Secure Remote Access.
No VPN. No Exposure.
Cryptographically secured connections between operators and agents. ED25519 identity. AES-256-GCM sessions. Tamper-evident audit.
$ curl -fsSL https://get.tucdesk.app/install.sh | bash
Installing system service + identity...
Registering with rendezvous...
Agent started. systemd online. Linux ready.
$ tucdesk status
Online · 2 agents · 0 sessions · Score: 94/100
VPN Single Point of Failure
A single compromised VPN gateway exposes your entire internal network. One breach = total lateral movement.
LATERAL MOVEMENT
SSH Key Sprawl
Shared credentials, rotated inconsistently across 50+ servers. One leaked key and your attack surface is unlimited.
CREDENTIAL LEAK
Zero Auditability
Legacy tools have no cryptographic audit trail. You can't prove who did what, when, or whether sessions were tampered with.
NO AUDIT TRAIL
One command installs the agent, generates your ED25519 identity, and establishes an encrypted tunnel. No VPN config, no firewall rules, no SSH key distribution.
Session keys negotiated via X25519 Diffie-Hellman. Renewed on every connection.
Cryptographic keypair generated on first install. No passwords. No IP allowlists.
The relay forwards encrypted blobs only. Even if compromised, sessions stay private.
Every session frame is signed. Replay a session byte-for-byte months later.
Every agent has a cryptographic identity: no passwords, no IP allowlists.
TucDesk generates an ED25519 keypair on first install. The public key becomes the agent's permanent address. X25519 Diffie-Hellman negotiates a fresh AES-256-GCM session key for each connection; your relay never sees plaintext.
$ tucdesk agent id
td_peer_7f3a9c2e1b4d8a06
↳ ed25519 pub: 4a7f...b3c9
↳ registered: 2024-01-15 09:42 UTC
↳ relay sees: encrypted blobs only
$ tucdesk fleet run \
--tag prod-db \
--command "systemctl status postgres"
db-01.eu-west  active (running)  38ms
db-02.eu-west  active (running)  41ms
db-03.us-east  active (running)  67ms
3/3 agents responded in 71ms
$ tucdesk recordings list --session sess_4f2a
sess_4f2a · 2024-01-15 · 14m 32s
↳ operator: alice@example.com
↳ agent: td_peer_7f3a9c2e
↳ sig: chain verified (872 frames)
↳ replay: tucdesk replay sess_4f2a
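How a signed frame chain like the one reported as "chain verified (872 frames)" can be checked, as an added example that is not TucDesk's code. The frame layout, the SHA-256 linking and all function names are assumptions; the page names only Ed25519 signing and a tamper-evident chain.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Frame is a hypothetical layout assumed for this example, not TucDesk's format.
type Frame struct {
	Prev    [32]byte // hash of the previous frame, zero for the first
	Payload []byte   // recorded session bytes
	Sig     []byte   // Ed25519 signature over Prev || Payload
}
// link hashes a whole frame, signature included, so the next frame can chain to it.
func link(f Frame) [32]byte {
	return sha256.Sum256(bytes.Join([][]byte{f.Prev[:], f.Payload, f.Sig}, nil))
}
// Record signs each payload together with the hash of the frame before it.
func Record(priv ed25519.PrivateKey, payloads [][]byte) (frames []Frame) {
	var prev [32]byte
	for _, p := range payloads {
		f := Frame{Prev: prev, Payload: p, Sig: ed25519.Sign(priv, append(prev[:], p...))}
		frames, prev = append(frames, f), link(f)
	}
	return frames
}
// Verify returns the index of the first frame with a broken link or bad signature, or -1.
func Verify(pub ed25519.PublicKey, frames []Frame) int {
	var prev [32]byte
	for i, f := range frames {
		if f.Prev != prev || !ed25519.Verify(pub, append(prev[:], f.Payload...), f.Sig) {
			return i
		}
		prev = link(f)
	}
	return -1
}
// Demo builds a chain from a constructed key (fixed seed) and constructed payloads.
func Demo() (ed25519.PublicKey, []Frame) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	out := [][]byte{[]byte("$ systemctl status postgres\n"), []byte("active (running)\n"), []byte("$ exit\n")}
	return priv.Public().(ed25519.PublicKey), Record(priv, out)
}
func main() {
	pub, frames := Demo()
	frames[1].Payload = []byte("inactive (dead)\n") // constructed tampering
	fmt.Println("first bad frame:", Verify(pub, frames))
}
```

Dropping frames from the end still verifies, so a verifier also has to know the expected frame count or final link hash from a record kept outside the recording.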
[iOS Push Notification]
TucDesk - Approval Required
alice wants shell access to db-prod-03 · 14:32 UTC
APPROVE / DENY
Approval signed · token: a7f3...
$ tucdesk ask "which prod servers have
postgres not running?"
Querying 47 agents tagged prod...
db-backup-02  postgres: inactive
db-standby-07  postgres: failed
Run "tucdesk fleet run --tag prod-db
--command 'systemctl start postgres'"
to restart? [y/N]
No IP addresses. No firewall rules. No VPN gateway. Just a cryptographic identity and a P2P tunnel that punches through NAT automatically.
Install Agent
one command, persistent ED25519 identity
Run the installer. The agent generates a unique ED25519 key pair, registers with the rendezvous server, and stays alive as a system service.
curl -fsSL https://get.tucdesk.app/install.sh | bash
Get Peer ID
cryptographic address, no IP needed
Your agent receives a stable Peer ID, a cryptographic address derived from its public key. Share it like a hostname. It never changes.
$ tucdesk agent id
td_peer_7f3a9c2e1b...
Connect
P2P tunnel, E2E encrypted, auto-relay if NAT blocks
TucDesk attempts a direct hole-punch first. If NAT blocks it, an encrypted relay carries the traffic; the relay sees only ciphertext.
$ tucdesk connect td_peer_7f3a9c2e1b
tunnel established (P2P)
See how TucDesk stacks up against VPN, SSH jump hosts, Tailscale, and Teleport across the features that matter for secure remote infrastructure.
| Feature | TucDesk | VPN | SSH Jump | Tailscale | Teleport |
|---|---|---|---|---|---|
| Zero-config P2P | β | β | β | β | β |
| E2E Encrypted | β | β | β | β | β |
| NLC (natural language) | β | β | β | β | β |
| AI Agent MCP | β | β | β | β | β |
| Signed audit recordings | β | β | β | β | β |
| Mobile apps | β | β | β | β | β |
| Self-hostable | β | β | β | β | β |
- Connect agents via SSH-style pairing key
- Tag and group machines for policy and batch operations
- Run commands across tagged fleets in parallel
- Session recording with cryptographically signed playback
- ACL policy: allow/deny by agent, team, tag, time window
$ tucdesk fleet run \
--tag production-db \
--command "systemctl status postgres"
running db-01.prod ok (42ms)
running db-02.prod ok (38ms)
running db-03.prod ok (51ms)
3/3 agents responded
Windows
PowerShell bootstrap, ZIP artifacts, setup installer, and service mode.
Linux
amd64, arm64, and armhf agents with shell, deb, rpm, and apk paths.
Android
Native Compose app with Play Store and self-hosted server profile support.
Zero to connected in 120 seconds.
One command. Detects your platform, installs the agent, generates an ED25519 identity, and puts your machine online, with no firewall configuration required.
1. Install on Desktop
The Linux path is tuned for bare metal, VMs, containers, and cloud instances with service registration plus package artifacts for rollout systems.
- Download Linux packages
- deb / rpm / apk / Snap / AUR
2. Register identity
The agent generates an ED25519 identity, registers with rendezvous, and writes the service profile locally.
curl -fsSL https://get.tucdesk.app/install.sh | bash
3. Connect from anywhere
Use the dashboard, mobile apps, TUI, or MCP tools against the same encrypted agent identity and audit model.
tucdesk status
online · paired · audited
Identity
ED25519 keypair per agent
E2E Encryption
AES-256-GCM on every frame
Signed Audit
Tamper-evident chain
Secure infrastructure access, starting today.
Free for up to 3 agents. No credit card required. Enterprise plans include SSO, compliance exports, and dedicated support.