Security model
The agent is open source so that a security team can read exactly what runs on their boxes. This page summarizes the trust model. It is finance-grade by design, because the first clients include regulated finance.
Transport
One outbound WebSocket, TLS with certificate pinning. The agent pins the server's public key (the SPKI hash), not the CA chain, so the pinned endpoint and key are baked into the binary at build time and there is no server address in any on-host file to tamper with. The release and update URL is derived from the same pinned endpoint and uses the same pinned client.
Identity and the rotating key
Registration exchanges a shared team key for a per-server key and a UUID. The team key is used once and never written to disk. The per-server key authenticates the WebSocket and rotates every 7 days with a short overlap. A stolen host yields only its own short-lived, revocable key, not the team key. The server id is the UUID, never the hostname, so two hosts named the same do not collide.
Encryption at rest
The per-server key and local secrets are stored as AES-GCM ciphertext with a key bound to
the machine. The key derivation mixes the machine id with a root-only random seed file
(/etc/wakora/.seed, 0600), so a leaked ciphertext plus a known (world-readable) machine
id is not enough to decrypt. A copied identity or secrets file is useless on another box.
This is machine-id-bound, not TPM-backed, and the docs say so honestly.
Signed everything
- Definitions are ed25519-signed with the publisher key. The agent verifies the signature before running a definition. An invalid signature means the definition is rejected.
- Binaries are signed the same way. Self-update verifies SHA-256 and the ed25519 signature and refuses a downgrade. See Updates.
Least privilege
exec probes are restricted to an allow-list of binaries, with no shell. Secrets are
resolved locally and never sent to the server. The systemd unit is hardened
(ProtectSystem=strict, ReadWritePaths limited to the agent's own directories,
ProtectControlGroups). The agent runs as root today because Speed-2 features (eBPF,
ptrace, allow-listed exec) require it. Baseline mode stops probes from running but is not a
process-level privilege drop. See Baseline mode.
What leaves the host
Metrics, discovery facts, check results, events and traces. Not secret values. This local-only secret handling is a structural compliance edge over cloud SaaS agents.
Two-speed onboarding
The privilege boundary is also the paywall boundary. Speed 1 (baseline) is zero-privilege, zero-risk, and clears a security review fast. Speed 2 (deep and privileged) is opt-in per capability, each grant shown with its exact impact and audited. See Baseline mode.
Trust pack
To shorten a security review, Wakora ships a trust pack you can hand to a security team so they verify the claims themselves, before any certification is in place:
- a threat model, what the agent can and cannot do,
- an SBOM per release (CycloneDX, signed),
- a reproducible-builds attestation (pinned toolchain,
-trimpath, so anyone can rebuild the binary and match the signed release hash), - a data-flow document: metrics and names leave the host, secret values never do.
Because the agent is open source, a reviewer can also read exactly what runs on their boxes rather than take the pack on faith.