Agent Channel Security Model
Who this is for
Security-conscious operators who want to understand how the CloudAIPilot platform communicates with the agent installed on their servers.
What you will complete
Understand how the agent channel works, what data flows through it, and how it is secured against interception.
What is the agent channel?
The CloudAIPilot server agent is a lightweight service installed on your servers (automatically during provisioning, or manually on imported servers). It creates a secure, persistent communication channel between your server and the CloudAIPilot platform.
The agent channel is responsible for:
- Sending server metrics (CPU, RAM, disk, network) to the platform every 60 seconds
- Receiving operation commands from the platform (restart service, run backup, execute an approved plan)
- Reporting operation results back to the platform
How the channel is secured
Mutual authentication
The agent and the platform authenticate each other on every connection. The agent has a unique identity registered with the platform during installation. The platform verifies the agent's identity before accepting any metrics or executing any commands.
Encrypted command transmission
All commands sent from the platform to the agent (including AI Pilot-proposed operations you have approved) are transmitted over the encrypted channel. An attacker intercepting the network traffic would see only encrypted data.
Post-quantum protection
The command channel uses ML-KEM-768 key encapsulation for the encryption key exchange — the same post-quantum standard described in KB-11-03. This means the channel is protected against future quantum computing attacks, not just today's classical computing threats.
Per-server PQC status is visible in Servers → [Server Name] → Security tab.
No inbound firewall ports required
The agent initiates the connection to the platform — not the other way around. This means your server does not need to open any inbound firewall ports for CloudAIPilot to work. The platform receives the agent's connection and issues commands over the established channel.
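One way to check the outbound-only behaviour described above on your own server. This is an added example, not CloudAIPilot tooling: `example-agent` is a placeholder because this page does not name the agent's process, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example: confirm the agent only dials out and holds no listening socket.
# AGENT_PROC is a placeholder; this page does not name the agent's process.
AGENT_PROC="${AGENT_PROC:-example-agent}"

# Constructed sample in the layout of `ss -Htanp` (state, queues, local, peer, owner).
sample_ss() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=950,fd=6),("nginx",pid=949,fd=6))
ESTAB 0 0 10.0.0.5:51744 203.0.113.10:443 users:(("example-agent",pid=1422,fd=7))
ESTAB 0 0 10.0.0.5:22 198.51.100.7:60222 users:(("sshd",pid=2210,fd=4))
EOF
}

# sockets_for PROC STATE COLUMN: print COLUMN for sockets in STATE owned by PROC.
sockets_for() {
  awk -v tag="(\"$1\"," -v st="$2" -v col="$3" \
    '$1 == st && index($0, tag) { print $col }'
}

# check_agent PROC: reads ss output on stdin.
# Returns 0 = outbound only, 1 = agent has a listening socket, 2 = no connection.
check_agent() {
  _data="$(cat)"
  _listen="$(printf '%s\n' "$_data" | sockets_for "$1" LISTEN 4)"
  _peers="$(printf '%s\n' "$_data" | sockets_for "$1" ESTAB 5)"
  if [ -n "$_listen" ]; then
    echo "FAIL: $1 is listening on: $_listen"
    return 1
  fi
  if [ -z "$_peers" ]; then
    echo "WARN: $1 has no established connection (agent stopped or blocked?)"
    return 2
  fi
  echo "OK: $1 has no listeners; outbound peers: $_peers"
}

# --live inspects this host (run as root so ss can show socket owners);
# with no argument the constructed sample is checked instead.
if [ "${1:-}" = "--live" ]; then
  ss -Htanp | check_agent "$AGENT_PROC"
else
  sample_ss | check_agent example-agent
fi
```

A process with no listening socket needs no inbound allow rule, so an `OK` result here is consistent with leaving the host firewall closed to inbound traffic for the agent.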
What can flow through the channel
From server to platform (outbound from your server):
- Server metrics (CPU, RAM, disk, network, load)
- Operation results and command output
- Agent health status and version
From platform to server (inbound to your server):
- Approved operation commands (service restarts, package installs, backup operations, etc.)
- Key rotation requests
What cannot flow through the channel:
- Raw file contents (unless explicitly requested for a specific AI File Access operation you approved)
- Database query results
- Secret values or credentials stored on the server
Key rotation
To rotate the agent's encryption keys (recommended periodically for high-security environments):
- Go to Servers → [Server Name] → Security tab.
- Click Rotate Keys.
- The platform and agent negotiate new encryption keys. The channel briefly reconnects using the new keys.
- The Security tab updates to show the new key registration date.
What success looks like
- The Security tab on each server shows Post-quantum encryption active status.
- No inbound firewall rules need to be created for CloudAIPilot.
- The agent reports metrics continuously (no gaps in the monitoring dashboard).
Common errors and fixes
"Security tab shows 'Classical fallback'"
Cause: The agent is installed but has not completed PQC key registration.
Fix: Click Activate Post-Quantum Encryption on the Security tab. The platform initiates the PQC key registration process.
"Security tab shows 'Agent not installed'"
Cause: The monitoring and control agent is not running on this server.
Fix: See KB-06-10 for agent installation instructions.
"Security tab shows 'Pending key registration'"
Cause: PQC activation is in progress. This typically takes 30–60 seconds.
Fix: Wait 60 seconds and refresh the page. If still pending after 5 minutes, click Activate again.