Identity Sentinel
The cryptographic identity core for autonomous agents.
What is Identity Sentinel?
Section titled “What is Identity Sentinel?”Identity Sentinel is the foundational security layer of SAP. It provides:
- Sealed Backups — Encrypted, tamper-evident identity snapshots
- Key Management — Hierarchical key architecture (RIK/OK/RK)
- Self-Description — Versioned formats for safe upgrades
- Offline Operation — No network dependencies for core functions
Why It Matters
Section titled “Why It Matters”In a world of autonomous agents, identity is everything:
- How does another agent know you’re who you claim to be?
- How do you prove continuity after a system restore?
- How do you recover from key compromise without losing everything?
Identity Sentinel answers these questions with cryptographic certainty.
Core Concepts
Section titled “Core Concepts”Sealed Backups
Section titled “Sealed Backups”A sealed backup is an encrypted snapshot of an agent’s identity state:
┌─────────────────────────────────────────────────────┐│ Sealed Backup │├─────────────────────────────────────────────────────┤│ Header (authenticated, not encrypted) ││ ├── format: "IdentitySentinel/SealedBackup" ││ ├── formatVersion: 1 ││ ├── createdAt: ISO timestamp ││ ├── cipher: { name: "aes-256-gcm" } ││ ├── kdf: { name: "scrypt", N, r, p } ││ ├── salt, iv (base64) ││ └── contentType │├─────────────────────────────────────────────────────┤│ Ciphertext (encrypted identity data) │├─────────────────────────────────────────────────────┤│ Auth Tag (GCM authentication) │└─────────────────────────────────────────────────────┘Key Properties:
- Self-describing: Contains all parameters needed for decryption
- Tamper-evident: AEAD authenticates both header and ciphertext
- Portable: JSON format works across platforms
Authentication Model
Section titled “Authentication Model”Master Key (passphrase) │ ▼ ┌─────────┐ │ scrypt │ (key stretching) └────┬────┘ │ ▼ 256-bit Key │ ▼ ┌───────────┐ │ AES-256- │ │ GCM │ Header as AAD └─────┬─────┘ │ ├──▶ Ciphertext └──▶ Auth Tag (integrity proof)Design Principles
Section titled “Design Principles”1. Offline-First
Section titled “1. Offline-First”Identity Sentinel operates without any network connectivity:
- No API calls to external services
- No blockchain transactions
- No paid infrastructure dependencies
This ensures your identity remains accessible even during network outages or in air-gapped environments.
2. Cost-Zero Operations
Section titled “2. Cost-Zero Operations”Core identity operations have zero marginal cost:
| Operation | Cost |
|---|---|
| Seal identity | $0 |
| Unseal identity | $0 |
| Verify backup | $0 |
| Generate keys | $0 |
3. Self-Describing Artifacts
Section titled “3. Self-Describing Artifacts”Every sealed backup includes:
- Format identifier and version
- Complete KDF parameters
- Timestamps for audit trails
- Content type for data interpretation
This enables:
- Safe upgrades: New versions can read old formats
- Cross-platform compatibility: Any implementation can process the artifact
- Debugging: All metadata visible for troubleshooting
4. Fail-Safe by Default
Section titled “4. Fail-Safe by Default”The system is designed to fail safely:
- Invalid keys → Authentication failure (no partial decryption)
- Corrupted data → Integrity check fails
- Unknown format → Explicit rejection with version info
Use Cases
Section titled “Use Cases”Agent Identity Backup
Section titled “Agent Identity Backup”const identity = { agent: "aura-assistant", version: "2026.1", publicKey: "did:key:z6Mk...", capabilities: ["web_search", "file_access", "messaging"]};
const sealed = sealIdentity(masterKey, identity);fs.writeFileSync('identity_backup.json', JSON.stringify(sealed));Credential Storage
Section titled “Credential Storage”const credentials = { apiKeys: { /* encrypted API keys */ }, certificates: { /* identity certificates */ }, rotationHistory: [ /* key rotation log */ ]};
const sealed = sealIdentity(masterKey, credentials);State Checkpoints
Section titled “State Checkpoints”const checkpoint = { timestamp: new Date().toISOString(), memoryDigest: "sha256:...", configHash: "sha256:...", lastKnownGood: true};
const sealed = sealIdentity(masterKey, checkpoint);Integration with Key Hierarchy
Section titled “Integration with Key Hierarchy”Identity Sentinel works with the Key Hierarchy:
┌─────────────────────────────────────────────────┐│ Key Hierarchy │├─────────────────────────────────────────────────┤│ RIK (Root Identity Key) ││ └── Signs rotations & recovery assertions ││ ││ OK (Operational Keys) ││ └── Daily operations, session auth ││ ││ RK (Recovery Key) ││ └── Offline, for emergency recovery │└─────────────────────────────────────────────────┘ │ ▼┌─────────────────────────────────────────────────┐│ Identity Sentinel │├─────────────────────────────────────────────────┤│ • Seals key material with master passphrase ││ • Creates tamper-evident backups ││ • Enables offline recovery │└─────────────────────────────────────────────────┘Security Considerations
Section titled “Security Considerations”Strengths
Section titled “Strengths”- Strong encryption: AES-256-GCM (NIST approved)
- Key stretching: scrypt resists brute-force
- Integrity protection: AEAD prevents tampering
- No key escrow: You control your keys
Limitations
Section titled “Limitations”- Key loss = data loss: No recovery without master key
- No forward secrecy: Same key for all sealed data
- Memory requirements: scrypt needs ~256MB RAM
Recommendations
Section titled “Recommendations”- Strong passphrases: Use 20+ character high-entropy keys
- Multiple backups: Use Shadow Replica for redundancy
- Regular rotation: Create new sealed backups periodically
- Secure storage: Protect backup files and manifests
Related
Section titled “Related”- Key Hierarchy — RIK/OK/RK architecture
- PID Structure — Public Identity Documents
- Sentinel Core API — Implementation reference
- Shadow Replica — Distributed backups