Every ProxyPass node has an identity derived from the CPU ID of the machine it runs on. This identity is not a random UUID generated at install time. It is deterministic — the same hardware always produces the same node ID.
Why This Matters
Because it prevents a class of attacks that software-only identities cannot stop.
If node IDs were random UUIDs stored in a configuration file, cloning a machine would clone its identity. Someone copies the disk of a legitimate node to another machine, and now two devices claim to be the same node. With software-only identity, both would appear valid.
With hardware-bound IDs, the clone generates a different node ID because it runs on different hardware. It cannot impersonate the original node. If the clone tries to register, it appears as a new, unauthorized device — which a protected group would reject outright.
Scenario: The Stolen Laptop
An employee's laptop has a ProxyPass node installed — providing access to internal infrastructure while working remotely. The laptop is stolen from a hotel room. The thief extracts the disk and mounts it on a different machine, hoping to access the company's network through the ProxyPass tunnel.
The stolen configuration includes the API key. But when the thief's machine runs the node, it generates a different node ID from its own CPU. The ProxyPass cloud sees an unknown node trying to authenticate — it does not match any registered device. If the group is protected, the registration is rejected. If the group uses individual keys, the key does not match the hardware ID. The stolen credentials are useless.
Meanwhile, the company blocks the original node from the dashboard. Even if the original laptop is powered on, it is quarantined. Two layers of protection, both working independently.
Inventory Guarantee
For fleet operators, hardware-bound IDs provide an inventory guarantee. Every node in your dashboard corresponds to a specific, physical piece of hardware. Node count equals device count. There is no way to inflate the fleet by cloning machines or sharing configuration files.
Combined with individual API keys and protected groups, hardware-bound IDs create a multi-layered identity system. The hardware ensures uniqueness. The API key ensures authorization. Protected groups ensure explicit registration. All three would need to be compromised simultaneously to gain unauthorized access.