Modern problems require modern solutions.
SoftHSMv2, the de facto open-source software HSM, is written in C++. Buffer overflows in attribute parsing, use-after-free in session lifecycle, double-free in error paths, data races in concurrent access — these are the root cause of real CVEs in cryptographic software.
Craton HSM is a PKCS#11 v3.0-compliant software HSM written entirely in Rust. A drop-in replacement for SoftHSMv2 as a dynamically loadable shared library (.so / .dll / .dylib) with 70+ C ABI exports. 41 cryptographic mechanisms including 9 post-quantum algorithms. 617+ tests across 33 suites including 46 PKCS#11 conformance tests.
v0.9.1 Security Polish: 11 security fixes from comprehensive ethical hacker audit. SP 800-90A HMAC_DRBG with prediction resistance, per-key AES-GCM nonce counters, genuine known-answer tests, all-zero IV early rejection, and 46 new PKCS#11 conformance tests.
FIPS 140-3 Level 1 Ready: 17 power-on self-tests (integrity + 16 KATs), FIPS Approved Mode restrictive policy, pairwise consistency tests on every keygen (§9.6), and algorithm indicator in all audit log entries (IG 2.4.C).
Post-Quantum Cryptography
ML-DSA-44/65/87 (FIPS 204), ML-KEM-512/768/1024 (FIPS 203), SLH-DSA (FIPS 205), and hybrid ML-DSA-65 + ECDSA composite signatures. 41 mechanisms including 9 PQC (SoftHSMv2 has zero).
Memory Safety by Design
Zero unsafe code in cryptographic paths. ZeroizeOnDrop on all key material. Constant-time PIN/HMAC comparison. Key bytes never appear in logs, debug output, or error messages.
Enterprise Deployment
Three deployment modes: in-process shared library (dlopen), gRPC daemon with mutual TLS, or Kubernetes sidecar with distroless container and Helm chart.
The Technical Edge
Why experts choose Craton HSM
FIPS 140-3 POST Self-Tests
17 tests on every C_Initialize: software integrity (HMAC-SHA256 of module binary), 16 known-answer tests (SHA-2/3, HMAC, AES-GCM/CBC/CTR, ECDSA, RSA-2048, ML-DSA-44, ML-KEM-768, DRBG), and continuous RNG health test.
10 Security Invariants
No panic crosses FFI. No key bytes in logs. No export when SENSITIVE=true. Constant-time PIN comparison. ZeroizeOnDrop on all keys. 5-state session FSM. Synchronous audit log. SP 800-90A DRBG. Zero unsafe in crypto.
Performance (Criterion)
Ed25519 sign: 43.79 us. AES-256-GCM 4KB: 3.633 us. RSA-2048 sign: 1.927 ms. ML-DSA-44 sign: 711.9 us. ML-KEM-768 encapsulate: 74.46 us. aws-lc-rs backend: RSA-2048 verify 8.3× faster, ECDSA verify 4.5× faster than RustCrypto.