we removed our own ssh key from your server

as of today, every new 5dive box removes the 5dive admin ssh key at the end of provisioning. we hold zero standing access to your server. not “we promise not to log in.” we can’t.

what changed

until now, 5dive kept an admin key on your box, the way most managed hosting does. it’s how the dashboard talked to your server and how we could fix things if something broke.

that’s gone on new boxes. the dashboard now runs entirely over a per-box tunnel with a token scoped to that one box, and once that path is proven working on your exact box, provisioning strips our key as its final step. the strip is fail-open: if anything looks off, the key stays, ops gets alerted, and your box is unaffected. we verified the whole thing end to end on a live box: the admin key is refused as root and as the agent user, while your own keys and your dashboard keep working untouched.

what it means for you

your server is yours. your bot tokens, your claude credentials, your code, your agents’ memory: all of it lives on a machine that 5dive cannot log into. if you ever want to check, look at ~/.ssh/authorized_keys on a fresh box and count the keys. they’re all yours. (the one exception: while a support grant you tapped is active, you’ll see a single labeled 5dive-support:until-<timestamp> line, and it deletes itself at expiry.)

if you ever do want us in

support didn’t disappear, it changed hands. if your box gets into a state the agent can’t fix from the inside, there’s a button on your maintenance panel that grants us access for 24 hours. the key it installs expires on its own: the expiry is enforced by sshd itself, so it dies on schedule even if every 5dive system is down. you tap, we help, the door closes behind us.
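one way to run the authorized_keys check yourself, as an added example (not code from 5dive or its repo): the script parses the file, classifies every key, and reads any sshd-enforced deadline. it assumes the support grant uses OpenSSH's `expiry-time` key option and that the `5dive-support:` label is the key comment; the sample file, its timestamp format, and the key blobs are constructed.

```python
import re
from datetime import datetime, timezone

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# whitespace split that keeps "quoted option values" (which may hold spaces) in one token
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')
EXPIRY = re.compile(r'(?:^|,)expiry-time="(\d{8}|\d{12}|\d{14})(Z?)"', re.I)
FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}

def parse_expiry(options):
    """Return the expiry-time option as an aware datetime, or None if absent."""
    m = EXPIRY.search(options)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), FORMATS[len(m.group(1))])
    # sshd reads the value in the system time zone unless it ends in Z (UTC)
    return stamp.replace(tzinfo=timezone.utc) if m.group(2) else stamp.astimezone()

def audit(text, now):
    """Return (comment, expires, status) per key line: permanent, temporary or expired."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        # an options field, when present, is the single token before the key type
        options = "" if tokens[0].startswith(KEY_PREFIXES) else tokens.pop(0)
        if len(tokens) < 2 or not tokens[0].startswith(KEY_PREFIXES):
            rows.append(("<unparsed>", None, "unparsed"))
            continue
        expires = parse_expiry(options)
        status = "permanent" if expires is None else ("expired" if expires <= now else "temporary")
        rows.append((" ".join(tokens[2:]), expires, status))
    return rows

def unexpected(rows, label="5dive-support:"):
    """Lines worth a second look: a support-labelled key with no sshd expiry, or anything unparsed."""
    return [r for r in rows if r[2] == "unparsed" or (r[0].startswith(label) and r[2] == "permanent")]

# constructed sample file; key blobs are placeholders, not real keys
SAMPLE = '''# my own keys
ssh-ed25519 AAAA_PLACEHOLDER_1 me@laptop
ssh-ed25519 AAAA_PLACEHOLDER_2 agent@box
expiry-time="20250102120000Z",no-agent-forwarding ssh-ed25519 AAAA_PLACEHOLDER_3 5dive-support:until-20250102T120000Z
'''
```

to run it on a real box, pass the contents of `~/.ssh/authorized_keys` and `datetime.now(timezone.utc)` to `audit()`; every row should be `permanent` with a comment you recognize, plus at most one `temporary` support line.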

the honest edges

first, scope: this whole post is about managed 5dive.com boxes. if you self-host the open-source CLI, none of this ever applied to you: there was never a 5dive key on your machine, and you’ve always had total control.

this is new boxes starting today. existing boxes keep the old setup until we backfill them, which is coming.

one honest asterisk: the dashboard tunnel can still run the open-source 5dive CLI on your box, because that is literally what the dashboard does. every call is audit-logged on your box, the daemon accepts only that one whitelisted binary, and the code is public. what we removed is the unaccountable part: a root shell key.

the runtime is open source if you want to read the provisioning path yourself: github.com/5dive-ai/5dive. and if you don’t have a box yet: 5dive.com. your agents will be the only ones with the keys.