Crate hardware_enclave 

Hardware-backed key management and in-process memory protection.

The enclave crate provides two distinct capabilities:

Hardware key management — ECDSA P-256 signing and ECIES P-256 encryption backed by the platform hardware security module (macOS Secure Enclave, Windows TPM 2.0, Linux TPM 2.0 / keyring). Keys never leave the hardware. User-presence enforcement (Touch ID, Windows Hello) is built in.

In-process memory protection — guard-paged, mlock’d buffers (SecureBuffer), Arc-wrapped thread-safe secret storage (LockedBuffer), AES-256-GCM in-memory sealed secrets (MemoryEnclave), and a tiered pool of locked memory slots (pool_acquire). Ported from asherah-ffi, these components defend against heap-scraping attacks on long-lived processes.

Both capabilities compose: decrypted key material returned from the HSM layer can be placed directly into a SecureBuffer or MemoryEnclave.

Quick start

use hardware_enclave::{EnclaveConfig, create_signer, AccessPolicy};

let config = EnclaveConfig::new("myapp", "default");
let signer = create_signer(&config)?;
let pubkey = signer.generate_key("default", AccessPolicy::Any)?;
let sig = signer.sign("default", b"hello world")?;

Memory pool initialization

The global memory pool is lazily initialized on first use. For reliable startup-time error reporting, call init_pool() explicitly before using any MemoryEnclave or pool_acquire() operations.

Re-exports

pub use auth::platform_auth_capabilities;

pub use auth::AuthCapabilities;

pub use auth::AuthHandle;

pub use capabilities::has_keychain_entitlement;

pub use capabilities::is_binary_signed;

pub use capabilities::security_capabilities;

pub use capabilities::SecurityCapabilities;

pub use config::EnclaveConfig;

pub use config::LinuxConfig;

pub use config::MacOsConfig;

pub use config::PlatformConfig;

pub use config::WindowsConfig;

pub use config::WindowsSoftwareFallback;

pub use credential::classify_credential;

pub use credential::CredentialState;

pub use credential::LifecyclePolicy;

pub use encryption::EncryptorHandle;

pub use error::Error;

pub use error::Result;

pub use exec::IntegrationType;

pub use exec::SecureProcess;

pub use exec::TempSecretFile;

pub use factory::create_auth;

pub use factory::create_encryptor;

pub use factory::create_security_key;

pub use factory::create_signer;

pub use factory::create_tamper_evident;

pub use factory::create_tamper_evident_ephemeral;

pub use integrity::IntegrityMode;

pub use integrity::TamperEvidentHandle;

pub use integrity::VerifyOutcome;

pub use memory::coffer_view;

pub use memory::init_pool;

pub use memory::pool_acquire;

pub use memory::pool_release;

pub use memory::zeroize_all_registered_at_shutdown;

pub use memory::LockedBuffer;

pub use memory::MemoryEnclave;

pub use memory::PoolSlot;

pub use memory::SecureBuffer;

pub use memory::TieredPool;

pub use memory::TieredPoolConfig;

pub use security_key::SecurityKeyHandle;

pub use security_key::SecurityKeyInfo;

pub use security_key::SecurityKeySignature;

pub use signing::SignerHandle;

pub use types::AccessPolicy;

pub use types::BackendKind;

pub use types::KeyInfo;

pub use types::KeyType;

pub use types::PresenceMode;

pub use types::PresenceOptions;

Modules

auth

capabilities

config

credential

encryption

error

exec

factory

fs

Filesystem helpers for atomic writes and permission management.

integrity

memory

Page-guarded, mlock’d memory buffers for secret material.

process

Process hardening, trusted binary discovery, and timeout utilities.

security_key

Hardware security key (FIDO2/WebAuthn) credentials via the Windows Hello platform authenticator.

shell

Shell config block injection and path/value quoting.

signing

types

wsl

WSL environment detection and shell integration for Windows-hosted apps.

Structs

Zeroizing

Zeroizing is a a wrapper for any Z: Zeroize type which implements a Drop handler which zeroizes dropped values.