Crate hardware_enclave

Hardware-backed key management and in-process memory protection.

This crate provides two independently usable capability sets:

§Memory protection (features = ["memory"])

Available with default-features = false, features = ["memory"] — no platform HSM, no TPM, no Secure Enclave, no key storage. Only depends on aes-gcm, rand, zeroize, sha2, libc, and subtle.

  • SecureBuffer — guard-paged, mlock’d buffer; memory never swaps to disk
  • LockedBuffer — Arc-wrapped secret with global zeroize-on-shutdown registry
  • MemoryEnclave — AES-256-GCM sealed in-memory secret with hot-cache tier
  • TieredPool / pool_acquire — pool of locked memory slots for key material
  • harden_process — disable core dumps, restrict ptrace, set no-new-privs

use hardware_enclave::{harden_process, SecureBuffer, MemoryEnclave, init_pool};

harden_process();
init_pool(hardware_enclave::TieredPoolConfig::default())?;
let buf = SecureBuffer::new(32)?; // 32 bytes, guard-paged
let enc = MemoryEnclave::seal(b"secret key material")?;
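
What the three steps listed for harden_process commonly correspond to on Linux, with a read-back check that they took effect. This is an added example, not the crate's own code: the mapping to setrlimit and prctl is an assumption, and harden_linux and hardening_state are hypothetical names.

```rust
// Added example (Linux, std only); the syscall mapping is an assumption, not the crate's code.
use std::io;
use std::os::raw::{c_int, c_ulong};

#[repr(C)]
struct RLimit { soft: c_ulong, hard: c_ulong } // C `struct rlimit`
const RLIMIT_CORE: c_int = 4;
const PR_GET_DUMPABLE: c_int = 3;
const PR_SET_DUMPABLE: c_int = 4;
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const PR_GET_NO_NEW_PRIVS: c_int = 39;
const NONE: c_ulong = 0; // unused prctl arguments must be zero

unsafe extern "C" {
    fn setrlimit(resource: c_int, rlim: *const RLimit) -> c_int;
    fn getrlimit(resource: c_int, rlim: *mut RLimit) -> c_int;
    fn prctl(option: c_int, ...) -> c_int;
}

fn check(ret: c_int) -> io::Result<c_int> {
    if ret < 0 { Err(io::Error::last_os_error()) } else { Ok(ret) }
}

/// Hypothetical stand-in for the three steps listed for `harden_process`.
pub fn harden_linux() -> io::Result<()> {
    let zero = RLimit { soft: 0, hard: 0 };
    unsafe {
        check(setrlimit(RLIMIT_CORE, &zero))?; // no core files: soft and hard limit both 0
        check(prctl(PR_SET_DUMPABLE, NONE))?; // non-dumpable: unprivileged ptrace attach is refused
        // Covers the calling thread and everything it creates later, so call it first in main().
        check(prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, NONE, NONE, NONE))?;
    }
    Ok(())
}

/// Reads the state back: (largest core size allowed, dumpable flag, no_new_privs flag).
pub fn hardening_state() -> io::Result<(u64, c_int, c_int)> {
    let mut lim = RLimit { soft: 0, hard: 0 };
    unsafe {
        check(getrlimit(RLIMIT_CORE, &mut lim))?;
        let dumpable = check(prctl(PR_GET_DUMPABLE, NONE, NONE, NONE, NONE))?;
        let no_new_privs = check(prctl(PR_GET_NO_NEW_PRIVS, NONE, NONE, NONE, NONE))?;
        Ok((lim.soft.max(lim.hard) as u64, dumpable, no_new_privs))
    }
}

fn main() -> io::Result<()> {
    harden_linux().and_then(|_| hardening_state()).map(|s| println!("{:?}", s))
}
```

Reading the state back at startup turns a silently failed hardening call into a visible error before any secret is loaded.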

§Hardware key management (features = ["signing", "encryption"])

ECDSA P-256 signing and ECIES P-256 encryption backed by the platform HSM (macOS Secure Enclave, Windows TPM 2.0, Linux TPM 2.0 / keyring). Keys never leave the hardware. User-presence enforcement (Touch ID, Windows Hello) built in.

// Requires `features = ["signing"]` (included in the default feature set).
use hardware_enclave::{EnclaveConfig, create_signer, AccessPolicy};

let config = EnclaveConfig::new("myapp", "default");
let signer = create_signer(&config)?;
let pubkey = signer.generate_key("default", AccessPolicy::Any)?;
let sig = signer.sign("default", b"hello world")?;

§Memory pool initialization

The global memory pool is lazily initialized on first use. For reliable startup-time error reporting, call init_pool() explicitly before using any MemoryEnclave or pool_acquire() operations.

Re-exports§

pub use error::Error;
pub use error::Result;
pub use hardening::harden_process;
pub use memory::coffer_view;
pub use memory::init_pool;
pub use memory::pool_acquire;
pub use memory::pool_release;
pub use memory::zeroize_all_registered_at_shutdown;
pub use memory::LockedBuffer;
pub use memory::MemoryEnclave;
pub use memory::PoolSlot;
pub use memory::SecureBuffer;
pub use memory::TieredPool;
pub use memory::TieredPoolConfig;
pub use auth::platform_auth_capabilities;
pub use auth::AuthCapabilities;
pub use auth::AuthHandle;
pub use capabilities::has_keychain_entitlement;
pub use capabilities::is_binary_signed;
pub use capabilities::security_capabilities;
pub use capabilities::SecurityCapabilities;
pub use config::EnclaveConfig;
pub use config::LinuxConfig;
pub use config::MacOsConfig;
pub use config::PlatformConfig;
pub use config::WindowsConfig;
pub use config::WindowsSoftwareFallback;
pub use credential::classify_credential;
pub use credential::CredentialState;
pub use credential::LifecyclePolicy;
pub use encryption::EncryptorHandle;
pub use exec::IntegrationType;
pub use exec::SecureProcess;
pub use exec::TempSecretFile;
pub use factory::create_auth;
pub use factory::create_encryptor;
pub use factory::create_security_key;
pub use factory::create_signer;
pub use factory::create_tamper_evident;
pub use factory::create_tamper_evident_ephemeral;
pub use integrity::IntegrityMode;
pub use integrity::TamperEvidentHandle;
pub use integrity::VerifyOutcome;
pub use security_key::SecurityKeyHandle;
pub use security_key::SecurityKeyInfo;
pub use security_key::SecurityKeySignature;
pub use signing::SignerHandle;
pub use types::AccessPolicy;
pub use types::BackendKind;
pub use types::KeyInfo;
pub use types::KeyType;
pub use types::PresenceMode;
pub use types::PresenceOptions;

Modules§

auth
bridge_server
JSON-RPC TPM bridge server for WSL2→Windows TPM routing.
capabilities
config
credential
diagnostics
Platform diagnostics for troubleshooting hardware key management failures.
encryption
error
exec
factory
fs
Filesystem helpers for atomic writes and permission management.
hardening
Process hardening — available in all build configurations including memory-only.
integrity
memory
Page-guarded, mlock’d memory buffers for secret material.
process
Process hardening, trusted binary discovery, and timeout utilities.
security_key
Hardware security key (FIDO2/WebAuthn) credentials via the Windows Hello platform authenticator.
shell
Shell config block injection and path/value quoting.
signing
types
wsl
WSL environment detection and shell integration for Windows-hosted apps.

Structs§

Zeroizing
Zeroizing is a wrapper for any Z: Zeroize type which implements a Drop handler which zeroizes dropped values.