Cryptography-as-a-Service Platform
Production-grade encryption, scanning, and key management. Post-quantum ready.
CLI and SDK — pip install cryptoserve gives you a standalone toolchain for cryptographic scanning (90+ patterns), CBOM generation (CycloneDX, SPDX), dependency analysis, offline encryption/decryption, password hashing, certificate management, and CI/CD policy gates. No server required. Supports post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA).
Platform — the self-hosted server adds centralized key management with automatic rotation and HSM/KMS backends, a 5-layer context model for automatic algorithm selection, a declarative policy engine, multi-tenant isolation, audit logging with SIEM integration, FIPS 140-2/3 compliance modes, and a dashboard for security posture and quantum readiness.
```bash
pip install cryptoserve
```

```bash
cryptoserve scan .                                       # 90+ cryptographic patterns
cryptoserve cbom --format cyclonedx --output cbom.json   # Generate CBOM
cryptoserve pqc                                          # PQC readiness assessment
```

```bash
cryptoserve encrypt "secret message" --password mypassword
cryptoserve decrypt "<output>" --password mypassword
cryptoserve hash-password "mypassword"                   # scrypt hash
```

All CLI commands work offline. No server required. See the full CLI reference for all flags and examples.
| Command | Description |
|---|---|
| `scan` | Scan for 90+ cryptographic patterns, SARIF output |
| `deps` | Dependency crypto analysis |
| `cbom` | Generate CBOM (CycloneDX, SPDX) |
| `pqc` | Post-quantum readiness assessment |
| `gate` | CI/CD policy enforcement (`--policy strict`, `--staged`) |
| `push` | Upload CBOM to dashboard |
| `encrypt` / `decrypt` | Password-based encryption (strings and files) |
| `hash-password` | scrypt / PBKDF2 password hashing |
| `token` | Generate JWT tokens |
| `certs` | CSR generation, self-signed certs, certificate parsing |
The SDK connects to a running CryptoServe server for managed keys and context-aware algorithm selection.
```python
from cryptoserve import CryptoServe

crypto = CryptoServe(app_name="my-app", team="platform")

# Encrypt / Decrypt
ciphertext = crypto.encrypt(b"data", context="user-pii")
plaintext = crypto.decrypt(ciphertext, context="user-pii")

# Sign / Verify
signature = crypto.sign(b"document", key_id="signing-key")
valid = crypto.verify_signature(b"document", signature, key_id="signing-key")

# Hash
digest = crypto.hash(b"data", algorithm="sha3-256")
```

Runtime usage hints let the platform select optimal algorithms per use case:

```python
crypto.encrypt(data, context="customer-pii", usage="at_rest")    # AES-256-GCM
crypto.encrypt(data, context="customer-pii", usage="streaming")  # ChaCha20-Poly1305
```

See the Python SDK docs for the full API.
The self-hosted server extends the CLI with centralized management, policy enforcement, and compliance features.
| Feature | Description |
|---|---|
| Key Management | Automatic rotation, versioning, HKDF derivation, Shamir secret sharing, HSM/KMS backends |
| Context Model | 5-layer algorithm selection based on sensitivity, compliance, threats, access patterns, and technical constraints |
| Policy Engine | Declarative rules, CI/CD gate checks, compliance enforcement |
| Multi-Tenancy | Per-tenant isolation with separate keys and policies |
| Audit & Compliance | Operation logging, SIEM integration, FIPS 140-2/3 modes |
| Dashboard | Security posture overview, quantum readiness, migration advisor |
| Identity & RBAC | OAuth (GitHub/Google/Azure/Okta), role-based access, SDK token management |
| Algorithms | AES-256-GCM, ChaCha20-Poly1305, AES-XTS, ECIES, RSA-OAEP, Ed25519, ECDSA, RSA-PSS, ML-DSA, SHA-2/3, BLAKE2b/3, Argon2id, bcrypt, ML-KEM-768/1024, ML-DSA-44/65/87, SLH-DSA |
```bash
docker run -d -p 8003:8003 -p 3000:3000 -v cryptoserve-data:/data ghcr.io/ecolibria/crypto-serve
```

API: http://localhost:8003 | Dashboard: http://localhost:3000
Uses SQLite and dev mode for zero-config startup. Mount /data to persist the database across restarts. For production deployments with PostgreSQL, use the multi-container setup below.
```bash
curl -fsSL https://raw.githubusercontent.com/ecolibria/crypto-serve/main/scripts/quickstart.sh | sh
```

This downloads the compose file, generates random secrets, pulls pre-built images from GHCR, and starts the stack (PostgreSQL + backend + frontend). No clone required.
API: http://localhost:8003 | Dashboard: http://localhost:3003
Configuration is in cryptoserve/.env. Edit it to add GitHub OAuth, switch to production mode, or change ports.
```bash
git clone https://github.com/ecolibria/crypto-serve.git
cd crypto-serve
cp .env.example .env
docker compose up -d
```

The default .env runs in dev mode (DEV_MODE=true), which bypasses GitHub OAuth for local development. See the production deployment guide for hardened configuration.
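A pre-deployment check for the dev-mode default described above, as an added example that is not part of the CryptoServe project: it reads a dotenv file and fails unless `DEV_MODE` is explicitly off. Only the `DEV_MODE` key comes from this page; the function names, the accepted boolean spellings and the fail-closed handling of an unset key are assumptions.

```bash
# Added example (not CryptoServe code): block a deploy while dev mode is on.
# Only the DEV_MODE key comes from the page; env_value/check_env and the
# accepted boolean spellings are assumptions made for this example.

# Print the effective value of key $1 in dotenv file $2 (last assignment wins).
env_value() {
    awk -v key="$1" '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^[ \t]*#/ { next }                   # commented-out assignments do not count
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr(line, eq + 1)
            sub(/[ \t]+#.*$/, "", v)          # drop a trailing comment
            sub(/^[ \t"'\'']+/, "", v)        # trim leading blanks and quotes
            sub(/[ \t"'\'']+$/, "", v)        # trim trailing blanks and quotes
            val = v; found = 1
        }
        END { if (found) print val }
    ' "$2"
}

# 0 = DEV_MODE explicitly off, 1 = dev mode on, 2 = cannot tell (fail closed).
check_env() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    v=$(env_value DEV_MODE "$1" | tr '[:upper:]' '[:lower:]')
    case $v in
        true|1|yes|on)
            echo "FAIL: DEV_MODE=$v in $1, OAuth login is bypassed" >&2; return 1 ;;
        false|0|no|off)
            return 0 ;;
        *)
            echo "FAIL: DEV_MODE unset or unrecognised in $1" >&2; return 2 ;;
    esac
}

# Usage in a deploy job: check_env .env || exit 1
```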
| Resource | Description |
|---|---|
| Getting Started | Installation and quickstart |
| CLI Reference | All CLI commands, flags, and examples |
| Python SDK | SDK reference and examples |
| API Reference | REST API documentation |
| Architecture | Context model, policy engine, key management |
| Post-Quantum | ML-KEM, ML-DSA, SLH-DSA, hybrid key exchange |
| Security | FIPS compliance, threat model, technical reference |
| Guides | Encryption, key rotation, compliance, PQC migration |
Report vulnerabilities to info@cryptoserve.dev or via GitHub Security Advisories.
See SECURITY.md and Technical Reference.
See CONTRIBUTING.md for guidelines.
Apache License 2.0. See LICENSE.