Craton HSM

Enterprise Overview

Enterprise Overview

Craton HSM Enterprise is a source-available add-on bundle that sits on top of the Apache-2.0 core. It supplies the pieces a production HSM deployment needs that are out of scope for the core library: FIPS-validated crypto, vendor hardware backends, enterprise identity, multi-node replication, KMIP, cloud integrations, and FIPS 140-3 certification tooling.

Enterprise is distributed under the Business Source License 1.1. Each version automatically converts to Apache-2.0 four years after release, or on 2030-03-13, whichever comes first.

What Enterprise Adds

Every Enterprise crate implements or composes with the CryptoBackend trait defined in craton-hsm-core. Application code stays backend-agnostic: swapping RustCryptoBackend for AwsLcBackend buys FIPS validation, and swapping it for Pkcs11PassthroughBackend pushes key material into a hardware token.

                           Apache-2.0 core
                      +----------------------+
                      |     craton-hsm       |
                      |  CryptoBackend trait |
                      |  PKCS#11 ABI, audit  |
                      +----------+-----------+
                                 |
         +-----------------------+---------------------+
         |                       |                     |
  Software backends       Hardware backends    Enterprise services
  (BSL 1.1)               (BSL 1.1, `hw`)      (BSL 1.1)
  - craton-hsm-awslc      - craton-hsm-nxp     - craton-hsm-auth
  - craton-hsm-openssl    - craton-hsm-infineon - craton-hsm-cluster
  - craton-hsm-cng        - craton-hsm-pkcs11  - craton-hsm-kmip
                                                - craton-hsm-cloud
                                                - craton-hsm-certified

Crate Matrix

CrateRoleDefault buildHardware / external dep
craton-hsm-awslcFIPS-validated software crypto via aws-lc-rsAvailableGo 1.21+ at build time for fips feature
craton-hsm-opensslNon-FIPS crypto over system OpenSSL 3AvailableOpenSSL 3.x headers and libraries
craton-hsm-cngWindows CNG / BCrypt crypto, FIPS-dispatch modeAvailable (Windows only)Windows 10 / Server 2016 or newer
craton-hsm-pkcs11Passthrough to vendor PKCS#11 tokensAvailableVendor PKCS#11 .so / .dll
craton-hsm-authRBAC, LDAP, cert, MFA, OIDC, tenants, dual-controlAvailableOptional per-provider features
craton-hsm-clusterRaft consensus, replication, snapshots, healthAvailableTokio runtime, fsync-capable FS
craton-hsm-kmipKMIP 1.4-subset server, TTLV codecAvailableTLS terminator with mTLS
craton-hsm-cloudKubernetes CSI, AWS/Azure/Vault shimsReference / mockDouble opt-in for mock backends
craton-hsm-nxpNXP HSE backend for S32G / S32K3Available (stub without hw)NXP HSE SDK for hw feature
craton-hsm-infineonInfineon SLB 9670 / 9672 TPM 2.0 backendAvailable (stub without hw)libtss2-esys 4.0+ for hw feature
craton-hsm-certifiedReproducible builds, CMVP artifacts, ACVP harnessAvailableNIST ACVP vectors (external)

See the compatibility matrix for tested OS, toolchain, and vendor library versions.

Build and Feature-Flag Model

All Enterprise crates share a single Cargo workspace and a common MSRV of Rust 1.75. The crates pull the core library in as a sibling directory; clone both repositories side by side:

craton-hsm/
  craton-hsm-core/        Apache-2.0, upstream
  craton-hsm-enterprise/  BSL 1.1, this workspace

A default build is safe to run end-to-end against software crypto:

cargo build --workspace
cargo test --workspace
cargo clippy --workspace -- -D warnings

Feature flags opt into functionality that has external dependencies, extra runtime cost, or deliberate operational risk. The full feature surface is:

CrateFeaturePurpose
craton-hsm-awslcfipsBuild aws-lc-rs in FIPS mode (needs Go 1.21+)
craton-hsm-authldap-authLDAP / Active Directory provider
craton-hsm-authoidc-authOpenID Connect provider
craton-hsm-authcert-authX.509 client certificate provider
craton-hsm-nxphwLink NXP HSE host library, enable real HSE calls
craton-hsm-infineonhwLink libtss2-esys, enable real TPM 2.0 calls
craton-hsm-cloudmock-insecure-do-not-shipExpose in-memory mock backends (testing only)
craton-hsm-kmipinsecure-static-tokenSingle-token KMIP auth (testing only)
craton-hsm-clusterinsecure-no-cluster-secretBuild a cluster node without an HMAC key (testing only)

The insecure-* and mock-* features are double-gated: they require both the compile-time feature and an environment variable (CRATON_HSM_ALLOW_INSECURE_STATIC_TOKEN=1 or CRATON_HSM_ALLOW_MOCK=1) at process start, so an accidentally-featured binary still refuses to run in insecure mode.

When to Choose Enterprise

Pick Enterprise when any of the following apply:

  • You need FIPS 140-3 validation, or you build for a market that requires it. craton-hsm-awslc with the fips feature is the intended FIPS boundary.
  • You need an enterprise identity provider: LDAP / Active Directory, OIDC, mTLS-based client-cert auth, MFA, or dual-control for destructive operations.
  • You want multi-tenant key isolation with per-tenant quotas.
  • You deploy an HA cluster and need Raft-based key replication, snapshots, and authenticated inter-node RPCs.
  • You need a KMIP endpoint so existing clients can use Craton HSM without code changes.
  • You run on Kubernetes and want a CSI driver, or you are integrating with AWS KMS / Azure Key Vault / HashiCorp Vault surfaces.
  • You target a vendor HSM (Thales Luna, Entrust nShield, AWS CloudHSM, YubiHSM, SoftHSM2) via PKCS#11, or embedded hardware (NXP HSE, Infineon TPM 2.0).
  • You are preparing a CMVP submission and need the reproducible-build, ACVP harness, and binary-signing tooling that lives in craton-hsm-certified.

If none of those apply, the Apache-2.0 core alone is sufficient, and avoids the BSL competing-use restriction.

Status Summary

  • Production-ready: craton-hsm-awslc (with and without fips), craton-hsm-openssl, craton-hsm-cng, craton-hsm-pkcs11, craton-hsm-auth, craton-hsm-cluster, craton-hsm-kmip, craton-hsm-certified.
  • Pre-release hardware backends: craton-hsm-nxp and craton-hsm-infineon. The stub builds (default) are stable; the hw feature has not been validated end-to-end against production firmware.
  • Reference / mock: craton-hsm-cloud. The in-tree implementations are mocks behind a double opt-in. Production deployments are expected to re-implement the public traits against real transport stacks.

Related Documents