WoSP and AMTD
What is WoSP?
WoSP (Workload Security Proxy) is an Envoy WASM filter that runs as a sidecar container (xtra-wasm) in every blueprint pod. It intercepts all inter-pod traffic and handles authentication and encryption automatically. Engineers configure it via secrets in 02-secrets.yaml; after that, it operates without intervention.
From your application's perspective, WoSP is invisible. Your app.py sends messages to localhost:<egress_port>; WoSP intercepts them, applies Zero Trust identity verification, encrypts the payload, and forwards to the destination pod. Inbound messages are decrypted and verified by WoSP before your app ever sees them.
What is AMTD?
AMTD (Automated Moving Target Defense) is the key rotation mechanism WoSP uses to prevent credential theft. Every 5–30 seconds, WoSP generates a new workload identity and invalidates the previous one. An intercepted credential becomes worthless within seconds — before an attacker can make use of it.
This is distinct from traditional certificate rotation, which typically happens on a schedule of days or months. AMTD operates on a sub-minute cycle, making the attack window practically zero.
Two WoSP modes
| Mode | Technical Name | Key Rotation Scope | Best For |
|---|---|---|---|
| Armored Tunnel | xtra4 | Per TCP session | WebSocket, gRPC, persistent connections |
| Armored Car | xtra7 | Per HTTP request | REST APIs, external-facing gateways |
The mode is set at composition time and is reflected in the blueprint's CHIPS_ALGORITHM credential. You do not configure it directly — the blueprint manifests contain the complete WoSP configuration for the chosen mode.
Credentials WoSP needs
Three credentials are required for WoSP to initialize:
| Credential | Purpose |
|---|---|
| HOPR_LICENSE | Validates the customer's license against the Hopr service |
| HOPR_KEY | The workload's base identity key used for AMTD rotation |
| CHIPS_ALGORITHM | Specifies the WoSP operating mode (xtra4 or xtra7) |
A fourth credential, HOPR_API_TOKEN, is used for runtime API calls during AMTD rotation. All four are injected into 02-secrets.yaml at delivery time.
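A pre-deployment check for the credential set described above, added here as an example and not part of the Hopr tooling. It assumes 02-secrets.yaml holds a Kubernetes Secret whose credentials live under stringData (plain) or data (base64), and the sample secrets below are constructed; the placeholder heuristic (angle-bracketed values) is also an assumption.

```python
import base64
from typing import Optional

# Page facts: three credentials gate initialization, the fourth serves runtime rotation.
REQUIRED_FOR_INIT = ("HOPR_LICENSE", "HOPR_KEY", "CHIPS_ALGORITHM")
RUNTIME_ROTATION = "HOPR_API_TOKEN"
MODES = {
    "xtra4": "Armored Tunnel (key rotation per TCP session)",
    "xtra7": "Armored Car (key rotation per HTTP request)",
}


def secret_values(secret: dict) -> dict:
    """Merge a Kubernetes Secret's stringData (plain) and data (base64) maps."""
    values = dict(secret.get("stringData") or {})
    for key, encoded in (secret.get("data") or {}).items():
        values.setdefault(key, base64.b64decode(encoded).decode())
    return values


def check_wosp_secret(secret: dict) -> list:
    """Return a list of problems; an empty list means WoSP has what it needs."""
    problems = []
    values = secret_values(secret)
    for key in REQUIRED_FOR_INIT:
        val = values.get(key, "").strip()
        if not val:
            problems.append(f"{key} missing or empty: WoSP will not initialize")
        elif val.startswith("<") and val.endswith(">"):  # assumed delivery placeholder form
            problems.append(f"{key} still holds a placeholder value: {val}")
    if not values.get(RUNTIME_ROTATION, "").strip():
        problems.append(f"{RUNTIME_ROTATION} missing: AMTD runtime rotation calls will fail")
    mode = values.get("CHIPS_ALGORITHM", "").strip()
    if mode and mode not in MODES:
        problems.append(f"CHIPS_ALGORITHM={mode!r} is not a WoSP mode; expected one of {sorted(MODES)}")
    return problems


def wosp_mode(secret: dict) -> Optional[str]:
    """Human-readable mode the blueprint will run in, or None if unrecognised."""
    return MODES.get(secret_values(secret).get("CHIPS_ALGORITHM", "").strip())


GOOD_SECRET = {  # constructed sample, shaped like a filled-in 02-secrets.yaml
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "hopr-wosp-credentials"},
    "stringData": {"HOPR_LICENSE": "lic-EXAMPLE-0001", "HOPR_KEY": "key-EXAMPLE-0001",
                   "HOPR_API_TOKEN": "tok-EXAMPLE-0001", "CHIPS_ALGORITHM": "xtra7"},
}
BAD_SECRET = {  # constructed: base64 'data' form, HOPR_KEY absent, unknown mode value
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "hopr-wosp-credentials"},
    "data": {"HOPR_LICENSE": base64.b64encode(b"lic-EXAMPLE-0002").decode(),
             "HOPR_API_TOKEN": base64.b64encode(b"tok-EXAMPLE-0002").decode(),
             "CHIPS_ALGORITHM": base64.b64encode(b"xtra9").decode()},
}
```

Run the checker over the parsed secret (for example via `yaml.safe_load`) before `kubectl apply`; a non-empty result means the sidecar would start without a usable identity.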
Tip
You do not configure WoSP directly. The blueprint manifests contain the complete WoSP configuration. Your job is to fill in the credentials and deploy.