Hardware-backed signing, encryption, and in-process memory protection for Rust.
Supports macOS (Secure Enclave), Windows (TPM 2.0), Linux (TPM 2.0 / keyring), and WSL2. Private keys never leave the hardware. Touch ID and Windows Hello are built in.
The enclave crate is the public API — hardware key management,
FIDO2 security keys, tamper-evident files, and guard-paged memory protection.
→ crates/enclave/README.md — start here
```toml
[dependencies]
enclave = "0.1"
```

If you are building an application that wraps a third-party tool and injects hardware-backed secrets into it, see the delivery tier guide:
→ crates/enclave/DELIVERY_TIERS.md
Covers: SSH agent protocol, environment variable injection, temp file delivery, and credential source patterns — with guidance on when to use each.
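The SSH agent tier listed above, as an added example that is not part of the enclave crate or its delivery-tier guide: a minimal agent-protocol exchange in Rust using only std. Message numbers and the uint32-length wire encoding follow the SSH agent protocol draft (draft-miller-ssh-agent); the `HardwareSigner` trait and `MockSigner` are assumptions for illustration, and the mock's "signature" is a toy byte transform, not cryptography. The point it demonstrates is why this tier keeps secrets out of the wrapped tool: the client side only ever sends a public key blob plus data to sign, and only a signature comes back, so no message on the socket can carry private key material.

```rust
use std::io::{self, Read};

// Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
const SSH_AGENT_FAILURE: u8 = 5;
const SSH_AGENTC_REQUEST_IDENTITIES: u8 = 11;
const SSH_AGENT_IDENTITIES_ANSWER: u8 = 12;
const SSH_AGENTC_SIGN_REQUEST: u8 = 13;
const SSH_AGENT_SIGN_RESPONSE: u8 = 14;

/// Assumed interface (not the enclave crate's API): everything the agent needs
/// from a hardware-backed key. The private half is never an input, so nothing
/// in this file can leak it to the client side of the socket.
pub trait HardwareSigner {
    fn public_key_blob(&self) -> Vec<u8>;
    fn comment(&self) -> &str;
    /// Returns the already-encoded SSH signature blob, or None on refusal
    /// (for example the user declined the Touch ID / Windows Hello prompt).
    fn sign(&self, data: &[u8]) -> Option<Vec<u8>>;
}

/// Stand-in signer for the example. The "signature" is a toy XOR with the
/// secret and is NOT cryptography; a real signer calls the TPM / Secure Enclave.
pub struct MockSigner { secret: [u8; 8] }

impl MockSigner {
    pub fn new(secret: [u8; 8]) -> Self { MockSigner { secret } }
}

impl HardwareSigner for MockSigner {
    fn public_key_blob(&self) -> Vec<u8> { b"ssh-ed25519 AAAA-example-pub".to_vec() }
    fn comment(&self) -> &str { "mock hardware key" }
    fn sign(&self, data: &[u8]) -> Option<Vec<u8>> {
        Some(data.iter().enumerate().map(|(i, b)| b ^ self.secret[i % 8]).collect())
    }
}

// SSH wire encoding helpers: uint32 big-endian length followed by the bytes.
fn put_string(out: &mut Vec<u8>, s: &[u8]) {
    out.extend_from_slice(&(s.len() as u32).to_be_bytes());
    out.extend_from_slice(s);
}

fn get_u32(buf: &mut &[u8]) -> Option<u32> {
    if buf.len() < 4 { return None; }
    let v = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]);
    *buf = &buf[4..];
    Some(v)
}

fn get_string<'a>(buf: &mut &'a [u8]) -> Option<&'a [u8]> {
    let n = get_u32(buf)? as usize;
    if buf.len() < n { return None; }
    let (s, tail) = buf.split_at(n);
    *buf = tail;
    Some(s)
}

/// Client side: body of a SIGN_REQUEST asking the agent to sign `data` with `key_blob`.
pub fn build_sign_request(key_blob: &[u8], data: &[u8], flags: u32) -> Vec<u8> {
    let mut body = vec![SSH_AGENTC_SIGN_REQUEST];
    put_string(&mut body, key_blob);
    put_string(&mut body, data);
    body.extend_from_slice(&flags.to_be_bytes());
    body
}

/// Outer framing: every message on the socket is uint32 length + body.
pub fn frame(body: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(4 + body.len());
    put_string(&mut out, body);
    out
}

/// Read one framed message, refusing absurd lengths so a hostile client cannot
/// make the agent allocate gigabytes before it has parsed a single byte.
pub fn read_frame<R: Read>(r: &mut R, max_len: u32) -> io::Result<Vec<u8>> {
    let mut len = [0u8; 4];
    r.read_exact(&mut len)?;
    let n = u32::from_be_bytes(len);
    if n == 0 || n > max_len {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "bad frame length"));
    }
    let mut body = vec![0u8; n as usize];
    r.read_exact(&mut body)?;
    Ok(body)
}

// Parse the fields after the SIGN_REQUEST type byte: key blob, data, flags.
fn parse_sign_request(rest: &[u8]) -> Option<(&[u8], &[u8], u32)> {
    let mut rest = rest;
    let key = get_string(&mut rest)?;
    let data = get_string(&mut rest)?;
    let flags = get_u32(&mut rest)?;
    Some((key, data, flags))
}

/// Agent side: dispatch one request body and return the response body.
/// Malformed input yields SSH_AGENT_FAILURE rather than a panic.
pub fn handle_request(signer: &dyn HardwareSigner, body: &[u8]) -> Vec<u8> {
    match body.first() {
        Some(&SSH_AGENTC_REQUEST_IDENTITIES) => {
            let mut out = vec![SSH_AGENT_IDENTITIES_ANSWER];
            out.extend_from_slice(&1u32.to_be_bytes()); // nkeys
            put_string(&mut out, &signer.public_key_blob());
            put_string(&mut out, signer.comment().as_bytes());
            out
        }
        Some(&SSH_AGENTC_SIGN_REQUEST) => match parse_sign_request(&body[1..]) {
            // Sign only with the key the client named, and only if we hold it.
            Some((key, data, _flags)) if key == signer.public_key_blob().as_slice() => {
                match signer.sign(data) {
                    Some(sig) => {
                        let mut out = vec![SSH_AGENT_SIGN_RESPONSE];
                        put_string(&mut out, &sig);
                        out
                    }
                    None => vec![SSH_AGENT_FAILURE],
                }
            }
            _ => vec![SSH_AGENT_FAILURE],
        },
        _ => vec![SSH_AGENT_FAILURE],
    }
}

/// One full exchange over an in-memory "socket": frame the request, have the
/// agent read and handle it, and return the decoded response body.
pub fn round_trip(signer: &dyn HardwareSigner, request_body: &[u8]) -> io::Result<Vec<u8>> {
    let wire = frame(request_body);
    let body = read_frame(&mut wire.as_slice(), 256 * 1024)?;
    Ok(handle_request(signer, &body))
}
```

In a real deployment the agent listens on a Unix socket whose path is exported as `SSH_AUTH_SOCK`, and the wrapped tool talks to it through the standard ssh client, so the tool process never holds more than a socket descriptor; contrast that with the environment-variable and temp-file tiers, where the secret itself is present in the tool's memory or on disk.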
See crates/enclave/THREAT_MODEL.md for the full threat model, limitations, and residual risks.
Report vulnerabilities to security@godaddy.com or HackerOne.
The enclave crate is the public interface. The enclaveapp-* crates are
internal platform implementations.
| Crate | Role |
|---|---|
| enclave | Public API — the crate consumers import |
| enclaveapp-app-storage | Platform-detected signing / encryption |
| enclaveapp-app-adapter | Secret delivery substrate |
| enclaveapp-apple | macOS Secure Enclave (CryptoKit Swift bridge) |
| enclaveapp-windows | Windows TPM 2.0 (CNG) |
| enclaveapp-linux-tpm | Linux TPM 2.0 (tss-esapi) |
| enclaveapp-keyring | Linux keyring-encrypted P-256 keys |
| enclaveapp-bridge | JSON-RPC bridge protocol + WSL client |
| enclaveapp-tpm-bridge | Shared TPM bridge server |
| enclaveapp-wsl | WSL detection, distro config |
| enclaveapp-core | Traits, types, metadata, utilities |
| enclaveapp-cache | Shared binary cache format |
Requires Rust 1.75+. macOS builds require Xcode (Swift bridge compilation).
```sh
cargo build --workspace
cargo test --workspace
```

MIT — Copyright 2026 Jay Gowdy