Craton HSM

Enterprise Licensing

Craton HSM Enterprise is distributed under the Business Source License 1.1 (BSL 1.1). BSL is a source-available license: the source is published, you can read and modify it, and there is a deterministic path to Apache-2.0 — but until a version's Change Date, production competing use requires a commercial license from Craton Inc.

The Apache-2.0 core (craton-hsm-core) is unaffected by this page.

Source-Available vs. Open-Source

BSL 1.1 is not an OSI-approved open-source license. The practical differences for Enterprise are:

  • Source code is public and modifiable for internal, academic, and non-commercial use.
  • Competing use of an unconverted version requires a commercial license.
  • On the per-version Change Date, that version automatically converts to Apache License 2.0 and may then be used for any purpose.

If you are building an open-source project that merely consumes Craton HSM Enterprise as a dependency and does not generate revenue, you are inside the BSL Additional Use Grant; see "What IS Permitted Without a Commercial License" and "What IS a Competing Use" below.

The Change Date Clock

For every released version of Enterprise, the Change Date is fixed at release time and does not move with later releases. It is the earlier of:

  1. Four years after that version's first public Git tag, or
  2. A hard cap of 2030-03-13, which is four years after the initial 0.1.0 release on 2026-03-13.

The hard cap guarantees every 0.x release converts to Apache-2.0 no later than 2030-03-13, regardless of how many patch releases ship between now and then.

Version  BSL Start   Change Date  Change License
0.1.0    2026-03-13  2030-03-13   Apache-2.0
0.1.1    2026-04-17  2030-03-13   Apache-2.0

Each new release appends a row. The Change Date encoded in that version's LICENSE-BSL file at release time is immutable.

Competing Use, Defined

A "Competing Use" is any use of Enterprise to provide a product or service that competes with Craton HSM. The BSL text lists, without limitation:

  1. Providing an HSM, KMS, cryptographic appliance, or certificate authority product offered to third parties.
  2. Providing a managed or hosted cryptographic key-management or signing service.
  3. Creating, distributing, or selling a product whose primary function is cryptographic key storage, key management, or cryptographic operations.
  4. Providing FIPS 140-validated or Common Criteria-certified cryptographic services using Enterprise as a component.
  5. Offering consulting, integration, or support services for Enterprise to third parties without a commercial license from Craton Inc.

What IS Permitted Without a Commercial License

The license grants these uses explicitly:

  • Internal evaluation, development, and testing. Running Enterprise inside your own infrastructure to evaluate it or to build against it.
  • Non-commercial open-source projects. Projects that do not generate revenue may depend on Enterprise.
  • Academic and research use. Teaching, coursework, and published research.
  • Dependency use in non-crypto products. Using Enterprise inside an application where cryptographic key management is not the primary function. Example: a web application that happens to store session signing keys in Craton HSM is not a "Competing Use" because the web application is not itself a key-management product.
  • Personal or hobby projects with no commercial distribution.

What IS a Competing Use

These uses require a commercial license before the Change Date:

  • Shipping a key-management SaaS backed by Enterprise.
  • Selling a signing appliance, smart-card middleware, or code-signing service in which Enterprise does the cryptographic work.
  • Offering a managed PKI / CA service built on Enterprise.
  • Embedding Enterprise in a product and pursuing FIPS or Common Criteria validation for resale.
  • Selling third-party consulting, integration, or support contracts scoped to Enterprise.

When in doubt, the governing question is: does the product or service I am offering compete with a Craton HSM product or with a product whose primary function is cryptographic key management? If yes, contact licensing@craton.io before deployment.

Commercial Licensing Path

Commercial licenses are available from Craton Inc. and typically cover:

  • Redistribution inside a commercial HSM / KMS / signing product.
  • Managed-service and SaaS deployments.
  • FIPS 140 and Common Criteria validation projects that use Enterprise as a validated component.
  • Support, integration, and consulting scoped to Enterprise.

For pricing and terms, email licensing@craton.io.

Practical Effects of the BSL Clock

  • Any version you deploy today converts to Apache-2.0 by 2030-03-13 at the latest. Once converted, that version may be used for any purpose, including competing use.
  • Later versions have their own Change Dates. Upgrading from a converted version to a newer BSL version re-enters the BSL terms for that newer version.
  • Each version's license file carries its own Change Date. When in doubt, read the LICENSE-BSL in the version you are running.