Reinventing Non-Human Identities with Kernel TLS

At Riptides, we’re reshaping how non-human identities (NHIs) are managed and secured. In a world where AI agents, microservices, and containers constantly evolve and communicate, traditional identity systems—based on static or half-dynamic credentials and manual configurations—are no longer enough.

Our solution introduces a custom Linux kernel module, seamlessly integrated with a user space agent and a centralized control plane that serves as the root Certificate Authority (CA). Together, they establish SPIFFE IDs and enforce mutual TLS (mTLS) via kernel TLS (kTLS) possible between all components of your system, ensuring each process is uniquely identified and securely connected.

The Challenge: Identity in Motion

Modern applications, especially AI agents, are inherently dynamic. They scale on demand, shift workloads, and communicate across distributed systems. Managing identity in this fast-moving environment presents several key challenges:

• Scalability: Supporting large volumes of transient processes requires an identity system that scales effortlessly.
• Security: Manual credential handling introduces risk through human error.
• Automation: Rapid provisioning and deprovisioning of services demand a hands-off approach to identity management.

The Riptides Solution: Dual-Layer Identity Architecture

We tackle these challenges with a tightly integrated system that combines kernel-level security with user space flexibility.

Kernel Module with kTLS: Secure by Design

Our Linux kernel module anchors identity at the system level, offering deep integration that makes security unavoidable and invisible to the application layer.

• Socket Lifecycle Interception: The module hooks directly into the socket creation process, intercepting every connection and ensuring it carries secure identity metadata from the outset.
• SPIFFE ID Assignment: In tandem with the user space agent, the module assigns unique, standardized SPIFFE IDs to each process, providing consistent identity across distributed systems.
• mTLS with Hardware Acceleration: Leveraging kTLS, mutual TLS handshakes and encryption operations are offloaded to the kernel and accelerated using hardware capabilities. This reduces latency while preserving high security standards.
• Dynamic Identity Updates: As policies evolve, the kernel module dynamically propagates changes to relevant processes, minimizing risk exposure and ensuring continuous compliance.

User Space Agent and Control Plane: Policy and Authority

While the kernel handles the heavy lifting, our user space agent and control plane provide centralized coordination and policy enforcement.

• User Space Agent: Acts as a bridge between the kernel and control plane, synchronizing identity data and managing logs, policy updates, and lifecycle events.
• Policy Framework: Defines how identities are assigned and who can talk to whom. Rules are authored centrally and distributed securely, enabling fine-grained control over inter-process communication.
• Control Plane (Root CA): Issues and manages SPIFFE-linked certificates. It oversees provisioning, renewal, and revocation through continuous interaction with the user space agent, ensuring credentials remain current and trustworthy.

Open, Efficient, Trusted Kernel Component

Because the kernel module plays a critical role, trust and transparency are essential. We plan to open-source the module, allowing users to build it using DKMS or download attested binaries from our repository.

• Performance Optimization: Operating in kernel space reduces overhead and latency. Offloading cryptographic operations to kTLS improves performance, freeing applications to focus on their core logic.
• Real-Time Enforcement: Security policies are updated and enforced in real time, keeping all system processes aligned with the latest configurations.
• Seamless Integration: Applications benefit from secure communication channels without needing to implement mTLS logic themselves. Everything happens under the hood.

Perfectly Suited for AI Agents

AI agents are an ideal use case for our architecture, given their need for speed, adaptability, and security.

• Instant Provisioning: Automated identity issuance allows agents to come online securely in seconds.
• Adaptive Trust: Real-time updates ensure that even as agents change behavior or context, they remain properly authenticated.
• Minimal Overhead: Hardware-accelerated mTLS keeps communication fast and secure.
• Controlled Communication: Our policy framework enforces strict boundaries, allowing only authorized interactions among agents.

Conclusion: Identity at the OS Layer

Riptides is redefining non-human identity by embedding trust deep into the operating system. Through the use of SPIFFE IDs, kernel-based mTLS, and a dynamic policy framework governed from a centralized control plane, we deliver a solution that is secure, scalable, and built for the fluid demands of modern software — especially the fast-growing world of AI.

By anchoring identity in the kernel and orchestrating it via a flexible user space layer, we’re creating a foundation where secure communication is the default, not an afterthought.

We’d love your feedback. Let’s shape the future of identity together.