Process Hash Attestation
Process Hash Attestation enables strong workload (process) attestation for organizations that require verification of a client workload's executable binary. At runtime, Aembit calculates the SHA-256 hash of the workload's executable and embeds it in the subject claim of the tokens it issues: JWT-SVIDs, OIDC ID Tokens, or Vault Client Tokens. Because the hash is collected from the running process rather than supplied by configuration, it lets organizations apply zero-trust controls in which only approved binaries can access protected services.
Key concepts
- Runtime hash collection - Aembit dynamically collects the hash of the running binary and inserts it into the token at runtime.
- Process Hash Attestation - Aembit calculates the SHA-256 hash of the workload binary at runtime and includes it in the token claims, allowing policies to enforce access only for known, approved binaries.
- Dynamic Claims - Configure a Credential Provider (JWT-SVID, OIDC ID Token, or Vault Client Token) to include the process hash in a dynamic subject or custom claim, for example:
  spiffe://trust-domain-name/path/${client.executable.hash.sha256}
- SPIFFE Integration - Aembit embeds the process hash in the SPIFFE ID, which supports integration with Entra ID and other SPIFFE-aware systems.
How process hash attestation works
1. Configuration - An administrator configures a Credential Provider with a dynamic claim that references the process hash variable.
2. Policy Directive - Aembit Cloud (the control plane that evaluates policies and coordinates credential issuance) instructs the Agent Proxy to collect the process hash.
3. Hash Collection - The Agent Proxy locates the binary for the proxied process, calculates its SHA-256 hash, and sends the hash to Aembit Cloud.
4. Token Issuance - Aembit Cloud generates the token and inserts the hash value into the configured claim (subject or custom claim).
5. Verification - Downstream services or identity providers (for example, Entra ID) compare the hash in the claim against an approved list and grant access only on an exact match.
Supported Credential Providers
Process hash attestation is available for the JWT-SVID, OIDC ID Token, and Vault Client Token Credential Providers.
Example
A dynamic subject claim might look like:
spiffe://trust-domain-name/path/${client.executable.hash.sha256}
If the hash is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, the resulting claim would be:
spiffe://trust-domain-name/path/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Pre-calculating the executable hash
To verify your configuration or troubleshoot issues, you can calculate an executable's SHA-256 hash yourself and compare it with the value that appears in the issued claim. The Agent Proxy always provides the hash as lowercase hexadecimal, which matters for consuming systems such as Entra ID: keep any approved-hash list you maintain in the same lowercase form, and hash the same file that the proxied process actually executes.
On Windows, use Get-FileHash and convert the result to lowercase (Get-FileHash returns uppercase hex):
$hash = (Get-FileHash <path-to-executable>).Hash.ToLower()
Write-Output $hash
# Output: aca992dba6da014cd5baaa739624e68362c8930337f3a547114afdbd708d06a4
On Linux, use sha256sum (if <executable> is a symlink, sha256sum hashes the file it points to):
sha256sum $(which <executable>)
# Output: aca992dba6da014cd5baaa739624e68362c8930337f3a547114afdbd708d06a4  /path/to/executable
Implementation flow
1. An administrator configures a JWT-SVID, OIDC ID Token, or Vault Client Token Credential Provider with a dynamic subject or dynamic custom claim containing ${client.executable.hash.sha256}.
2. Aembit Cloud instructs the Agent Proxy to collect the process hash.
3. The Agent Proxy calculates the hash and sends it to Aembit Cloud.
4. Aembit Cloud generates the token and substitutes the collected hash for ${client.executable.hash.sha256}. With the hash from the example above, this results in a claim like:
spiffe://trust-domain-name/path/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
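The implementation flow above, and the "How process hash attestation works" section before it, describe three mechanical stages: locate and hash the binary, substitute the hash into the claim template, and verify the resulting subject against an approved list. The following Python script is an added illustration of those stages and is not Aembit's own code. It assumes Linux procfs to locate a process's executable (the page does not say how the Agent Proxy locates the binary, so /proc/<pid>/exe is an assumption about the mechanism), and the function names, trust domain, path and allow list are all made up for the example. It also serves as a cross-platform counterpart to the sha256sum and Get-FileHash commands in the pre-calculation section.

```python
"""Added example (not Aembit's code): hash a process's executable, render an
Aembit-style dynamic claim, and perform the downstream allow-list check."""
import hashlib
import os
import re
import sys
from pathlib import Path

# Variable name used in Aembit dynamic claim templates (taken from the page).
HASH_VAR = "${client.executable.hash.sha256}"
# The Agent Proxy emits lowercase hex; anything else is treated as invalid.
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def is_valid_hash(hash_hex: str) -> bool:
    """True only for exactly 64 lowercase hex characters."""
    return SHA256_HEX.fullmatch(hash_hex) is not None


def executable_path_for_pid(pid: int) -> Path:
    """Locate the binary backing a running process.

    Assumption: Linux procfs. /proc/<pid>/exe is the kernel's view of the mapped
    executable, so it points at the right file even if the process was started
    through a symlink or the on-disk name changed after launch.
    """
    return Path(os.readlink(f"/proc/{pid}/exe"))


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 as lowercase hex (hashlib's hexdigest() is always lowercase)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def render_claim(template: str, hash_hex: str) -> str:
    """Substitute the collected hash into a dynamic claim template (token issuance).

    Refuses a malformed hash so a bad value cannot silently end up in a subject.
    """
    if not is_valid_hash(hash_hex):
        raise ValueError("process hash must be 64 lowercase hex characters")
    if HASH_VAR not in template:
        raise ValueError(f"template does not reference {HASH_VAR}")
    return template.replace(HASH_VAR, hash_hex)


def verify_subject(subject: str, trust_domain: str, path_prefix: str,
                   approved_hashes: set[str]) -> bool:
    """Downstream allow-list check (verification stage).

    Expects subject == spiffe://<trust_domain><path_prefix><hash>. The trust
    domain and path are checked before the hash so an approved hash presented
    under a different trust domain is not accepted. The comparison is exact and
    case-sensitive, which is why the allow list must be kept in lowercase hex.
    """
    prefix = f"spiffe://{trust_domain}{path_prefix}"
    if not subject.startswith(prefix):
        return False
    hash_hex = subject[len(prefix):]
    if not is_valid_hash(hash_hex):
        return False
    return hash_hex in approved_hashes


if __name__ == "__main__":
    # Usage: python attest.py <pid>  (Linux only; needs permission to read /proc/<pid>/exe)
    pid = int(sys.argv[1])
    exe = executable_path_for_pid(pid)
    digest = sha256_of_file(exe)
    template = "spiffe://trust-domain-name/path/" + HASH_VAR  # template from the page
    subject = render_claim(template, digest)
    print(f"{exe} -> {digest}")
    print(subject)
    # Hypothetical allow list; in practice populate it from the sha256sum output
    # of your approved builds, in lowercase.
    approved = {digest}
    print("verified:", verify_subject(subject, "trust-domain-name", "/path/", approved))
```

The verifier checks the trust domain and path before it looks at the hash, and it rejects uppercase hex outright rather than normalising it: a consumer that lower-cases on its side would hide the mismatch that the lowercase note in the pre-calculation section warns about.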
Diagram
The following diagram illustrates the process hash attestation workflow:
Limitations
- Supported Binaries - Only native compiled binaries (for example, C++, Go) are supported in this release. Interpreted scripts (Python, Bash, etc.) and VM-based applications (Java, .NET) aren't yet supported; for those, the executable of the process is the interpreter or runtime, so its hash would not identify the application code.
- Platform Support - Process hash collection isn't supported on Windows VMs.
- Hash Algorithm - Aembit currently uses SHA-256 only.
- Caching - Aembit calculates the hash at runtime rather than caching it, for security. If Aembit introduces caching, its limitations will be documented.
Security and compliance
- Zero-Trust Enforcement - Only binaries with approved hashes can access protected resources.
- Runtime Attestation - Aembit calculates hashes at runtime, so a binary that has been modified or replaced produces a different hash and no longer matches the approved value.
- Auditing - Aembit logs process hash-based attestation events for compliance and auditing.