Data Flow

Understand how data flows through SSH-KLM during various operations.

Key discovery:

```mermaid
sequenceDiagram
    participant User
    participant API
    participant Queue
    participant Worker
    participant Agent
    participant DB
    User->>API: POST /discovery/start
    API->>Queue: Enqueue discovery job
    API-->>User: { jobId: "JOB-123" }
    Queue->>Worker: Dequeue job
    Worker->>Agent: Request key inventory
    Agent->>Agent: Scan SSH directories
    Agent-->>Worker: Key list + metadata
    Worker->>DB: Store discovered keys
    Worker->>Queue: Mark job complete
    User->>API: GET /discovery/JOB-123
    API->>DB: Get results
    API-->>User: Discovery results
```

Scheduled key rotation:

```mermaid
sequenceDiagram
    participant Policy
    participant API
    participant Worker
    participant Agent
    participant Host
    Policy->>API: Trigger scheduled rotation
    API->>Worker: Create rotation job
    Worker->>Worker: Generate new key pair
    Worker->>Agent: Deploy public key
    Agent->>Host: Add to authorized_keys
    Agent-->>Worker: Key deployed
    Worker->>Worker: Verify SSH access
    Worker->>Agent: Remove old key
    Agent->>Host: Update authorized_keys
    Worker->>API: Rotation complete
    API->>API: Send notifications
```

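The ordering in the rotation flow above is the safety property worth keeping in mind: the old key is removed only after the new key has been deployed and verified, so a failed verification must leave the host exactly as it was. The following is an added illustration of that sequence, not SSH-KLM's own code; it simulates the agent's authorized_keys edits in memory with constructed placeholder key lines, and takes the verification step as a caller-supplied callback (hypothetical `verify` parameter) standing in for the worker's real SSH connection test. The same `remove_key` step is what the agent performs when an ephemeral key's TTL expires.

```python
from typing import Callable

# Constructed sample authorized_keys lines; these are placeholders, not real keys.
OLD_KEY = "ssh-rsa AAAAB3NzaC1yc2E...oldkey user@example.com"
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...newkey user@example.com"


def parse_keys(authorized_keys: str) -> list[str]:
    """Split authorized_keys content into key lines, dropping blanks and comments."""
    return [ln.strip() for ln in authorized_keys.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def add_key(authorized_keys: str, pubkey: str) -> str:
    """Agent step 'Add to authorized_keys': append the key once (idempotent)."""
    keys = parse_keys(authorized_keys)
    if pubkey not in keys:
        keys.append(pubkey)
    return "\n".join(keys) + "\n"


def remove_key(authorized_keys: str, pubkey: str) -> str:
    """Agent step 'Remove old key' (also the TTL-expiry step): drop only that line."""
    keys = [k for k in parse_keys(authorized_keys) if k != pubkey]
    return "\n".join(keys) + "\n"


def rotate(authorized_keys: str, old_pub: str, new_pub: str,
           verify: Callable[[str, str], bool]) -> tuple[str, str]:
    """Worker rotation sequence: deploy new key -> verify access -> remove old key.

    `verify(staged_content, new_pub)` stands in for the worker's SSH access check
    (hypothetical callback). Returns (authorized_keys content, result) where result
    is 'success' or 'rolled_back'. On verification failure the original content is
    returned unchanged, so the old key keeps working and the host is never left
    without a usable key.
    """
    if old_pub == new_pub:
        return authorized_keys, "success"      # nothing to rotate
    staged = add_key(authorized_keys, new_pub)  # Agent->>Host: Add to authorized_keys
    if not verify(staged, new_pub):             # Worker->>Worker: Verify SSH access
        return authorized_keys, "rolled_back"   # old key untouched, no lock-out
    return remove_key(staged, old_pub), "success"  # Worker->>Agent: Remove old key
```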
Ephemeral key issuance:

```mermaid
sequenceDiagram
    participant User
    participant API
    participant Agent
    participant Host
    User->>API: Request ephemeral key
    API->>API: Validate permissions
    API->>API: Generate key pair (TTL: 5m)
    API->>Agent: Deploy public key
    Agent->>Host: Add to authorized_keys
    API-->>User: Return private key
    User->>Host: SSH connect
    Note over Agent,Host: TTL expires
    Agent->>Host: Remove public key
```

All operations are logged:

User Request → API Server → Audit Logger → PostgreSQL → SIEM (optional)

Each event is stored as a JSON record, for example:

```json
{
  "timestamp": "2026-01-06T10:30:00Z",
  "actor": "user@example.com",
  "action": "key.rotate",
  "resource": "KEY-12345",
  "host": "server01.example.com",
  "result": "success",
  "metadata": {
    "oldAlgorithm": "rsa-2048",
    "newAlgorithm": "ed25519"
  }
}
```