Teleport Access Plane

Security at Teleport

Teleport is dedicated to trusted, contemporary security. We’re thankful our customers place the highest level of trust in Teleport when they choose to secure their critical infrastructure using our products.

Security Team

Teleport maintains a cross-functional security team dedicated to:

  • Teleport code, dependency, and supply chain vulnerability detection and response
  • Teleport Cloud Security
  • Corporate IT Security
You can reach this team by email: [email protected]

Reporting a Vulnerability

To make a security vulnerability report, email [email protected] with the full details, including steps to reproduce the issue. We are deeply grateful to researchers and our community who report issues so that we can coordinate a fix and responsible disclosure. You may use our PGP public key below to encrypt sensitive information.

Security Commitments

We make the following security commitments:
  • Proactive Detection

    We contract and publish third-party security audits of our products and platform annually. Our previous reports are available on our Audits page. Furthermore, Teleport conducts regular security vulnerability scanning of our code and infrastructure using tools like Dependabot and Clair container scanning.

  • Disclosure

    We notify customers of critical vulnerabilities that affect the security of their systems. Prior vulnerability disclosures are found in our Security Disclosures Zendesk topic.

  • Response

    All security issues are rapidly triaged by our security team. High severity security findings trigger a formal incident response.

  • Privacy

    As part of our security stance, we protect our customers’ and partners’ privacy. Find our privacy policy at https://goteleport.com/privacy.

  • Certifications

    We maintain a SOC2 type II certification for our cloud and on-prem products.

Public Certificates & Encryption Keys

We use the following certificates and public keys to sign our software. Many of these keys and certificates use our legal business name “Gravitational Inc.” and our former domain “gravitational.com”. Don’t worry – Gravitational is Teleport.

Encrypting Email

Please use the following public PGP key to encrypt sensitive information to [email protected].
  • ID BEEDA496
  • Fingerprint 24F1 C4E9 A718 FF7C FB0B 2F13 FF2E 90C4 BEED A496

RPM & Debian Signing Keys

We sign our RPM and Debian repositories with the following PGP key:
  • ID 6282C411
  • Fingerprint 0C5E 8BA5 658E 320D 1B03 1179 C87E D53A 6282 C411
See the following pages for information on using this key to verify downloaded packages:

Apple Signing Certificates

Our Apple packages and binaries are code signed by "Developer ID QH8AA5B8UP Gravitational Inc." with the following certificate:
  • SHA256 Fingerprint 78 2F E1 18 5F A1 AD 68 AD 25 0B A9 4D 21 DC BB 0D 8E 47 C6 E4 1D FE FB AB 05 41 33 4C 33 1D 43
  • SHA1 Fingerprint 82 B6 25 AD 32 7C 24 1B 37 8A 54 B4 B2 54 BB 08 CE 71 B5 DF
Packages published prior to September 14, 2021 are signed with an older certificate for the same Developer ID (QH8AA5B8UP):
  • SHA256 Fingerprint 78 05 14 69 20 59 21 D1 EE 96 42 01 5A 28 35 FB E1 D4 38 5E 2A 23 5D 62 73 A4 D1 27 8A 33 BA 34
  • SHA1 Fingerprint D2 70 EA 0C F2 0E CB 17 28 B2 21 E1 D5 B6 7C FE 50 FF AB 62
Verify the Developer ID and fingerprint match on package downloads with the pkgutil tool:

    $ pkgutil --check-signature teleport-7.1.2.pkg
    Package "teleport-7.1.2.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Signed with a trusted timestamp on: 2021-09-15 00:49:03 +0000
       Certificate Chain:
        1. Developer ID Installer: Gravitational Inc. (QH8AA5B8UP)
           Expires: 2026-07-27 18:27:29 +0000
           SHA256 Fingerprint:
               78 2F E1 18 5F A1 AD 68 AD 25 0B A9 4D 21 DC BB 0D 8E 47 C6 E4 1D FE FB AB 05 41 33 4C 33 1D 43
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           Expires: 2027-02-01 22:12:15 +0000
           SHA256 Fingerprint:
               7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

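One way to automate the comparison above, as an added example that is not Teleport's own tooling: the script parses `pkgutil --check-signature` output and accepts a package only when the leaf certificate's Developer ID and SHA256 fingerprint match the values listed on this page. The function names and the line-wrapped sample output are constructed for illustration, and the status string it matches is the one shown in the output above.

```shell
# Added example: pin the Developer ID and SHA256 fingerprints published on this page.
TEAM_ID="QH8AA5B8UP"
FP_CURRENT="782FE1185FA1AD68AD250BA94D21DCBB0D8E47C6E41DFEFBAB0541334C331D43"
FP_OLD="78051469205921D1EE9642015A2835FBE1D4385E2A235D6273A4D1278A33BA34"  # before 2021-09-14

# leaf_cert: read pkgutil output on stdin, print "<team id> <sha256 hex>" for chain entry 1.
leaf_cert() {
  awk '
    /^[ \t]*[0-9]+\. / {                       # start of a certificate entry
      leaf = ($1 == "1."); grab = 0
      if (leaf && match($0, /\([A-Z0-9]+\)[ \t]*$/)) { team = substr($0, RSTART + 1); sub(/\).*/, "", team) }
      next
    }
    /^[ \t]*-+[ \t]*$/ || (/:/ && !/SHA256 Fingerprint:/) { grab = 0; next }  # end of hex run
    leaf && /SHA256 Fingerprint:/ { grab = 1; sub(/.*SHA256 Fingerprint:/, "") }
    leaf && grab { gsub(/[^0-9A-Fa-f]/, ""); fp = fp toupper($0) }   # hex may span lines
    END { print team, fp }'
}

# check_pkg_signature: succeed only for a signed package whose leaf matches a pinned certificate.
check_pkg_signature() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate' ||
    { echo "not signed by a developer certificate"; return 1; }
  set -- $(printf '%s\n' "$out" | leaf_cert)
  [ "${1:-}" = "$TEAM_ID" ] || { echo "unexpected Developer ID: ${1:-none}"; return 1; }
  case "${2:-}" in
    "$FP_CURRENT") echo "ok: current certificate" ;;
    "$FP_OLD")     echo "ok: certificate used before 2021-09-14" ;;
    *)             echo "fingerprint mismatch: ${2:-none}"; return 1 ;;
  esac
}

# Constructed sample: the values shown on this page, abridged and line-wrapped.
sample_output() {
  cat <<'EOF'
Package "teleport-7.1.2.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Gravitational Inc. (QH8AA5B8UP)
       SHA256 Fingerprint:
           78 2F E1 18 5F A1 AD 68 AD 25 0B A9 4D 21 DC BB 0D 8E 47 C6 E4 1D
           FE FB AB 05 41 33 4C 33 1D 43
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
           F2 9C 88 CF B0 B1 BA 63 58 7F
EOF
}
sample_output | check_pkg_signature  # macOS: pkgutil --check-signature teleport-7.1.2.pkg | check_pkg_signature
```
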
The codesign tool can be used to perform the verification on individual binaries:

    $ codesign --verify -d --verbose=2 /usr/local/bin/tsh
    ...
    Authority=Developer ID Application: Gravitational Inc. (QH8AA5B8UP)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Jul 30, 2021 at 1:44:06 PM
    Info.plist=not bound
    TeamIdentifier=QH8AA5B8UP
    ...

The Teleport package in Homebrew is not maintained or signed by Teleport. We recommend the use of our Teleport packages.

Windows Signing Certificates

Our Windows binaries are signed with the following certificate:
  • Issued to Gravitational Inc.
  • Thumbprint F2FBE7B8228122EB74DE2DC093DB81F8E6896253
Verify the binary using the following PowerShell command:

    Get-AuthenticodeSignature -FilePath .\tsh.exe

        Directory: C:\Users\ExampleUser

    SignerCertificate                         Status  Path
    -----------------                         ------  ----
    F2FBE7B8228122EB74DE2DC093DB81F8E6896253  Valid   tsh.exe

Ensure that the SignerCertificate matches the thumbprint shown above, and that the Status field is Valid.
To further inspect the certificate, run the following PowerShell command:

    (Get-AuthenticodeSignature -FilePath .\tsh.exe).SignerCertificate | Format-List

    Subject      : CN=Gravitational Inc., O=Gravitational Inc., L=Oakland, S=California, C=US
    Issuer       : CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    Thumbprint   : F2FBE7B8228122EB74DE2DC093DB81F8E6896253
    FriendlyName :
    NotBefore    : 11/8/2020 5:00:00 PM
    NotAfter     : 11/14/2023 4:59:59 PM
    Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}

Alternatively, Windows binaries may be inspected graphically via the Windows Explorer with the following steps:
  1. Right click on the binary in question, for example tsh.exe.
  2. Select “Properties”.
  3. On the resulting “tsh.exe Properties” dialog, select the “Digital Signatures” tab.
  4. Select the “Gravitational Inc.” signer from the list.
  5. Select the “Details” button.
  6. On the resulting “Digital Signature Details” dialog, ensure that the header states “This digital signature is OK.”
  7. Select the “View Certificate” button.
  8. On the resulting “Certificate” dialog, select the “Details” tab.
  9. Select the “Thumbprint” item from the list, and compare its value to the thumbprint listed above.
