Vouch is a hardware-backed authentication system designed to enhance security by issuing short-lived credentials only after a YubiKey touch and PIN entry. This approach ensures physical presence for each access request, replacing traditional methods like password plus push notifications.

**Key Features:**

- **Mandatory Hardware Presence:** Vouch requires a YubiKey touch for credential issuance, ensuring human presence.
- **Short-Lived Credentials:** Issues credentials valid for 8 hours, reducing the risk of misuse.
- **Multi-Platform Support:** Works with SSH, AWS, Kubernetes, and more, integrating seamlessly into existing workflows.
- **Zero-Friction Integration:** Configures standard tools without additional wrappers, maintaining user experience.

**Audience & Benefit:**

Ideal for organizations seeking robust security in DevOps and cloud environments. Vouch provides a secure authentication method that reduces credential sprawl and fatigue, enhancing overall system security with minimal disruption to daily operations.

Vouch can be installed via winget, offering a straightforward setup process to enhance your organization's security posture effectively.
# Vouch

*Prove you're here.*
Hardware-backed authentication that issues short-lived credentials only after a human touches a YubiKey. One touch, one PIN, one 8-hour session — then SSH, AWS, Kubernetes, and more just work.
```console
$ vouch login
🔑 Touch your YubiKey...
Enter PIN: ****
✓ Authenticated as you@company.com
✓ Session valid for 8 hours

$ ssh prod.example.com    # Just works
$ aws s3 ls               # Just works
$ kubectl get pods        # Just works
$ git push origin main    # Just works
```
## The Problem

Modern authentication is broken in three ways:

1. **Push notification fatigue** — Duo pings you 47 times a day. Users approve reflexively. MFA fatigue attacks succeed because humans are tired.
2. **Credential sprawl** — Long-lived API keys in `~/.aws/credentials`. GitHub PATs that never expire. SSH keys from 2019 still floating around.
3. **No presence verification** — Existing tools verify devices or sessions, but not that a human is actually there. A compromised laptop with cached credentials is indistinguishable from its owner.

## The Solution

Vouch requires physical presence for every credential issuance:

1. `vouch login` — Touch YubiKey, enter PIN, get 8-hour session
2. Vouch issues credentials — SSH certificates, AWS STS tokens, Kubernetes tokens, and more
3. Tools just work — Standard credential helpers, no wrappers needed
## Key Features

### Mandatory Hardware Presence

Unlike optional MFA that can be bypassed, Vouch only issues credentials after FIDO2 verification. The credential itself carries proof of presence.

### Short-Lived Everything

- SSH certificates: 8 hours
- AWS credentials: 1 hour (auto-refresh within session)
- Kubernetes, Docker, RDS, Redshift, CodeArtifact, and more — see Integrations

No more rotating keys. No more revoking access. Credentials simply expire.

### Zero-Friction Integration

Vouch configures standard credential providers:

- SSH: `IdentityAgent` pointing to vouch's signing agent
- AWS: `credential_process` in `~/.aws/config`
- Plus: Kubernetes, Docker, Git, Cargo, and more — see Integrations

After `vouch login`, existing workflows are unchanged.
## Quick Start

### Install

```bash
# macOS
brew install vouch-sh/tap/vouch

# Linux (Debian/Ubuntu)
# See https://packages.vouch.sh for repository setup
sudo apt install vouch

# Linux (RPM-based)
# See https://packages.vouch.sh for repository setup
sudo dnf install vouch

# From source (requires Rust 1.95+)
cargo install --git https://github.com/vouch-sh/vouch vouch-cli
```
> [!NOTE]
> Vouch is not published to crates.io. Install from the Git repository or use a package manager.
### Setup

```bash
# Enroll with your YubiKey (one-time, opens browser)
vouch enroll

# Configure integrations
vouch setup ssh                                         # SSH certificates
vouch setup aws --role arn:aws:iam::ID:role/name        # AWS credential_process
vouch setup eks --cluster my-cluster                    # kubectl for EKS via IAM
vouch setup k8s --cluster my-cluster --server URL       # kubectl via OIDC
vouch setup github --configure                          # Git credential helper for GitHub
vouch setup docker --configure ghcr.io                  # Docker registry auth
vouch setup cargo --configure                           # Cargo registry auth
vouch setup codecommit --configure                      # AWS CodeCommit Git credentials
vouch setup ssm                                         # SSH via AWS Systems Manager
vouch setup codeartifact --tool pip --repository R      # Private package registry

# See all integrations: https://vouch.sh/docs/
```
> [!TIP]
> Run `vouch doctor` at any time to check your YubiKey, agent, and configuration status.

> [!IMPORTANT]
> The `vouch-agent` daemon must be running for credential operations. It starts automatically on `vouch login` and manages your session.
### Daily Use

```bash
# Start your day
vouch login

# Everything just works for 8 hours
ssh prod-server
aws s3 ls
kubectl get pods
docker pull ghcr.io/your-org/image
git clone https://github.com/your-org/private-repo.git

# Check session status
vouch status
```
### Credential Injection

For scripts and CI/CD pipelines, inject credentials into subprocesses:

```bash
# Run a command with AWS credentials in the environment
vouch exec --type aws --role arn:aws:iam::ID:role/name -- terraform plan

# Export credentials for the current shell
eval "$(vouch env --type aws --role arn:aws:iam::ID:role/name)"

# Available types: aws, github, codeartifact, rds, redshift
```
### Shell Completions

```bash
# Bash (requires the bash-completion package)
vouch completions bash > ~/.local/share/bash-completion/completions/vouch

# Zsh
vouch completions zsh > "${fpath[1]}/_vouch"

# Fish
vouch completions fish > ~/.config/fish/completions/vouch.fish
```
### Shell Integration

Add session status to your shell prompt (sets `VOUCH_AUTHENTICATED`, `VOUCH_EMAIL`, and `VOUCH_EXPIRES_IN`):

```bash
# Bash (add to ~/.bashrc)
eval "$(vouch init bash)"

# Zsh (add to ~/.zshrc)
eval "$(vouch init zsh)"

# Fish (add to ~/.config/fish/config.fish)
vouch init fish | source
```
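What a prompt built on those variables can look like, as an added example that is not part of the Vouch project's own code. The README names the three variables but not their value formats, so this script assumes `VOUCH_AUTHENTICATED` is `1` or `true` while a session is active and `VOUCH_EXPIRES_IN` is the remaining session lifetime in seconds; adjust the two parsing points if your `vouch init` output differs.

```shell
#!/bin/sh
# Added example (not from the Vouch project): a prompt segment built from the
# variables `vouch init` exports. Assumed formats, since the README does not
# document them: VOUCH_AUTHENTICATED is "1" or "true" while a session is
# active, and VOUCH_EXPIRES_IN is the remaining session lifetime in seconds.

# Format a number of seconds as "HhMMm" (for example 7200 -> "2h00m").
format_remaining() {
    secs="$1"
    [ "$secs" -lt 0 ] && secs=0
    printf '%dh%02dm' "$((secs / 3600))" "$(((secs % 3600) / 60))"
}

# Print the prompt segment. Exit status is 0 when a session is active and
# 1 otherwise, so a prompt theme can colourise or branch on it.
vouch_prompt_segment() {
    case "${VOUCH_AUTHENTICATED:-}" in
        1|true) ;;
        *) printf '✗ vouch'; return 1 ;;
    esac
    remaining="${VOUCH_EXPIRES_IN:-0}"
    if [ "$remaining" -le 1800 ]; then
        # Under 30 minutes left: flag it so the next touch does not land
        # in the middle of a long deploy.
        printf '⚠ %s %s' "${VOUCH_EMAIL:-?}" "$(format_remaining "$remaining")"
    else
        printf '🔑 %s %s' "${VOUCH_EMAIL:-?}" "$(format_remaining "$remaining")"
    fi
    return 0
}

# Bash hookup: evaluate the segment on every prompt (add to ~/.bashrc after
# the `eval "$(vouch init bash)"` line so the variables are already set).
# PS1='$(vouch_prompt_segment) \w \$ '
```

The 30-minute warning threshold is a local choice; the useful property is that the prompt degrades to an explicit "not authenticated" marker rather than silently showing stale state, which is what you want when the 8-hour session expires mid-shift.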
## Exit Codes

| Code | Meaning |
|------|---------|
| 0 | Success |
| 1 | General error |
| 2 | Not authenticated (session expired or missing) |
| 3 | Hardware key not detected |
| 4 | Network or server unreachable |
| 5 | Permission denied |
| 6 | Configuration error |
| 7 | Step-up authentication required |
| 8 | Rate limited |
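How a pipeline script would consume this table together with `vouch exec` from the Credential Injection section, as an added example rather than code shipped by the Vouch project. It retries only the transient codes (4 and 8), fails fast with an actionable message on anything that needs a human or an operator, and never falls back to static credentials. `VOUCH_CMD` and `VOUCH_RETRY_SLEEP` are hypothetical override hooks introduced here so the wrapper can be exercised with a stand-in command; the README does not say what `vouch exec` returns when the wrapped command itself fails, so the mapping below assumes the listed codes refer to Vouch's own failures.

```shell
#!/bin/sh
# Added example (not from the Vouch project): a CI-friendly wrapper around
# `vouch exec` that maps the exit codes in the README table to actions.
# VOUCH_CMD and VOUCH_RETRY_SLEEP are assumed hooks, not Vouch options:
# they default to the real binary and a 2-second back-off.
VOUCH_CMD="${VOUCH_CMD:-vouch}"

# Translate a vouch exit code into the meaning given in the README table.
vouch_exit_meaning() {
    case "$1" in
        0) echo "success" ;;
        1) echo "general error" ;;
        2) echo "not authenticated (session expired or missing)" ;;
        3) echo "hardware key not detected" ;;
        4) echo "network or server unreachable" ;;
        5) echo "permission denied" ;;
        6) echo "configuration error" ;;
        7) echo "step-up authentication required" ;;
        8) echo "rate limited" ;;
        *) echo "unknown exit code $1" ;;
    esac
}

# Only transient conditions are worth an automatic retry. Anything that
# needs a human (touch, PIN, step-up) or an operator (config, permissions)
# must surface immediately instead of being masked by a retry loop.
vouch_exit_retryable() {
    case "$1" in
        4|8) return 0 ;;
        *) return 1 ;;
    esac
}

# Run COMMAND under `vouch exec --type aws --role ROLE`, retrying transient
# failures at most three times. Returns the final vouch exit code.
# Usage: run_with_aws_creds ROLE_ARN COMMAND [ARGS...]
run_with_aws_creds() {
    role="$1"; shift
    attempt=1
    while :; do
        if "$VOUCH_CMD" exec --type aws --role "$role" -- "$@"; then
            return 0
        else
            rc=$?
        fi
        if vouch_exit_retryable "$rc" && [ "$attempt" -lt 3 ]; then
            echo "vouch: $(vouch_exit_meaning "$rc"); retrying ($attempt/3)" >&2
            attempt=$((attempt + 1))
            sleep "${VOUCH_RETRY_SLEEP:-2}"
            continue
        fi
        echo "vouch: $(vouch_exit_meaning "$rc")" >&2
        if [ "$rc" -eq 2 ]; then
            echo "hint: run 'vouch login' (YubiKey touch + PIN), then re-run" >&2
        fi
        return "$rc"
    done
}

# Example invocation (ID and role name are placeholders):
# run_with_aws_creds arn:aws:iam::ID:role/name terraform plan
```

Because a session can only be (re)established by a touch and a PIN, the wrapper deliberately does not call `vouch login` itself: an unattended job that hits code 2 should stop and report, which is the behaviour the presence requirement is there to guarantee.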
## Requirements

- YubiKey 5 series (firmware 5.2+) with FIDO2/WebAuthn support
- macOS 12+ or Linux (glibc 2.31+) — Windows support is planned
- For SSH: CA public key distributed to target hosts
- For AWS: IAM role with OIDC federation configured
- For EKS: Cluster with Access Entries configured for IAM role
- For Kubernetes: API server with OIDC configured — see Operator Guide
- For GitHub: Organization admin connects the Vouch GitHub App
- Server deployment: Docker (distroless), systemd, or Kubernetes (Helm). See Operator Guide.