This is a personal project, for the purpose of learning and also build a software based KSM with old and new crypto schemes; such as HD derivation or post-quantum FALCON signatures. It is not intended for production use, use at your own risk.
A secure, modern alternative to SoftHSM with HD wallet support, written in Rust.
Use Cases: Enterprise key management, HD wallet infrastructure, PKCS#11 HSM replacement, development/testing environments.
| Feature | SoftHSM | softKMS |
|---|---|---|
| Language | C | Rust (memory-safe) |
| HD Wallets | β | β BIP32/44 |
| Crypto | Fixed (RSA/ECC) | Pluggable (Ed25519, P-256, Falcon-512, Falcon-1024) |
| APIs | PKCS#11 only | PKCS#11 + gRPC + CLI |
| Deployment | Manual | Docker + systemd |
| Identity | Single user | Multi-identity with isolation |
- libclang-dev
git submodule update --init --recursive# Build
cargo build --release
# Start daemon
./target/release/softkms-daemon --foreground &
# Initialize with passphrase (admin)
./target/release/softkms init
# Create a client identity (for services/agents)
./target/release/softkms identity create --type ai-agent
# Token: <SAVE THIS!>
# Use token to generate keys (isolated to this identity)
./target/release/softkms --token <token> generate --algorithm ed25519 --label mykey
# Sign data
./target/release/softkms --token <token> sign --label mykey --data "Hello World"softKMS uses ECC public keys for identity and provides isolated access between clients:
- Admin (passphrase): Full access to all keys
- Clients (token): Access only to keys they create
- Isolation: Each identity's keys are namespace-isolated
# Create Ed25519 identity (default, fast)
$ softkms identity create --type ai-agent --description "Trading Bot"
Public Key: ed25519:MCowBQYDK2VwAyE...
Token: <SAVE THIS - never shown again!>
# Create P-256 identity (for PKCS#11 compatibility)
$ softkms identity create --type service --key-type p256
Public Key: p256:BL5a5tD5x0vM...
Token: <SAVE THIS># Set token environment variable
export SOFTKMS_TOKEN="..."
# Or pass directly
softkms --token <token> list
# PKCS#11 (use token as PIN)
pkcs11-tool --module libsoftkms.so --login --pin "<token>" --list-keysSee Identity Management for complete documentation.
- π Secure Key Storage - AES-256-GCM encrypted at rest with PBKDF2 key derivation
- π₯ Identity Isolation - Multi-tenant with ECC-based identities (Ed25519 default, P-256 optional)
- ποΈ Bearer Tokens - Simple token-based auth with ownership isolation
- π³ HD Wallet Support - BIP32/BIP44 hierarchical deterministic keys (Ed25519)
- π― Deterministic Derivation - P-256 for WebAuthn, Ed25519 BIP32/BIP44
- π₯ xPub Import - Import BIP32 extended public keys for watch-only wallets
- π Key Portability - Re-wrap keys for SSH/GPG use, never expose plaintext
- π‘οΈ Post-Quantum Crypto - Falcon-512 and Falcon-1024 signatures (NIST PQC standard)
- π Audit Logging - Complete operation trail with identity context
- π Multiple APIs - PKCS#11, gRPC, REST, and CLI interfaces
- π Modern Architecture - Async Rust with pluggable storage backends
- π³ Container-Ready - Docker and Kubernetes support
- π Memory Safe - Zeroization of sensitive data, secure memory handling
flowchart TB
subgraph "Client Environment"
CLI[CLI Client]
PKCS[PKCS#11 Module]
APP[Applications]
end
subgraph "Daemon Process"
API[API Layer<br/>gRPC & REST]
AUTH[Auth & Identity]
KEYS[Key Service &<br/>Crypto Engines]
SEC[Security Manager]
end
subgraph "Persistent Storage"
STORE[Encrypted File Storage]
end
CLI --> API
PKCS --> API
APP --> API
API --> AUTH
AUTH --> KEYS
KEYS --> SEC
SEC --> STORE
style Client Environment fill:#ffcccc
style Daemon Process fill:#ccffcc
style Persistent Storage fill:#ffffcc
Key Security Features:
- Process Isolation: Keys never leave the daemon process
- Client Isolation: CLI/PKCS#11 only send requests, receive signatures
