Request a demo

Trust at the edge · trust lives in the credential

Fleet access that works offline

An engineer logs in with a cryptographic credential. Identity, role and the binding to a specific device are baked into the certificate itself — the device validates everything locally, with no call home at login time.

Request a demo GitHub
Diagram: a dashed offline boundary separates the network side — Control and Codes servers (policy, issuance, audit) — from an ATM device where login and validation happen on the spot. Caption: no network, yet login, validation and accountability remain.
fig. 1 — the offline boundary: server on the left, device on the right, trust in the credential

01 · Problem

Thousands of devices. Two bad options.

ATMs, CNC machines, substations — a fleet of thousands of devices with no reliable connectivity. How do engineers get access?

Option A

One shared account everywhere

A single password for the whole fleet. Zero accountability: the log shows a shared account, not a specific engineer. Revoking one engineer means rotating the password on thousands of devices.

Option B

Personal accounts on every device

N engineers × M devices. Every hire, departure and rotation becomes a fleet-wide update. On an offline fleet this is unmanageable by construction.

The third way — Tessera

One technical account + identity in the credential

The device keeps a single account. Who logged in, under which role and for how long is written into the credential itself. Full accountability without N×M.

What about classic PAM? Vault, Teleport and PASM-class bastions require the control plane to be reachable at login time: no connectivity — no access (or a workaround hole). On a zero-egress fleet they don't work by design.

02 · How it works

Five steps — from policy to revocation

  1. Issuance

    An administrator sets the policy: roles, devices by tag, validity period. The CA issues a short-lived certificate with the rights inside — onto a USB key protected by a PIN.

  2. Login

    The engineer plugs in the key and picks a role. Engine locally verifies the signature, host binding (this exact device), validity period and permitted roles — without a single network request.

  3. Session

    The session opens at exactly the requested role — least privilege, even if the certificate allows more. The engineer's identity is fixed in the credential.

  4. The token stays in control

    Pull the key out — the session ends. udev monitoring watches the medium: no token, no session.

  5. Revocation

    CRL, live-session revocation, device quarantine. The offline backstop: the certificate expires on its own TTL — hours or a shift, not months.

Certificate login diagram: the engineer's USB key holds a certificate and a PIN-protected key; Tessera Engine locally runs five checks — CA signature, host binding, TTL and CRL, roles, proof of possession — and opens an oper session. The network behind the dashed boundary is not needed.
fig. 2 — certificate login: five checks, zero network requests

03 · Capabilities

Every claim is a mechanism, not a promise

Cryptography

X.509 + PKCS#11

Hardware tokens (Rutoken / JaCarta with GOST algorithms) — or a PIN-protected container on a plain USB stick. Standard formats, no vendor lock-in.

Device

Host binding

The credential is bound to one specific device. A stolen USB key is useless on the ATM next door — Engine rejects it locally.

Time

Short-lived credentials

TTL of hours or a shift. Even with no link to the center, access expires on its own: time works for the defender, not against them.

Rights

Roles and enforcement

The role in the credential becomes real constraints: Astra mandatory integrity controls, groups, sudoers, systemd limits. Not "access in general" — exactly the level needed.

Revocation

CRL and revocation

Revocation is forever: a monotonic crlNumber prevents replaying an older list. Live sessions get revoked; a device can be quarantined.

Audit

Tamper-evident audit

The on-device journal is a hash chain: every record is stitched to the previous one, so tampering shows. For air-gapped sites — export by courier media.

Scale

Delegated issuance

Intermediate CAs for branches and contractors — inside name constraints the device verifies offline. A delegate cannot step outside its boundaries.

Compliance

GOST and certification

GOST cryptography with certified modules (CryptoPro CSP, Rutoken) for FSTEC-regulated environments. First target platform — Astra Linux SE.

Network

Hybrid fleets

When connectivity exists, a sync agent pulls roles and CRLs (pull-only). Network degradation changes data freshness — never the security model.

04 · Scenarios

Where this is needed today

ATMs · zero-egress

A fleet with no outbound connections at all

USB key → pick a role → log in with no network. Revocation on the server side is instant; on the offline fleet it is guaranteed by TTL.

Defense industry · CNC

An isolated shop floor

The shift operator signs in under the oper role, the service technician under serv — each with their own credential, rights set by the role. A tamper-evident journal lives on the device itself; the regulator gets a USB export.

Energy · contractor

Access under a work order

The contractor scans a QR code with a phone, the dispatcher approves online (four-eyes), and access lasts only for the duration of the work. The device itself never touches the network.

QR login diagram: the ATM shows a QR with device_id and nonce; the phone scans it and passes SSO/2FA; the issuance PDP checks the work order, shift window, four-eyes and device status (AND, fail-closed) and returns a MAC code; the engineer types the code, Engine verifies the MAC locally and opens the session.
fig. 3 — QR login: the phone is online, the device is not
Critical infrastructure · GOST

Regulated environments

One technical account on the device, login with a GOST token. issuance_id ties issuance → login → actions → termination into a single provable thread.

Audit diagram: the chain issuance — credential — session — termination is linked by an end-to-end issuance_id; the device journal is a hash chain where a cut-out block breaks the chain and is detected; Control reconciles anchors and raises security and gap alerts.
fig. 4 — audit: one correlation thread, one unbroken journal chain

05 · Comparison

Tessera vs classic PAM and bastions

The difference is not a feature list — it's the architecture: where the access decision lives.

Comparison of Tessera with classic PAM solutions and bastion hosts
Criterion Classic PAM / bastions Tessera
Offline fleet Require the control plane to be reachable at login Works with no network; the server is an accelerator, not a precondition
Network degradation A trade-off: fail-open (a hole) or fail-closed (an outage) Fail-closed by design + TTL backstop: valid access keeps working
Zero-egress ATMs Not applicable The target segment
Short-lived access A server-side policy — the server must be there to enforce it TTL inside the credential — expires with no one's involvement
Delegation RBAC on the server Name constraints in the certificate — boundaries verified offline
Load on the center Every login is a request to the center Issuance and sporadic CRLs only

06 · Resilience

A component failure is not a hole

Server unreachable? Login with valid certificates keeps working; expired ones don't get renewed. Fail-closed by design. Security is identical with or without the server — the server adds scale and data freshness, not security.

Degradation table: if Codes is down, only new QR-code issuance is lost; if Control is down — CRL freshness and commands; months offline is the normal mode; an attack on the delivery channel yields at most a DoS. Login, enforcement, audit and TTL revocation keep working in every case. There is no fail-open.
fig. 5 — degradation: what failed → what keeps working

07 · Open core

Open core, commercial management

Open AGPL-3.0

  • Tessera Engine — validation + enforcement
  • Tessera Login — PAM module
  • Certificate login
  • Basic roles: groups, sudoers
  • Hash-chain audit on the device

Commercial enterprise

  • Tessera Control — fleet management, CRL, inventory
  • Tessera Codes — one-time QR codes
  • Astra mandatory-integrity adapter
  • SELinux adapter
  • Central audit intake + SIEM export
  • GOST FFI
  • Windows adapter roadmap

The principle: formats and verification are open — everything the device checks can be audited. Generation, delivery and fleet management are commercial.

Let's discuss a pilot

We'll show offline login on your scenario: ATMs, a shop floor, substations. Tell us about your fleet — we'll come back with specifics on the mechanism.

Discuss a pilot GitHub Documentation