

1// Copyright 2026 Jay Gowdy
2// SPDX-License-Identifier: MIT
3
4//! Hardware-backed key management and in-process memory protection.
5//!
6//! The `hardware_enclave` crate provides two distinct capabilities:
7//!
8//! **Hardware key management** — ECDSA P-256 signing and ECIES P-256 encryption
9//! backed by the platform hardware security module (macOS Secure Enclave,
10//! Windows TPM 2.0, Linux TPM 2.0 / keyring). With a hardware backend, keys never leave the hardware; the Linux keyring path and the Windows software fallback ([`WindowsSoftwareFallback`]) are software-backed, so consult [`BackendKind`] when the hardware guarantee matters.
11//! User-presence enforcement (Touch ID, Windows Hello) is built in; see [`AccessPolicy`], [`PresenceMode`] and [`PresenceOptions`] for how it is configured per key.
12//!
13//! **In-process memory protection** — guard-paged, mlock'd buffers
14//! ([`SecureBuffer`]), Arc-wrapped thread-safe secret storage ([`LockedBuffer`]),
15//! AES-256-GCM in-memory sealed secrets ([`MemoryEnclave`]), and a tiered pool
16//! of locked memory slots ([`pool_acquire`]). Ported from
17//! [asherah-ffi](https://github.com/godaddy/asherah-ffi), these components
18//! defend against heap-scraping attacks on long-lived processes (secrets being swapped out, captured in crash dumps, or reached by stray reads); they do not protect against an attacker who can already read the process's memory with debugger or kernel privileges.
19//!
20//! Both capabilities compose: decrypted key material returned from the HSM layer
21//! can be placed directly into a [`SecureBuffer`] or [`MemoryEnclave`], and [`Zeroizing`] is re-exported so any intermediate copy is wiped when dropped.
22//!
23//! # Quick start
24//!
25//! ```no_run
26//! use hardware_enclave::{EnclaveConfig, create_signer, AccessPolicy};
27//!
28//! let config = EnclaveConfig::new("myapp", "default");
29//! let signer = create_signer(&config)?;
30//! let pubkey = signer.generate_key("default", AccessPolicy::Any)?;
31//! let sig = signer.sign("default", b"hello world")?;
32//! # Ok::<(), hardware_enclave::Error>(())
33//! ```
34//!
35//! # Memory pool initialization
36//! The global memory pool is lazily initialized on first use, so a failure to set it up would otherwise
37//! only surface at the first [`MemoryEnclave`] or [`pool_acquire()`] call. To report such failures at
38//! startup instead, call [`init_pool()`] explicitly before any [`MemoryEnclave`] or [`pool_acquire()`] operation.
39
40pub(crate) mod internal;
41
42pub mod auth;
43pub mod capabilities;
44pub mod config;
45pub mod credential;
46pub mod encryption;
47pub mod error;
48pub mod exec;
49pub mod factory;
50pub mod fs;
51pub mod integrity;
52pub mod memory;
53pub mod process;
54pub mod security_key;
55pub mod shell;
56pub mod signing;
57pub mod types;
58pub mod wsl;
59
60// Top-level re-exports for ergonomic use.
61pub use auth::{platform_auth_capabilities, AuthCapabilities, AuthHandle};
62pub use capabilities::{
63    has_keychain_entitlement, is_binary_signed, security_capabilities, SecurityCapabilities,
64};
65pub use config::{
66    EnclaveConfig, LinuxConfig, MacOsConfig, PlatformConfig, WindowsConfig, WindowsSoftwareFallback,
67};
68pub use credential::{classify_credential, CredentialState, LifecyclePolicy};
69pub use encryption::EncryptorHandle;
70pub use error::{Error, Result};
71pub use exec::{IntegrationType, SecureProcess, TempSecretFile};
72pub use factory::{
73    create_auth, create_encryptor, create_security_key, create_signer, create_tamper_evident,
74    create_tamper_evident_ephemeral,
75};
76pub use integrity::{IntegrityMode, TamperEvidentHandle, VerifyOutcome};
77pub use memory::{
78    coffer_view, init_pool, pool_acquire, pool_release, zeroize_all_registered_at_shutdown,
79    LockedBuffer, MemoryEnclave, PoolSlot, SecureBuffer, TieredPool, TieredPoolConfig,
80};
81pub use security_key::{SecurityKeyHandle, SecurityKeyInfo, SecurityKeySignature};
82pub use signing::SignerHandle;
83pub use types::{AccessPolicy, BackendKind, KeyInfo, KeyType, PresenceMode, PresenceOptions};
84pub use zeroize::Zeroizing;