Lattice Credentials
wasmCloud hosts use a set of public and private keypairs to sign and verify invocations. Each host is started with:
- a single "cluster seed" (private key)
- one or more "cluster issuers" (public keys)
Deciding on a key management strategy is essential to maintaining security in live environments. The simplest key strategy is for every host to use the same cluster key, which will make the valid list of issuers be a list of one: just the public key that corresponds to the cluster seed.
If it is necessary to distinguish invocations among hosts, generate and use multiple keypairs. Remember that hosts will only accept invocations with issuer public keys that are on their list of issuers, so each host should be given the public keys of all cluster issuers the host should accept.
The cluster seed and issuers are supplied to the host via host config options.
Keypairs (seed + public key) can be generated securely with wash
:
$ wash keys gen cluster
Public Key: CDMTUBVGADIQZFWBUZL7LEF7YHZF6CPSKO3HLOTLBQFY2FHDLZFAMYMD
Seed: SCABNLVRXGEJEG5FBBPMMKMMY37FNKVLDY6YXHVL6WA4IRBEYD6ACIQKV4
Remember that the seed is private, treat it as a secret.
All cluster keys start with the letter C. Cluster seeds therefore start with SC.