- Encrypted at Rest: AES-256-GCM with PBKDF2 key derivation
| Component | Location | Key Files | Description |
|---|---|---|---|
| CLI Client | cli/src/ |
main.rs |
Command-line interface |
| gRPC API | src/api/ |
grpc.rs, auth.rs, interceptor.rs |
gRPC server & auth |
| REST API | src/api/ |
rest.rs |
HTTP REST endpoints |
| Identity | src/identity/ |
mod.rs, types.rs, storage.rs, validation.rs |
Token-based auth |
| Key Service | src/ |
key_service.rs |
Main key operations |
| Security | src/security/ |
mod.rs, master_key.rs, wrapper.rs |
Encryption, key wrapping |
| Crypto | src/crypto/ |
ed25519.rs, p256.rs, hd_ed25519.rs |
Signing algorithms |
| Falcon PQC | src/crypto/falcon/ |
mod.rs, bindings.rs |
Post-quantum signatures |
| PKCS#11 | src/pkcs11/ |
mod.rs, session.rs, rest_client.rs |
PKCS#11 provider |
| Storage | src/storage/ |
mod.rs, file.rs, encrypted.rs |
File-based storage |
| Audit | src/audit/ |
mod.rs |
Audit logging |
| HD Wallet | src/crypto/ |
hd_ed25519.rs, p256.rs |
BIP32/BIP44 derivation |
git clone https://github.com/your-org/softkms.git
cd softkms
cargo build --release
# Install binaries
sudo cp target/release/softkms-daemon /usr/local/bin/
sudo cp target/release/softkms /usr/local/bin/docker build -t softkms -f docker/Dockerfile .
docker run -p 50051:50051 softkms- Usage Guide - Complete CLI, PKCS#11, and HD wallet usage
- Identity Management - Multi-identity authentication and access control
- Architecture - System design and components
- Security Model - Security features and threat model
- API Reference - gRPC API documentation
# Initialize daemon (admin)
softkms init
# Generate keys as admin
softkms generate --algorithm ed25519 --label mykey
# Create client identity
softkms identity create --type ai-agent
# Import HD wallet seed
softkms --token <token> import-seed --mnemonic "word1 word2 ..." --label wallet
# Derive child keys
softkms --token <token> derive --algorithm ed25519 --seed wallet --path "m/44'/283'/0'/0/0" --label derived-key
# Sign and verify
softkms --token <token> sign --label mykey --data "message"
softkms --token <token> verify --label mykey --data "message" --signature "..."
# Export key to SSH format (re-wrapped with passphrase)
softkms export-ssh --label mykey --output ~/.ssh/id_ed25519
# Export key to GPG format
softkms export-gpg --label mykey --user-id "User <user@example.com>"
# PKCS#11 usage
pkcs11-tool --module libsoftkms.so --list-slots
pkcs11-tool --module libsoftkms.so --login --pin "<token>" --keypairgen --key-type EC:prime256v1# Run tests
cargo test
# Run specific test
cargo test --test pkcs11_e2e_tests
# Build release
./build.shVersion: v0.1 - Functional with Tests
Implemented:
- β Daemon with gRPC and REST APIs
- β Ed25519 and P-256 crypto engines
- β Falcon-512 and Falcon-1024 post-quantum signatures
- β HD wallet derivation (BIP32/44)
- β PKCS#11 compatibility layer
- β Encrypted file storage
- β CLI client
- β Multi-identity with token-based auth
- β Key ownership isolation
In Progress:
- π§ REST API (skeleton)
- π§ WebAuthn module (skeleton)
Future:
- TPM2 hardware integration
- HashiCorp Vault backend
- Prometheus metrics
- Custom policies per identity
softKMS uses industry-standard security practices:
- AES-256-GCM for key encryption at rest
- PBKDF2 with 210k iterations for master key derivation
- Ed25519 and P-256 for cryptographic operations
- Identity Isolation - Each client sees only their own keys
- Secure memory handling with automatic zeroization
- Key portability - Re-wrap keys for SSH/GPG use, never expose plaintext
- Audit logging - All operations logged with identity context
See SECURITY.md for details.
AGPLv3 License - See LICENSE file
Contributions welcome! Please read our Contributing Guide (TODO).
- π Documentation
- π Issue Tracker
- π¬ Discussions
Note: softKMS is currently in active development. APIs may change until v1.0.