 Security Event Schema

Latest from the Edge.

Philosophy

Why SSH Keys are the Ghost Credentials of your Fleet.

Exploring the massive gap between probabilistic identity and deterministic hardware evidence.

Protocol

DPoP: The Modern Web Standard comes to the Linux Terminal.

A deep dive into RFC 9449 and the end of bearer token theft in the terminal.

Your gateway covers the front door.The back yard is wide open.