Devices & Fingerprints

A device is any server, VM, or container that needs secrets from FyVault.

What is a Device Fingerprint?

A fingerprint is a unique hardware identifier that proves a device is who it claims to be. It prevents:

  • Device impersonation: Another server can’t pretend to be your production server
  • Token replay: Even if someone steals a device token, they can’t use it from a different machine
  • Unauthorized boot: Only registered devices with matching fingerprints can receive secrets

How to Get Your Fingerprint

Linux (EC2, VPS, bare metal)

sudo cat /sys/class/dmi/id/product_uuid
# Output: EC2F3A1B-4C5D-6E7F-8A9B-0C1D2E3F4A5B

Alternative (dmidecode)

sudo dmidecode -s system-uuid

macOS (for testing only)

ioreg -d2 -c IOPlatformExpertDevice | \
  awk -F\" '/IOPlatformUUID/{print $(NF-1)}'

Docker / Kubernetes

For containers, use the host machine's UUID or a stable identifier provided by your orchestrator.
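The commands above each cover one platform. The script below is an added example, not part of the FyVault docs or the FyVault agent: it chains those sources in the order shown (sysfs, then dmidecode, then ioreg), normalizes the result to upper case so the same machine always yields the same string, and refuses values that cannot serve as a unique fingerprint: malformed strings, and the all-zero, all-F and 03000200-... placeholders that some firmware and virtual platforms report instead of a per-machine UUID. The function names and the placeholder list are this example's own choices, not something the page defines.

```shell
#!/usr/bin/env sh
# Added example (not FyVault's own tooling): collect a hardware fingerprint with
# platform fallbacks and reject values that many hosts would share.

# Placeholder UUIDs reported by some firmware and virtual platforms instead of a
# real per-machine value. Registering one of these would let every host that
# reports it pass the fingerprint check, so they are treated as invalid.
PLACEHOLDER_UUIDS="00000000-0000-0000-0000-000000000000 FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF 03000200-0400-0500-0006-000700080009"

# validate_fingerprint VALUE
# Exit 0 when VALUE is a well-formed (8-4-4-4-12 hex) UUID that is not a known
# placeholder; exit 1 otherwise. Case-insensitive.
validate_fingerprint() {
    fp_value=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$fp_value" \
        | grep -Eq '^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$' \
        || return 1
    for p in $PLACEHOLDER_UUIDS; do
        [ "$fp_value" = "$p" ] && return 1
    done
    return 0
}

# read_fingerprint_file PATH
# Print the normalized (upper-case) fingerprint stored on the first line of
# PATH, or exit 1 if the file is unreadable or its content is not usable.
read_fingerprint_file() {
    [ -r "$1" ] || return 1
    fp_raw=$(head -n 1 "$1" | tr -d '[:space:]')
    validate_fingerprint "$fp_raw" || return 1
    printf '%s\n' "$fp_raw" | tr '[:lower:]' '[:upper:]'
}

# get_fingerprint
# Try the page's sources in order and print the first usable value.
get_fingerprint() {
    # 1. Linux sysfs. product_uuid is root-readable on most distributions, so
    #    this step is skipped (not failed) when run unprivileged.
    read_fingerprint_file /sys/class/dmi/id/product_uuid && return 0

    # 2. Linux dmidecode, if installed.
    if command -v dmidecode >/dev/null 2>&1; then
        fp_raw=$(dmidecode -s system-uuid 2>/dev/null | tr -d '[:space:]')
        if validate_fingerprint "$fp_raw"; then
            printf '%s\n' "$fp_raw" | tr '[:lower:]' '[:upper:]'
            return 0
        fi
    fi

    # 3. macOS (testing only, as the page notes).
    if command -v ioreg >/dev/null 2>&1; then
        fp_raw=$(ioreg -d2 -c IOPlatformExpertDevice | awk -F\" '/IOPlatformUUID/{print $(NF-1)}')
        if validate_fingerprint "$fp_raw"; then
            printf '%s\n' "$fp_raw" | tr '[:lower:]' '[:upper:]'
            return 0
        fi
    fi

    # Typical causes: a container without the host's DMI tree mounted, or an
    # unprivileged run on Linux. Callers must not fall back to a made-up value.
    echo "no usable hardware UUID found (run with sudo, or use the host/orchestrator identifier)" >&2
    return 1
}

# Run the collector only when invoked as `sh fingerprint.sh --run`, so the
# functions can also be sourced and reused.
case "${1:-}" in
    --run) get_fingerprint ;;
esac
```

Run it as `sudo sh fingerprint.sh --run` on Linux; a non-zero exit means no trustworthy identifier was found, and that is the moment to use the host's UUID or the orchestrator-provided identifier the page mentions, rather than registering whatever string happened to be available.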

Device Lifecycle

  • Register: Admin registers the device in the dashboard with name + fingerprint
  • Pending: Device is registered but agent not yet installed
  • Active: Agent installed, booting successfully, receiving secrets
  • Stale: Agent hasn’t sent a heartbeat recently (check connectivity)
  • Revoked: Device access permanently removed (compromised machine, decommissioned)

The FyVault Agent

The agent is a lightweight daemon that runs on your server:

curl -fsSL https://get.fyvault.dev | bash -s -- \
  --token YOUR_DEVICE_TOKEN \
  --cloud https://api.fyvault.dev

This command:

  1. Checks system compatibility
  2. Creates a dedicated system user with no interactive access
  3. Installs the agent binary
  4. Configures it to run as a system service
  5. Requires elevated privileges at startup, then permanently drops them

System Requirements

  • Kernel: Linux 4.4+
  • Privileges: Requires elevated privileges at startup, then permanently drops them
  • Distros: Every modern EC2 AMI, Ubuntu 18.04+, Debian 10+, RHEL 8+

Assigned Secrets

Each device receives only the secrets assigned to it. When the agent boots:

  1. Authenticates with the cloud
  2. Receives encrypted bundles for assigned secrets only
  3. Securely stores them in kernel memory
  4. Begins transparent injection based on secret types

You can assign and unassign secrets from the device detail page.