Deployment Overview

This section covers deploying the Vouch server for your organization. The server is the central authentication backend that handles FIDO2 verification, session management, SSH certificate signing, and OIDC token issuance.

Deployment Checklist

Before deploying, ensure you have:

  • Domain name — A domain for your Vouch server (e.g., auth.example.com)
  • TLS certificate — Valid certificate for your domain (or use Let’s Encrypt)
  • Database — SQLite (single node) or PostgreSQL (multi-node)
  • Identity provider — Google Workspace
  • JWT secret — Cryptographically random string, minimum 32 characters (or use AWS KMS HMAC)
  • SSH CA key (optional) — Ed25519 key pair for signing SSH certificates (or use AWS KMS)
  • OIDC signing key (optional) — P-256 EC key for signing ID tokens (or use AWS KMS)

Architecture

                    Internet
                       │
                       ▼
              ┌─────────────────┐
              │  Load Balancer  │
              │ (TLS termination│
              │ or passthrough) │
              └────────┬────────┘
                       │
                       ▼
              ┌─────────────────┐
              │  Vouch Server   │
              │                 │
              │  • Auth Portal  │
              │  • OIDC Provider│
              │  • SSH CA       │
              │  • REST API     │
              └────────┬────────┘
                       │
                       ▼
              ┌─────────────────┐
              │    Database     │
              │                 │
              │  SQLite or      │
              │  PostgreSQL     │
              └─────────────────┘

Deployment Methods

| Method     | Best For                      | Guide      |
|------------|-------------------------------|------------|
| Systemd    | Bare metal, VMs, single-node  | Production |
| Docker     | Container-based deployments   | Production |
| Kubernetes | Multi-node, high availability | Production |

Configuration

All configuration is via environment variables. See the Configuration Reference for the full list.

The minimum configuration requires:

VOUCH_RP_ID=auth.example.com        # Your domain
VOUCH_JWT_SECRET=<64-char-secret>    # Session signing secret
VOUCH_DATABASE_URL=sqlite:vouch.db?mode=rwc  # Database

For production, you’ll also want:

VOUCH_TLS_CERT=<base64-encoded-pem>  # TLS certificate
VOUCH_TLS_KEY=<base64-encoded-pem>   # TLS private key
VOUCH_SSH_CA_KEY=<base64-encoded-pem> # SSH CA key (or VOUCH_SSH_CA_KMS_KEY_ID)
VOUCH_OIDC_ISSUER=https://accounts.google.com  # External IdP
VOUCH_OIDC_CLIENT_ID=...
VOUCH_OIDC_CLIENT_SECRET=...

For AWS deployments, you can use KMS for all signing operations instead of managing local keys. See the Configuration Reference for KMS options.
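A pre-flight script that validates the minimum and production settings listed above before the service starts. This is an added example, not part of the Vouch project; it assumes a POSIX shell with GNU coreutils `base64` available, and the function and message names are the example's own.

```shell
#!/bin/sh
# Pre-flight validation of VOUCH_* environment variables (added example, not Vouch's own code).
# Assumes POSIX sh and GNU coreutils base64 (for the optional TLS PEM check).

# JWT secret must meet the documented minimum of 32 characters.
check_jwt_secret() {
  secret="$1"
  [ "${#secret}" -ge 32 ]
}

# RP ID is a bare hostname: no scheme, path, port or whitespace.
check_rp_id() {
  case "$1" in
    ''|*://*|*/*|*:*|*' '*) return 1 ;;
    *) return 0 ;;
  esac
}

# VOUCH_TLS_CERT / VOUCH_TLS_KEY are base64-encoded PEM; decode and look for a PEM header.
check_b64_pem() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    "-----BEGIN "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run every check against the current environment; prints each finding, non-zero on any failure.
preflight() {
  rc=0
  check_rp_id "${VOUCH_RP_ID:-}" || { echo "VOUCH_RP_ID must be a bare hostname"; rc=1; }
  check_jwt_secret "${VOUCH_JWT_SECRET:-}" || { echo "VOUCH_JWT_SECRET must be at least 32 characters"; rc=1; }
  [ -n "${VOUCH_DATABASE_URL:-}" ] || { echo "VOUCH_DATABASE_URL is required"; rc=1; }
  for var in VOUCH_TLS_CERT VOUCH_TLS_KEY VOUCH_SSH_CA_KEY; do
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then
      check_b64_pem "$val" || { echo "$var is not a base64-encoded PEM block"; rc=1; }
    fi
  done
  return $rc
}
```

Call `preflight` from the same environment the service starts in (for example as a systemd `ExecStartPre=` step or at the top of a container entrypoint) so a weak secret or a mangled certificate fails the deployment instead of the first login.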

Sizing

| Component | Minimum       | Recommended         |
|-----------|---------------|---------------------|
| CPU       | 1 vCPU        | 2 vCPU              |
| Memory    | 256 MB        | 512 MB              |
| Disk      | 1 GB (SQLite) | 10 GB (PostgreSQL)  |

The server runs as a single process on the async tokio runtime. Per-session memory overhead is minimal (~2 KB for token metadata). The primary bottleneck is database I/O during token issuance and session validation.

Database guidance:

  • SQLite — suitable for single-node deployments under ~500 users
  • PostgreSQL — recommended for multi-node or >500 users
  • Aurora DSQL — for AWS deployments requiring managed infrastructure

Next Steps

  1. Database Setup — Choose and configure your database
  2. TLS Configuration — Set up HTTPS
  3. Configuration Reference — Full environment variable reference
  4. Identity Provider Setup — Connect your corporate IdP