by SpenserJ 4783 days ago
I was thinking the same. Perhaps if the setup procedure included a limited-access account that could only run useradd/userdel, I'd consider trying it, but definitely not while root.

Thanks for the feedback. For the one-time server enrollment process, would you be more comfortable having us set up a limited account using a script we provide? We were thinking that there's not necessarily a whole lot of difference between a user who has useradd permissions and a user with root permissions.

Also, we set up Bastio so that we don't have unattended access to your servers. We keep everything encrypted until the moment when we need the keys for account provisioning or keypair deployment.

I'm not sure I'd even go that far. A set of commands showing how to lock down account permissions would work just as well, while allowing me to remain in control. That is a good point though, as Bastio would be able to create unrestricted administrative users anyway.

Where are your encryption keys stored in relation to our connection data?

There are multiple layers of encryption and the keys are distributed in such a way that the client must log in and provide the data facet we store in the browser. The combination of this and other data facets provides the combination that unlocks the private key we use to conduct deployments.