Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Background image
Teleport Access Platform

Security at Teleport

Teleport is dedicated to trusted, contemporary security. We're thankful for the high level of trust our customers place in Teleport when they choose to secure their critical infrastructure using our products.
Teleport security shield

Security Team

Teleport maintains a cross-functional security team dedicated to:

  • Teleport code, dependency, and supply chain vulnerability detection and response
  • Teleport Cloud Security
  • Corporate IT Security
Security Team

Reporting a Vulnerability

If you have any questions, please contact us. We are deeply grateful to researchers and our community who report issues so that we can coordinate a fix and responsible disclosure.

Security Commitments

We make the following security commitments:
  • Proactive Detection

    We contract and publish third-party security audits of our products and platform annually. Our previous reports are available on our Trust page. Furthermore, Teleport conducts regular security vulnerability scanning of our code and infrastructure using tools like Dependabot and Trivy.
  • Disclosure

    We notify customers of critical vulnerabilities that affect the security of their systems. Prior vulnerability disclosures are found in our Teleport Release Notes.
  • Response

    All security issues are rapidly triaged by our security team. Critical and high severity security findings trigger a formal incident response.
  • Privacy

    As part of our security stance, we protect our customers’ and partners’ privacy. Find our privacy policy at https://goteleport.com/legal/privacy.
  • Compliance

    We maintain SOC 2 Type II, ISO 27001, and HIPAA Security Rule compliance for our cloud and self-hosted products, which can be provided under NDA. Additionally, we further commit to our Security Addendum, which covers policy, security, confidentiality, access controls, management, incident response, and more to detail how we protect customer data.

Public Certificates & Encryption Keys

We use the following certificates and public keys to sign our software. Many of these keys and certificates use our legal business name “Gravitational Inc.” and our former domain “gravitational.com”. Don’t worry – Gravitational is Teleport.
RPM & Debian Signing Keys
We sign our RPM and Debian repositories with the following PGP key:
  • ID 6282C411
  • Fingerprint 0C5E 8BA5 658E 320D 1B03 1179 C87E D53A 6282 C411
See the following pages for information on using this key to verify downloaded packages:
Apple Signing Certificates
Our Apple packages and binaries are code signed by "Developer ID QH8AA5B8UP Gravitational Inc." with the following certificate:
  • SHA256 Fingerprint 78 2F E1 18 5F A1 AD 68 AD 25 0B A9 4D 21 DC BB 0D 8E 47 C6 E4 1D FE FB AB 05 41 33 4C 33 1D 43
  • SHA1 Fingerprint 82 B6 25 AD 32 7C 24 1B 37 8A 54 B4 B2 54 BB 08 CE 71 B5 DF
Packages published prior to September 14, 2021 are signed with an older certificate for the same Developer ID (QH8AA5B8UP):
  • SHA256 Fingerprint 78 05 14 69 20 59 21 D1 EE 96 42 01 5A 28 35 FB E1 D4 38 5E 2A 23 5D 62 73 A4 D1 27 8A 33 BA 34
  • SHA1 Fingerprint D2 70 EA 0C F2 0E CB 17 28 B2 21 E1 D5 B6 7C FE 50 FF AB 62
Verify the Developer ID and fingerprint match on package downloads with the pkgutil tool:
$ pkgutil --check-signature teleport-7.1.2.pkg Package "teleport-7.1.2.pkg": Status: signed by a developer certificate issued by Apple for distribution Signed with a trusted timestamp on: 2021-09-15 00:49:03 +0000 Certificate Chain: 1. Developer ID Installer: Gravitational Inc. (QH8AA5B8UP) Expires: 2026-07-27 18:27:29 +0000 SHA256 Fingerprint: 78 2F E1 18 5F A1 AD 68 AD 25 0B A9 4D 21 DC BB 0D 8E 47 C6 E4 1D FE FB AB 05 41 33 4C 33 1D 43 ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2027-02-01 22:12:15 +0000 SHA256 Fingerprint: 7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24
The codesign tool can be used to perform the verification on individual binaries:
$ codesign --verify -d --verbose=2 /usr/local/bin/tsh ... Authority=Developer ID Application: Gravitational Inc. (QH8AA5B8UP) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Jul 30, 2021 at 1:44:06 PM Info.plist=not bound TeamIdentifier=QH8AA5B8UP ...
The Teleport package in Homebrew is not maintained or signed by Teleport. We recommend the use of our Teleport packages.
Windows Signing Certificates
Our Windows binaries are signed with the following certificate:
  • Issued to Gravitational Inc.
  • Thumbprint F2FBE7B8228122EB74DE2DC093DB81F8E6896253
Verify the binary using the following PowerShell command:
Get-AuthenticodeSignature -FilePath .\tsh.exe Directory: C:\Users\ExampleUser SignerCertificate Status Path ----------------- ------ ---- F2FBE7B8228122EB74DE2DC093DB81F8E6896253 Valid tsh.exe
Ensure that the SignerCertificate matches the thumbprint shown above, and that the Status field is Valid.
To further inspect the certificate, run the following PowerShell command:
(Get-AuthenticodeSignature -FilePath.\tsh.exe).SignerCertificate | Format-List Subject : CN=Gravitational Inc., O=Gravitational Inc., L=Oakland, S=California, C=US Issuer : CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US Thumbprint : F2FBE7B8228122EB74DE2DC093DB81F8E6896253 FriendlyName : NotBefore : 11/8/2020 5:00:00 PM NotAfter : 11/14/2023 4:59:59 PM Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
Alternatively, Windows binaries may be inspected graphically via the Windows Explorer with the following steps:
  1. Right click on the binary in question, for example tsh.exe.
  2. Select “Properties”.
  3. On the resulting “tsh.exe Properties” dialog, select the “Digital Signatures” tab.
  4. Select the “Gravitational Inc.” signer from the list.
  5. Select the “Details” button.
  6. On the resulting “Digital Signature Details” dialog, ensure that the header states “This digital signature is OK.”
  7. Select the “View Certificate” button.
  8. On the resulting “Certificate” dialog, select the “Details” tab.
  9. Select the “Thumbprint” item from the list, and compare its value to the thumbprint listed above.
OCI Container Images
All of our distroless OCI container images are signed with cosign. Signatures can be validated against the Teleport OCI image signing key.
$ cosign verify --key teleport-oci-key-2023-05.pub public.ecr.aws/gravitational/teleport-distroless-debug:12.3.3 Verification for public.ecr.aws/gravitational/teleport-distroless-debug:12.3.3 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key [{"critical":{"identity":{"docker-reference":"public.ecr.aws/gravitational/teleport-distroless-debug"},"image":{"docker-manifest-digest":"sha256:450fa0f11bbd692ce8236adbc73ed4d32c464cab799bfb32de75e0769f51181a"},"type":"cosign container image signature"},"optional":null}]
Note that for cosign versions >= 2.0 you may need to use the new --insecure-ignore-tlog option for some images. These images were signed with an older version of cosign.
Background image

Try Teleport today

In the cloud, self-hosted, or open source
Get StartedView developer docs