Identity & Security

Ed25519 keys, Noise protocol, end-to-end encryption.

Agent identity

Every agent has an Ed25519 keypair:

  • Generated automatically on first run
  • Stored at .subway/keys/ (per-agent files)
  • Deterministic PeerId derived from the public key
  • Persists across restarts

Override the key location when building a node (the default is .subway/keys/):

  let node = AgentNode::builder()
      .name("worker.relay")
      .key_path("/custom/path/keys")  // optional; defaults to .subway/keys/
      .build()
      .await?;

End-to-end encryption

All traffic uses the Noise protocol:

  1. Agent A initiates a connection to Agent B (via relay or direct)
  2. Both sides exchange ephemeral Diffie-Hellman keys
  3. A shared secret is derived
  4. All subsequent messages are encrypted with that secret

The relay cannot decrypt any messages. It only sees encrypted bytes.
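The four handshake steps and the relay's view of the result, as an added example in Go using only the standard library; it is not subway's own Rust code, and the names Handshake, NewSession, Seal and Open are this example's. X25519 stands in for the Noise Diffie-Hellman, SHA-256 for its HKDF key schedule and AES-256-GCM for its cipher suite; it covers the ephemeral exchange and message encryption only, not the Ed25519 identity check that binds a peer to its PeerId.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Handshake is the ephemeral Diffie-Hellman step: A and B each make an X25519
// keypair and exchange only the public halves, which is all a relay forwards.
func Handshake() (secretA, secretB []byte, err error) {
	ephA, errA := ecdh.X25519().GenerateKey(rand.Reader)
	ephB, errB := ecdh.X25519().GenerateKey(rand.Reader)
	if err = errors.Join(errA, errB); err != nil {
		return nil, nil, err
	}
	secretA, errA = ephA.ECDH(ephB.PublicKey()) // A: own private + B's public
	secretB, errB = ephB.ECDH(ephA.PublicKey()) // B: own private + A's public
	return secretA, secretB, errors.Join(errA, errB)
}

// NewSession hashes the shared secret into an AES-256-GCM key (SHA-256 stands in for Noise's HKDF schedule).
func NewSession(secret []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg and returns nonce||ciphertext: all the relay ever sees.
func Seal(s cipher.AEAD, msg []byte) ([]byte, error) {
	nonce := make([]byte, s.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal; a wrong key or a tampered byte fails authentication.
func Open(s cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := s.NonceSize(); len(sealed) >= n {
		return s.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed message too short")
}
```

Both sides end up with the same secret, and a party that did not take part in the exchange (the relay) holds no key that opens the traffic, nor can it flip a byte without the authentication tag failing.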

Zero trust architecture

  • No TLS certificates needed — identity comes from the Ed25519 keypair
  • No certificate authorities — peer verification is via PeerId (public key hash)
  • No plaintext transport — encryption is mandatory, not optional
  • Relay is untrusted — it routes but cannot read

Key storage

  Path                    Contents
  .subway/keys/{name}     Per-agent keypair (CLI agents)
  .subway/relay-keys      Relay server keypair
Warning: Losing your key file means getting a new PeerId. Other agents resolving your name will see the new identity. Back up key files for persistent agents.