Security architecture
Built for infrastructure you cannot afford to lose.
ServerDesk connects to real production servers. Every architectural decision — from how credentials are stored to how Robbie's remediation plans are executed — reflects that responsibility. This page explains exactly how the system works.
SSH connection model
How connections work
ServerDesk acts as a secure relay between your browser and your server. Your browser does not make a direct SSH connection to your infrastructure. Instead, the ServerDesk backend establishes and manages the SSH session on your behalf.
No direct browser-to-server connection
Your browser communicates with ServerDesk over HTTPS. ServerDesk manages the SSH session to your server. This means your server does not need to accept inbound WebSocket connections from browsers.
SSH encryption in transit
Traffic between ServerDesk and your server uses the SSH protocol — the same encryption you would use from a local terminal. Data in transit between your browser and ServerDesk uses HTTPS (TLS 1.2+).
Session isolation
Each workspace session uses its own isolated SSH connection. Credentials and session data from one account are never accessible to another. Sessions are torn down when you close the workspace.
Credential storage
Your credentials, encrypted at rest
SSH credentials — passwords and private keys — are encrypted before being written to the database. Encryption keys are not co-located with credential data.
- Passwords and SSH private keys encrypted before storage
- SSH private keys accepted in PEM format
- Credentials never appear in logs or error messages
- Delete any server from the dashboard — deletion is immediate and permanent
- Credentials from different accounts are strictly isolated from one another
SSH key authentication
Password or SSH key — your choice
ServerDesk supports both password and SSH private key authentication. Using an SSH key rather than a password is the recommended approach for production servers.
- PEM-format private keys accepted
- Passphrase-protected keys supported
- Keys stored using the same encrypted storage as passwords
- No plaintext key material is ever logged
What Robbie reads during a health check
Read-only diagnostics. No silent writes.
During a health check, Robbie connects to your server and runs a set of read-only diagnostic commands. It collects the text output and sends it to the AI model for analysis. Robbie does not modify files, install packages, change configuration, or execute any write operation during this phase.
| Command | What it reads |
|---|---|
| df -h | Disk usage by mount point |
| free -m | Memory usage and available RAM |
| uptime | System load and uptime |
| ps aux --sort=-%cpu | Process list sorted by CPU usage |
| docker ps --format ... | Running container status and restart counts |
| docker stats --no-stream | Container resource usage snapshot |
| systemctl list-units | Service status overview |
| tail -n 500 [log file] | Recent log entries for analysis |
| netstat -tlnp | Open ports and listening services |
| who / last | Recent login activity |
Source code not included automatically
Robbie does not read file contents during a health check. Source code is only sent to the AI model when you explicitly ask Robbie to review a specific file or selection.
.env files never included
Files commonly containing secrets — .env, .env.production, credentials.json — are never automatically included in AI analysis. You control what Robbie reads.
Text output only
Diagnostic command output is text. Robbie does not capture binary data, screenshots, or network traffic from your server.
The approval workflow
Seven stages. Nothing executes at stage four.
The remediation workflow has a hard stop built into it. Robbie cannot proceed past the “Wait” stage without explicit human action. This is not a configurable option — it is how the system is built.
Stage 1–4
Robbie's work
- Observe: reads diagnostic output
- Analyse: identifies root cause
- Prepare: builds remediation plan
- Wait: stops, shows you the plan
Stage 5
You review
- Read every proposed step
- Expand dry-run output per step
- Check the rollback procedure
- Verify the risk rating
Stage 6
You approve
- Approve each step individually
- No single 'approve all' button
- Stop at any step without penalty
- Abort at any point
Stage 7
Execution
- Only approved steps run
- Output shown in real time
- Rollback available immediately
- Full audit in session history
Robbie never executes changes on your server without a step-by-step approval from you. There is no auto-approve mode. There is no way to enable one.
AI safety
What the AI model sees
The AI model that powers Robbie receives text — specifically, the output of diagnostic commands run on your server. It does not have direct access to your server, your file system, or your credentials.
- Diagnostic text output sent to AI model for health check analysis
- AI model has no direct SSH access to your server
- Source code sent only when you explicitly ask Robbie to review a file
- .env files and secret-containing files never automatically included
- AI analysis is used to prepare recommendations — not to execute them
Privacy and data retention
What we keep and why
ServerDesk stores the minimum data needed to deliver the service.
- Server credentials: retained until you delete the connection
- Health check results: retained for trend analysis (visible to you in the dashboard)
- Terminal session content: not stored after the session ends
- Account data: retained until account deletion, then removed within 30 days
- GDPR: you can request full data export or immediate deletion at any time
Security FAQ
Direct answers to the questions that matter most
Does ServerDesk install anything on my server?
No. ServerDesk connects over SSH using your existing credentials. Nothing is installed, no agent runs on your server, and no persistent background process is left behind. The connection is established on demand when you open your workspace.
How are SSH credentials stored?
SSH passwords and private keys are encrypted before being written to the database. Encryption keys are not stored alongside credential data. You can view, update, or delete any server connection at any time from your dashboard. Deletion is permanent.
Does Robbie execute commands automatically?
No. Robbie runs read-only diagnostic commands during a health check — these read system metrics, process lists, and log output. For remediation, Robbie prepares a plan and stops. Nothing in that plan executes until you approve each step individually. There is no auto-approve mode and no way to enable one.
Can I use SSH keys instead of a password?
Yes. ServerDesk supports SSH private key authentication. Keys are accepted in PEM format and stored encrypted using the same mechanism as password credentials. If you use a passphrase-protected key, you can enter the passphrase during connection setup.
Can I remove my server at any time?
Yes. You can disconnect and delete any server connection from the dashboard at any time. Deletion removes the credentials immediately and permanently. ServerDesk does not retain copies.
What information leaves my server during a health check?
Robbie runs read-only diagnostic commands and collects the text output — system metrics, process lists, log excerpts. This text is sent to the AI model for analysis. Your source code is not included unless you explicitly ask Robbie to review a specific file or selection. Environment variables and .env files are never automatically included.
Can I use ServerDesk without using the AI features?
Yes. The file editor, terminal, Docker management, database explorer, and Git tools all work independently of Robbie. AI features are optional. You are never required to use them.
What happens to my data if I cancel?
When you cancel, your servers are disconnected and your subscription ends at the current billing period. Your account data is retained for 30 days after cancellation to allow for reactivation, then deleted. You can request immediate deletion at any time by contacting support.
Responsible disclosure
Found a vulnerability?
If you discover a security vulnerability in ServerDesk, please report it to us directly. We take every report seriously and commit to a prompt, transparent response.
- Email: security@serverdesk.dev
- Include a clear description of the issue and steps to reproduce
- We aim to acknowledge reports within 24 hours
- We will not take legal action against researchers acting in good faith
- Responsible disclosure is recognised in our security changelog
Other security contacts
Questions about security architecture?
If you have questions about ServerDesk's security architecture that this page does not answer — particularly if you are evaluating the product for an organisation with specific compliance requirements — reach out directly.
- Security questionssecurity@serverdesk.dev
- General supportsupport@serverdesk.dev
- Privacy / GDPRprivacy@serverdesk.dev