Production Hardening

This guide covers the security measures you should take before running an Atlas agent in a production environment.

Checklist

1. Lock down file permissions

Ensure the ~/.atlas/ directory tree has restrictive permissions:

# Key files: owner-only read/write
chmod 600 ~/.atlas/keys/node-key.pem
chmod 600 ~/.atlas/keys/wallet.key

# Directories: owner-only access
chmod 700 ~/.atlas/keys/
chmod 700 ~/.atlas/state/
chmod 700 ~/.atlas/runtime/

# Root directory
chmod 700 ~/.atlas/

atlas wallet init automatically sets wallet.key to 0600, but verify this after any backup or restore operation.

2. Back up your keys

Your agent has two critical key files:

Key         Path                          Purpose
Node key    ~/.atlas/keys/node-key.pem    Ed25519 identity (agent ID)
Wallet key  ~/.atlas/keys/wallet.key      Secp256k1 EVM wallet

Back up both keys to a secure, encrypted location. Losing the node key means losing your agent identity. Losing the wallet key means losing access to funds.

# Example: encrypted backup
tar czf - ~/.atlas/keys/ | gpg --symmetric --cipher-algo AES256 > atlas-keys-backup.tar.gz.gpg

3. Configure the firewall

Atlas uses QUIC (UDP) for peer communication. Open only the necessary port:

# Allow only the Atlas QUIC port (default 4433)
sudo ufw allow 4433/udp

# Deny all other inbound traffic
sudo ufw default deny incoming
sudo ufw enable
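
If running behind a cloud provider firewall, apply the equivalent rules in your security group. If you manage the host over SSH, make sure that access path remains reachable before enabling ufw, because the default-deny policy applies to it as well.

4. Set exec to deny mode

Unless your agent specifically needs to execute commands, disable exec and set the security mode to deny:
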
atlas config set exec.enabled false
atlas config security set-mode deny

If exec is required, use allowlist mode with the minimum set of binaries:

atlas config set exec.enabled true
atlas config security set-mode allowlist
atlas config security allow python3

5. Enable approval workflows

For agents handling payments, enable approvals and set budget limits:

atlas config set approvals.enabled true

Configure budget guardrails in config.toml:

[budget]
auto_approve_limit = 1000000   # Auto-approve up to 1 USDC
max_payment = 50000000         # Max 50 USDC per transaction

6. Use mainnet with a funded wallet

Switch to mainnet only when ready:

atlas wallet set-network mainnet
atlas wallet validate

Verify the deployment is valid and all contract addresses resolve correctly.

7. Configure STUN for NAT traversal

If your agent is behind NAT, configure STUN servers for public address discovery:

[stun]
servers = [
    "stun:stun.l.google.com:19302",
    "stun:stun1.l.google.com:19302"
]

8. Tune transport settings

Adjust transport limits for your expected load:

[transport]
max_connections = 50           # Max concurrent peer connections
max_streams_per_conn = 100     # Max QUIC streams per connection
idle_timeout = 300             # Idle connection timeout (seconds)
enable_relay = true            # Allow relay-assisted connections
offer_relay = false            # Don't offer relay services unless intended
relay_bandwidth_limit = 1048576  # 1 MB/s relay bandwidth limit

9. Configure security parameters

[security]
ban_duration_secs = 3600       # 1 hour ban for misbehaving peers
handshake_limit = 20           # Max concurrent handshakes
max_clock_drift_secs = 300     # 5 min max timestamp drift

[rate_limit]
per_peer_per_minute = 120      # Messages per peer per minute

[reliability]
reconnect_attempts = 5         # Reconnect retries
message_ack_timeout_secs = 5   # ACK timeout
max_queue_size = 256           # Outbound message queue
shutdown_grace_secs = 10       # Graceful shutdown window

10. Run as a system service

Use systemd to run the agent as a service with automatic restarts. See the Steward Node deployment guide for a complete systemd unit file.

Security audit checklist

Use this table for periodic security reviews:

Check            Command                           Expected
Key permissions  ls -la ~/.atlas/keys/             -rw------- on all files
Exec disabled    atlas config show | grep enabled  enabled = false
Security mode    atlas config security show        Mode: deny or allowlist
Network          atlas wallet show                 Correct network for environment
Deployment       atlas wallet validate             Deployment: valid
Firewall         sudo ufw status                   Only 4433/udp allowed
Backups          Verify backup exists              Keys recoverable
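
The permission checks from step 1 and the "Key permissions" audit row, wrapped as a script to run after a backup or restore. This is an added example, not part of the Atlas CLI; the function name atlas_perm_audit is hypothetical, and it assumes only the paths and modes listed in this guide.

```shell
#!/bin/sh
# Added example, not part of the Atlas CLI. Audits the modes set in step 1.
# Usage: atlas_perm_audit [root]    (root defaults to ~/.atlas)
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.
atlas_perm_audit() {
    root="${1:-$HOME/.atlas}"
    bad=0

    # Directories the guide sets to 700.
    for d in "$root" "$root/keys" "$root/state" "$root/runtime"; do
        if [ ! -d "$d" ]; then
            echo "MISSING  $d"
            bad=1
            continue
        fi
        # -prune tests the directory itself without descending into it.
        if [ -n "$(find "$d" -prune ! -perm 700)" ]; then
            echo "BAD MODE $d (want 700)"
            bad=1
        fi
    done

    if [ -d "$root/keys" ]; then
        # Any regular file under keys/ that is not exactly 600.
        loose=$(find "$root/keys" -type f ! -perm 600)
        if [ -n "$loose" ]; then
            echo "$loose" | sed 's/^/BAD MODE /; s/$/ (want 600)/'
            bad=1
        fi
        # The two key files the guide names must be present after a restore.
        for k in node-key.pem wallet.key; do
            if [ ! -f "$root/keys/$k" ]; then
                echo "MISSING  $root/keys/$k"
                bad=1
            fi
        done
    fi
    return "$bad"
}
```

Call it with no argument to audit ~/.atlas, and treat a non-zero exit status as a failed review item.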