How 1bash Works
1bash is an early-stage proof of concept. Core functionality is still being built and significant changes are expected.
Overview
1bash is a security scanning platform designed with privacy at its core. We use end-to-end encryption to ensure that your server configuration data remains private until you explicitly choose to share it with our analysis backend.
The key principle: we can't see your data until you approve it.
The Workflow
Generate Scan Token
When you visit the dashboard, your browser generates a unique RSA-2048 keypair. The private key stays in your browser's session storage and never leaves your device; the public key is sent to our backend to create a scan token. Session storage is scoped to the browser tab and is cleared when that tab closes, so complete the scan in the same tab that generated the token.
curl -sL https://1bash.dev/scan | bash -s -- --key YOUR_TOKEN
Run Collection Script
Copy the command and run it on your server. The open-source bash script collects configuration data such as SSH settings, open ports, and system information; all collection happens locally on your server. Because the command pipes a downloaded script straight into bash, you may prefer to fetch it first (curl -sL https://1bash.dev/scan -o scan.sh), read it, and then run it with the same --key argument.
What we collect: hostname, OS version, kernel version, SSH configuration (PermitRootLogin, PasswordAuthentication), open ports, and system uptime.
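As an added example (not 1bash's own collection script), here is how a collector can read the two SSH settings listed above the way sshd itself resolves them: the first occurrence of a keyword wins, keywords are case-insensitive, and anything after a Match line is conditional. The sample sshd_config, the key=value output format and the function names are constructed for this illustration.

```bash
#!/usr/bin/env bash
# Added example, not 1bash's own collection script: read the effective value of an
# sshd_config keyword the way sshd resolves it, and emit the SSH part of a scan record.
set -euo pipefail

# sshd rules this follows: the FIRST occurrence of a keyword wins, keywords are
# case-insensitive, '#' starts a comment, and everything after the first "Match"
# line only applies conditionally. Assumption: we report the global setting, so
# parsing stops at "Match". The rarer "Keyword=value" spelling is not handled.
ssh_option() {
    local file="$1" keyword="$2" default="$3"
    local value
    value=$(awk -v key="$(printf '%s' "$keyword" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, "") }                      # strip comments (re-splits fields)
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # conditional block: stop here
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$file")
    # A keyword absent from the file takes sshd's compiled-in default.
    printf '%s\n' "${value:-$default}"
}

# Emit key=value lines for the settings the page says are collected. The defaults
# are OpenSSH's own (PermitRootLogin has defaulted to prohibit-password since 7.0).
collect_ssh() {
    local file="$1"
    printf 'permit_root_login=%s\n' "$(ssh_option "$file" PermitRootLogin prohibit-password)"
    printf 'password_authentication=%s\n' "$(ssh_option "$file" PasswordAuthentication yes)"
}

# Constructed sample config for the demonstration; not a real server's file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Hardened global settings
Port 22
permitrootlogin no
PasswordAuthentication no
# Ignored by sshd: not the first occurrence of the keyword
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
EOF

collect_ssh "$SAMPLE"
```

Reporting the effective value rather than a literal grep of the file matters for analysis: a second PermitRootLogin line or one inside a Match block is what a naive scan would pick up, while sshd ignores the former globally and applies the latter only to matching sessions.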
Client-Side Encryption
Before sending any data, the script encrypts it under your browser's public key: the payload is encrypted with AES-256-CBC using a randomly generated symmetric key, and the symmetric keys are wrapped with RSA-OAEP so that only your private key can unwrap them. An HMAC over the encrypted payload provides integrity; CBC mode offers none on its own, so the browser must verify the HMAC before it attempts any decryption.
The encrypted payload is sent to our servers. At this point, we store the ciphertext but cannot decrypt it.
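The encrypt-then-wrap scheme described above, as an added example that is not 1bash's code: both sides are done with the openssl command line so the whole round trip runs locally, with the browser's Web Crypto keypair stood in for by an openssl-generated RSA-2048 key. The file names, the enc_key:mac_key envelope layout, and the choice to MAC the IV together with the ciphertext are assumptions of this example, not details taken from 1bash.

```bash
#!/usr/bin/env bash
# Added example, not 1bash's own code: the hybrid scheme the page describes, done with
# the openssl CLI so the round trip runs locally. AES-256-CBC encrypts the payload,
# HMAC-SHA256 authenticates it (encrypt-then-MAC), and both symmetric keys are wrapped
# with RSA-OAEP under the browser's public key. The browser side is simulated here.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Browser side: the RSA-2048 keypair (Web Crypto in the real flow; openssl here).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"

# hmac_tag MAC_KEY_HEX DIR: HMAC-SHA256 over IV || ciphertext, printed as hex.
hmac_tag() {
    { cat "$2/iv.hex"; cat "$2/data.enc"; } \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/.*= //'
}

# Server side: encrypt_payload PUBKEY PLAINTEXT_FILE OUTDIR
# Writes iv.hex, data.enc, tag.hex and wrapped.bin (both keys in one OAEP envelope).
encrypt_payload() {
    local pub="$1" plain="$2" out="$3"
    local enc_key mac_key iv
    enc_key=$(openssl rand -hex 32)   # AES-256 key, fresh per scan
    mac_key=$(openssl rand -hex 32)   # distinct HMAC key; never reuse the cipher key
    iv=$(openssl rand -hex 16)        # fresh IV per message
    printf '%s' "$iv" > "$out/iv.hex"
    openssl enc -aes-256-cbc -K "$enc_key" -iv "$iv" -in "$plain" -out "$out/data.enc"
    hmac_tag "$mac_key" "$out" > "$out/tag.hex"
    # Only the holder of the matching private key (the browser) can unwrap the keys.
    printf '%s:%s' "$enc_key" "$mac_key" \
        | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$out/wrapped.bin"
}

# Browser side: decrypt_payload PRIVKEY DIR prints the plaintext, or fails on a bad MAC.
decrypt_payload() {
    local priv="$1" dir="$2"
    local keys enc_key mac_key expected
    keys=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$dir/wrapped.bin" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256)
    enc_key=${keys%%:*}
    mac_key=${keys##*:}
    expected=$(cat "$dir/tag.hex")
    # CBC has no integrity of its own: verify the MAC before touching the ciphertext.
    if [ "$(hmac_tag "$mac_key" "$dir")" != "$expected" ]; then
        echo "HMAC mismatch: payload rejected" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$(cat "$dir/iv.hex")" -in "$dir/data.enc"
}

# Constructed sample payload, not real collected data.
printf 'hostname=web-1\npermit_root_login=no\n' > "$WORK/plain.txt"
encrypt_payload "$WORK/pub.pem" "$WORK/plain.txt" "$WORK"
decrypt_payload "$WORK/priv.pem" "$WORK"
```

The backend in this model only ever holds iv.hex, data.enc, tag.hex and wrapped.bin, none of which it can open without priv.pem. The tag comparison here is an ordinary string compare, adequate for a fail-closed demonstration; a browser implementation should compare tags in constant time. Two 32-byte keys written as hex fit comfortably in the 190-byte limit of RSA-2048 with SHA-256 OAEP.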
Review & Redact
Your browser automatically fetches the encrypted payload and decrypts it locally using your private key. You see exactly what was collected in an organized, readable format.
You can uncheck any sections you don't want to submit. For example, if you want to exclude SSH configuration or port data, simply uncheck those sections before approval.
Approve & Analyze
When you click "Approve & Submit", your browser sends the decrypted (and optionally redacted) data to our backend. Only at this point can we analyze your server's security posture.
If you choose "Decrypt & Analyze", all collected data is submitted without redaction.
Security Model
End-to-End Encryption
Data is encrypted on your server before transmission. We hold only ciphertext, and the private key needed to read it never leaves your browser; plaintext reaches us only when you approve the scan and your browser submits it.
Browser-Only Keys
Your private key exists only in your browser's session storage and is never transmitted to our servers. When you approve a scan, your browser sends the decrypted data, not the key.
Full Transparency
You see exactly what data was collected before we do. The collection script and encryption logic are open source for audit.
Redaction Control
You control what gets submitted. Uncheck any data sections you want to exclude from analysis.
Token Expiration
Scan tokens expire after 15 minutes, which limits the window in which a leaked token could be used. If your token expires, simply generate a new one from the dashboard. Each token is single-use and tied to a specific scan session.
Security Analysis
Once you approve the data, our backend analyzes your server's security posture. We check for common misconfigurations and vulnerabilities that could expose your system to attacks.
The security analysis engine is currently under development. Check back for updates on available security checks.
Open Source
The collection script and client-side encryption logic will be open source. You'll be able to review the code before running anything on your servers.
Questions?
If you have questions about how 1bash works or need clarification on the security model, reach out to us.