License
Craton HSM ships as two repositories under two different licenses. This page explains what each license allows, how the Contributor License Agreement fits in, and where to find the third-party license inventory.
Nothing on this page is legal advice. For anything beyond the
summary — especially if you are planning a commercial deployment of the
Enterprise crates — consult the actual LICENSE files in each
repository, and contact licensing@craton.io when in doubt.
Summary
| Component | License | SPDX identifier | File |
|---|---|---|---|
| craton-hsm-core | Apache License 2.0 | Apache-2.0 | craton-hsm-core/LICENSE |
| craton-hsm-enterprise | Business Source License 1.1 | BUSL-1.1 | craton-hsm-enterprise/LICENSE-BSL |
| Enterprise change notice | Apache-2.0 post-Change-Date | — | craton-hsm-enterprise/LICENSE-CHANGE |
Core — Apache-2.0
craton-hsm-core is licensed under the Apache License, Version 2.0. In
summary, the license grants:
- Commercial use, including in proprietary products.
- Modification and redistribution, both as source and as binary.
- Sublicensing.
- A patent grant from the contributor to downstream users covering patents necessarily infringed by the contribution.
You must:
- Preserve copyright and license notices.
- State significant changes made to the source.
- Include a copy of the Apache-2.0 license with any redistribution.
- Not use the "Craton" or "Craton HSM" trademarks in a way that implies endorsement — see governance.
Apache-2.0 is OSI-approved open-source. There is no dual license on the
Core repository; every file is Apache-2.0. See craton-hsm-core/LICENSE
for the full text.
Enterprise — BSL-1.1 (Source-Available)
craton-hsm-enterprise is licensed under the Business Source License
1.1. BSL-1.1 is source-available, not OSI open-source. The Licensor
is Craton Inc.
Permitted non-production use
You can, without a commercial license:
- Internally evaluate, develop, and test against the Enterprise crates.
- Use them in non-commercial open-source projects that do not generate revenue.
- Use them for academic and research purposes.
- Use them as a dependency in applications where cryptographic key management is not the primary function of the application.
- Use them in personal or hobby projects without commercial distribution.
Competing Use — requires a commercial license
A Competing Use is any use of the Enterprise workspace to provide a product or service that competes with Craton's offerings. Without limitation, this includes:
- Providing an HSM, KMS, cryptographic appliance, or certificate authority product to third parties.
- Providing a managed or hosted cryptographic key-management or signing service.
- Creating, distributing, or selling a product whose primary function is cryptographic key storage, key management, or cryptographic operations.
- Providing FIPS 140-validated or Common-Criteria-certified cryptographic services using the Enterprise crates as a component.
- Offering consulting, integration, or support services for the Enterprise crates to third parties.
Any of those uses requires a commercial license from Craton Inc. Contact
licensing@craton.io.
Automatic conversion to Apache-2.0
Each released version auto-converts to Apache-2.0 on its Change
Date — the earlier of four years after that version's Git tag date
and a hard cap of 2030-03-13 (four years after the initial 0.1.0
release). The Change Date is fixed per version at the time of release
and does not shift with later patches.
| Version | Release date | Change Date | Change License |
|---|---|---|---|
| 0.1.0 | 2026-03-13 | 2030-03-13 | Apache-2.0 |
| 0.1.1 | 2026-04-17 | 2030-03-13 | Apache-2.0 |
New releases append rows to this table. Each entry's Change Date is the
value encoded into that version's LICENSE-BSL at release time and is
immutable thereafter.
From a version's Change Date forward, that specific version can be used for any purpose under Apache-2.0 terms, including commercial production. The hard cap ensures the entire 0.x series converts no later than 2030-03-13, independent of how many patch releases occur.
Why a source-available license?
The competing-use carve-out is what funds ongoing development of the
Enterprise integrations that most shops do not want to re-implement —
LDAP, OIDC, KMIP, Raft clustering, CSI, CNG, hardware vendor SDKs — and
the FIPS certification effort in particular. The automatic conversion
ensures that no version of the workspace is locked up permanently; BSL
is a time-delayed open-source license, not a proprietary one. See the
Enterprise README.md license section for Craton's own statement of
intent.
Contributor License Agreement
All contributors to either repository sign the Craton Inc. Contributor License Agreement (CLA) before their first pull request can be merged. This is a one-time requirement per GitHub account, signed via the CLA Assistant bot comment on the PR itself.
The CLA grants Craton Inc. two things:
- Copyright license. A perpetual, worldwide, non-exclusive, royalty-free, irrevocable copyright license to reproduce, modify, distribute, sublicense, and prepare derivative works of your contribution.
- Patent license. A perpetual, worldwide, non-exclusive, royalty-free, irrevocable patent license covering patents necessarily infringed by your contribution.
It does not transfer copyright. You retain the copyright on your own contribution and may use it for any other purpose. The CLA exists so that Craton Inc. can offer the Enterprise dual-license model — without it, relicensing your contribution into BSL-1.1 Enterprise code would require per-contributor sign-off at each release.
By signing the CLA you represent that:
- You are legally entitled to grant the license (including employer permission if applicable).
- Each contribution is your original work.
- Your contribution discloses any third-party license or restriction you are aware of.
The full CLA text is in craton-hsm-core/CLA.md.
Third-Party License Inventory
Craton HSM depends on many open-source libraries, most of which are
Apache-2.0 or MIT (or dual-licensed). A per-dependency inventory is
maintained at
craton-hsm-enterprise/THIRD_PARTY_LICENSES.md,
covering cryptographic libraries (aws-lc-rs, openssl, cryptoki,
rsa, p256, p384, SHA and HMAC crates, zeroize), infrastructure
crates (serde, thiserror, tokio, tonic), and the KMIP / auth /
cluster dependency stack.
For the Core workspace, the equivalent inventory is generated on demand
from the Cargo.lock via cargo about generate as part of the release
pipeline; it is attached to each GitHub Release as a license report and
is also available in the SPDX and CycloneDX SBOMs shipped with
Enterprise releases.
deny.toml in each repository drives cargo-deny in CI: it enforces an
allowlist of acceptable licenses (Apache-2.0, MIT, BSD-2-Clause,
BSD-3-Clause, ISC, Unicode-DFS-2016, MPL-2.0 with a carve-out) and
rejects GPL-family licenses outright.
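The shape such a policy takes in cargo-deny's configuration, as an added illustration rather than the actual deny.toml from either repository: the allowlist mirrors the identifiers named above, everything not listed (including the GPL family) is rejected, and MPL-2.0 is admitted only for a single named crate. The crate name in the exception is a placeholder, since this page does not say which dependency the carve-out covers.

```toml
# Illustrative deny.toml license section (added example, not the
# repository's own file). cargo-deny rejects any dependency whose license
# expression is not satisfied by the `allow` list, so the GPL family is
# kept out by omission rather than by enumerating each GPL variant.
[licenses]
allow = [
    "Apache-2.0",
    "MIT",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
]
# Minimum confidence cargo-deny must have when it infers an SPDX
# identifier from a bundled license text instead of Cargo metadata.
confidence-threshold = 0.93

# MPL-2.0 is deliberately absent from the global allowlist; it is
# permitted only for one named crate. "example-mpl-crate" is a
# placeholder, not a real dependency of Craton HSM.
[[licenses.exceptions]]
name = "example-mpl-crate"
allow = ["MPL-2.0"]
```

Running `cargo deny check licenses` against a workspace with this file fails the build on any crate whose license is not covered, which is the behaviour the CI gate described above relies on; adding a second MPL-2.0 dependency would require a second exceptions entry rather than silently widening the allowlist.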
Related Pages
- ../enterprise/licensing — additional Enterprise-side licensing guidance and commercial-license contact details.
- ../fips/certification-plan — how FIPS 140-3 submission interacts with the BSL Additional Use Grant.
- governance — trademark policy for the "Craton" and "Craton HSM" names.
- contributing — developer workflow and CLA mechanics.
Contact
- Commercial licensing, BSL exceptions, trademark: licensing@craton.io.
- Support contracts: support@craton.io.
- General questions about OSS usage of Core: the public issue tracker on craton-co/craton-hsm-core.