Gateway Security Architecture

The Infisical Gateway enables secure access to private resources using SSH reverse tunnels, certificate-based authentication, and a comprehensive PKI (Public Key Infrastructure) system. The architecture provides end-to-end encryption and complete tenant isolation through multiple certificate authorities. This document explains the internal security architecture and how tenant isolation is maintained.

Security Model Overview

Certificate Architecture

The gateway system uses multiple certificate authorities depending on deployment configuration:
For Organizations Using Infisical-Managed Proxies:
  • Instance proxy SSH Client CA & Server CA - Gateway ↔ Infisical Proxy Server authentication
  • Instance proxy PKI Client CA & Server CA - Platform ↔ Infisical Proxy Server authentication
  • Organization Gateway Client CA & Server CA - Platform ↔ Gateway authentication
For Organizations Using Customer-Deployed Proxies:
  • Organization proxy SSH Client CA & Server CA - Gateway ↔ Customer Proxy Server authentication
  • Organization proxy PKI Client CA & Server CA - Platform ↔ Customer Proxy Server authentication
  • Organization Gateway Client CA & Server CA - Platform ↔ Gateway authentication

Certificate Hierarchy

Instance Level (Shared Proxies):
├── Instance Proxy SSH CA (Gateway ↔ Proxy)
└── Instance Proxy PKI CA (Platform ↔ Proxy)

Organization Level:
├── Organization Proxy SSH CA (Gateway ↔ Org Proxy)
├── Organization Proxy PKI CA (Platform ↔ Org Proxy)
└── Organization Gateway CA (Platform ↔ Gateway)

Communication Security

1. Gateway Registration

When a gateway is first deployed:
  1. Authenticates with Infisical using its machine identity token
  2. Receives an SSH client certificate for authenticating to the proxy, plus the SSH Server CA it must trust when verifying the proxy; which CAs are used depends on the proxy configuration:
    • Infisical-managed proxy: Instance proxy SSH client certificate + Instance proxy SSH Server CA
    • Customer-deployed proxy: Organization proxy SSH client certificate + Organization proxy SSH Server CA
  3. Establishes an SSH reverse tunnel to its assigned proxy server

2. SSH Tunnel Authentication

Gateway ↔ Proxy Server communication uses SSH certificate authentication:
  • Gateway Authentication:
    • Presents SSH client certificate (Instance or Organization proxy SSH Client CA)
    • Certificate contains gateway identification and permissions
    • Proxy server validates certificate against appropriate SSH Client CA
  • Proxy Server Authentication:
    • Presents SSH server certificate (Instance or Organization proxy SSH Server CA)
    • Gateway validates certificate against appropriate SSH Server CA
    • Ensures gateway connects to legitimate proxy infrastructure

3. Application Traffic Security

End-to-end encryption for application data:
  1. mTLS Layer:
    • Infisical platform establishes mTLS connections directly with gateways
    • Uses Organization Gateway certificates for authentication
    • Application traffic is encrypted end-to-end between platform and gateway
  2. SSH Tunnel Layer:
    • mTLS-encrypted application traffic travels through the SSH reverse tunnel between the gateway and the proxy
    • Creates double encryption: the mTLS payload is carried inside the SSH tunnel
    • The proxy is the SSH server and therefore terminates the SSH layer, but it holds no Organization Gateway key material, so what it sees is mTLS ciphertext; it cannot read application traffic
  3. Traffic Isolation:
    • Each gateway maintains its own SSH tunnel
    • Organization Gateway private keys stay with the platform and the gateway; they are never shared with the proxy layer
    • Cryptographic isolation between organizations: certificates issued by one organization's CAs do not validate against another's

Tenant Isolation

Multi-Layer Certificate Isolation

The architecture provides tenant isolation through multiple certificate authority layers:
  • Instance-level CAs: Shared proxy infrastructure uses instance-level certificates
  • Organization-level CAs: Each organization has unique certificate authorities
  • Proxy deployment flexibility: Organizations can choose shared or dedicated proxy infrastructure
  • Cryptographic separation: a certificate issued by one organization's CAs does not chain to any other organization's CAs, so a cross-tenant connection fails certificate validation before any application data is exchanged

Authentication Flows by Deployment Type

Infisical-Managed Proxy Deployments:
  • Gateway authenticates with proxy using Instance proxy SSH certificates
  • Platform authenticates with proxy using Instance proxy PKI certificates
  • Platform authenticates with gateway using Organization Gateway certificates
Customer-Deployed Proxy Deployments:
  • Gateway authenticates with proxy using Organization proxy SSH certificates
  • Platform authenticates with proxy using Organization proxy PKI certificates
  • Platform authenticates with gateway using Organization Gateway certificates

Resource Access Control

  1. Certificate Validation:
    • All connections require valid certificates from the appropriate CAs
    • Embedded certificate details control access permissions
    • Certificates are short-lived and their validity period is checked on every connection, so access is time-bound
  2. Network Isolation:
    • Each organization's traffic flows through isolated certificate-authenticated channels
    • Proxy servers route traffic based on certificate validation and never see the application payload
    • Gateway validates all incoming connections against the Organization Gateway Client CA
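The three properties that the Application Traffic Security, Tenant Isolation and Resource Access Control sections rely on (same-organization certificates authenticate mutually, a certificate from another organization's CA is refused by the gateway, and an expired certificate is refused) can be exercised with nothing but Go's standard library. The following is an added example, not Infisical's code and not the gateway's implementation: it creates two hypothetical per-organization Gateway CAs, issues short-lived client and server certificates, and runs mTLS handshakes over loopback TCP. The names OrgCA, Issue, Handshake and RunScenarios, the hostname gateway.example and the certificate lifetimes are assumptions made for the demo, and the page's separate Client CA and Server CA are collapsed into one signer per organization.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OrgCA is a hypothetical stand-in for one organization's Gateway CA (the page's
// separate Client CA and Server CA are collapsed into one signer here for brevity).
type OrgCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // trust store holding only this organization's CA
}

// must aborts the demo on setup failures (key generation, certificate encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewOrgCA(org string) *OrgCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: org + " Gateway CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &OrgCA{Cert: cert, Key: key, Pool: pool}
}

// Issue signs a short-lived leaf (ExtKeyUsageServerAuth for the gateway, ExtKeyUsageClientAuth
// for the platform); the TTL is what makes access time-bound.
func (ca *OrgCA) Issue(cn string, usage x509.ExtKeyUsage, ttl time.Duration) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), DNSNames: []string{cn},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs one mTLS handshake over loopback TCP: the gateway (server) accepts client certs only
// from gatewayClientCA, the platform (client) trusts only platformRoots, and both judge validity at now.
func Handshake(gatewayClientCA, platformRoots *x509.CertPool, gatewayCert, platformCert tls.Certificate, now time.Time) error {
	clock := func() time.Time { return now } // lets a caller replay the handshake after a TTL has lapsed
	srvConf := &tls.Config{Certificates: []tls.Certificate{gatewayCert}, ClientCAs: gatewayClientCA,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13, Time: clock}
	cliConf := &tls.Config{Certificates: []tls.Certificate{platformCert}, RootCAs: platformRoots,
		ServerName: "gateway.example", MinVersion: tls.VersionTLS13, Time: clock}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvConf))
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			_, err = conn.Write([]byte("ok")) // runs the server half of the handshake, then sends one record
			conn.Close()
		}
		srvErr <- err // e.g. a client cert the gateway's Client CA did not issue, or no cert at all
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliConf) // the platform's half of the handshake
	ln.Close()                                              // also unblocks Accept if the connect itself failed
	if err == nil {
		_, err = c.Read(make([]byte, 2)) // a server-side rejection arrives here as a TLS 1.3 alert
		c.Close()
	}
	return errors.Join(err, <-srvErr) // nil only if both peers accepted each other
}

// RunScenarios returns the outcome of the three checks the text describes.
func RunScenarios() (sameOrg, crossOrg, expired error) {
	orgA, orgB := NewOrgCA("Org A"), NewOrgCA("Org B")
	gatewayA := orgA.Issue("gateway.example", x509.ExtKeyUsageServerAuth, 24*time.Hour)
	platformA := orgA.Issue("platform", x509.ExtKeyUsageClientAuth, time.Hour)
	platformB := orgB.Issue("platform", x509.ExtKeyUsageClientAuth, time.Hour)
	// both sides hold Org A certificates: mutual authentication succeeds
	sameOrg = Handshake(orgA.Pool, orgA.Pool, gatewayA, platformA, time.Now())
	// an Org B client cert is refused by the Org A gateway, even though the client trusts Org A's public CA cert
	crossOrg = Handshake(orgA.Pool, orgA.Pool, gatewayA, platformB, time.Now())
	// the valid Org A client cert, presented two hours after its one-hour TTL ran out
	expired = Handshake(orgA.Pool, orgA.Pool, gatewayA, platformA, time.Now().Add(2*time.Hour))
	return
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with `go run`; the first result is nil and the other two are errors. The Time hook on tls.Config is what makes the expiry case reproducible: both peers evaluate the certificate chain at a chosen instant instead of waiting for a real TTL to lapse. With Go's TLS stack the cross-organization case may surface as "client didn't provide a certificate" rather than "unknown authority", because the server advertises its accepted CAs in the CertificateRequest and the client declines to offer a certificate those CAs did not issue; either way the gateway rejects the connection before any application data flows, which is the property the section is claiming.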