Security model

Tarsail is a deployment transport tool, not a security platform.

Its security model is intentionally explicit: use SSH for transport, copy only configured files, avoid printing secret contents, and leave secret lifecycle management to the operator.

SSH authentication

Tarsail supports three practical SSH paths.

Default SSH behavior

Without --identity-file or --ask-password, Tarsail calls system ssh and scp with the configured target:

tarsail deploy

This uses your normal SSH configuration, including default identities and host aliases where supported by ssh.

Specific private key

tarsail --identity-file ~/.ssh/my-app-deploy-key deploy

or:

tarsail --ssh-key ~/.ssh/my-app-deploy-key deploy

Tarsail passes the key path to ssh and scp. It does not read or upload the private key.

Password authentication

tarsail --ask-password deploy

Tarsail prompts once for the remote user’s SSH password and uses it for remote SSH commands and file uploads during that command.

Password mode:

• does not store the password on disk;
• does not print the password;
• keeps the password only in process memory;
• uses the local ~/.ssh/known_hosts file for host-key verification;
• cannot be combined with --identity-file.

Host-key verification

Password mode uses known_hosts.

If the host is not trusted yet, Tarsail fails and asks you to connect with the system SSH client first:

ssh [email protected]

Verify the host key through a trusted channel before accepting it.

Do not disable host-key checking to make a deployment pass.

Remote command execution

Tarsail runs remote commands with SSH and sh -c.

To reduce shell-injection risk, config validation restricts project names, target names, users, hosts, paths, service names, and managed target paths.

This is why Tarsail rejects many characters that ordinary YAML or shell commands might accept.

Secret transfer

Tarsail transfers secrets only when explicitly configured:

compose:
  env_file:
    source: .deploy/prod.env
    target: shared/.env

secrets:
  - source: .deploy/app.key
    target: shared/secrets/app.key

Configured env and secret files are uploaded to shared/.

They are not included in release bundles.

Redaction

Tarsail redacts common sensitive patterns from command output and errors before printing them.

Redaction is a safety net, not a security guarantee. Avoid commands and Compose configuration that print secrets.

Bundle safety

The release bundle contains:

• manifest metadata;
• the Compose file;
• saved Docker image tar files;
• configured non-secret managed files.

The release bundle does not contain configured compose.env_file or secrets.

On the server, Tarsail checks tar entries before extraction and rejects unsafe archive paths such as absolute paths or parent-directory traversal.

What Tarsail does not secure

Tarsail does not:

• harden the server;
• create users;
• configure sudo;
• install Docker;
• manage firewalls;
• provision TLS certificates;
• rotate secrets;
• encrypt the remote shared/ directory;
• scan images;
• scan source code for secrets;
• manage database credentials;
• back up data;
• guarantee zero downtime;
• enforce application authorization.

Those remain application and infrastructure responsibilities.

Public documentation hygiene

Public examples should use placeholders:

example.com
[email protected]
/opt/my-app
192.0.2.10

Do not publish:

• real production IP addresses;
• private domains;
• real usernames tied to private infrastructure;
• credentials;
• tokens;
• private key paths;
• database URLs with passwords;
• full .env files.

If a secret is committed or pasted into a public issue, rotate it. Deleting the text is not enough.

Recommended deployment posture

For routine deployments:

• prefer SSH key authentication;
• use a dedicated deploy user when possible;
• keep target.path project-specific;
• keep env and secret files outside git;
• use mode: 600 for private files;
• run doctor after server access changes;
• keep application logs from printing env values;
• document database backup and rollback behavior separately.