Skip to main content

NaCl + PKCS#11 crypto provider for Swarmauri

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_crypto_nacl_pkcs11 Discord

Swarmauri Crypto NaCl PKCS#11

swarmauri_crypto_nacl_pkcs11 is a hybrid crypto provider that combines PyNaCl for X25519 sealed-box operations with python-pkcs11 for AES key wrapping. The provider implements the CryptoBase contract and is discoverable via the swarmauri.cryptos entry-point as NaClPkcs11Crypto.

Supported operations

  • AES-GCM authenticated encryption via encrypt/decrypt using symmetric KeyRef material that is exactly 16, 24, or 32 bytes long.
  • AES Key Wrap (AES-KW) via wrap/unwrap against an HSM-protected key. The PKCS#11 session is resolved from the KeyRef.tags (module, slot_label, user_pin, label) or the environment variables PKCS11_MODULE, PKCS11_SLOT_LABEL, PKCS11_USER_PIN, and PKCS11_KEK_LABEL.
  • X25519 sealed boxes via seal/unseal and encrypt_for_many, enabling single or multi-recipient payload distribution. When additional authenticated data (AAD) is supplied the envelope is rebound with AES-GCM before delivery.

Installation

Choose the workflow that matches your project:

pip install swarmauri_crypto_nacl_pkcs11
poetry add swarmauri_crypto_nacl_pkcs11
uv add swarmauri_crypto_nacl_pkcs11

Usage

All cryptographic methods are asynchronous. The quick-start example below performs an AES-GCM round trip using a 256-bit symmetric key.

import asyncio

from swarmauri_crypto_nacl_pkcs11 import NaClPkcs11Crypto
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse


async def main() -> None:
    crypto = NaClPkcs11Crypto()

    symmetric_key = KeyRef(
        kid="sym1",
        version=1,
        type=KeyType.SYMMETRIC,
        uses=(KeyUse.ENCRYPT, KeyUse.DECRYPT),
        export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
        material=b"\x00" * 32,
    )

    ciphertext = await crypto.encrypt(symmetric_key, b"hello")
    plaintext = await crypto.decrypt(symmetric_key, ciphertext)
    assert plaintext == b"hello"


asyncio.run(main())

Sealed box key exchange

seal and encrypt_for_many expect X25519 KeyRef instances. Provide the public key bytes via KeyRef.public for recipients and the private key bytes via KeyRef.material for unsealing. Each recipient receives an opaque sealed payload generated with nacl.public.SealedBox.

PKCS#11-backed key wrapping

wrap and unwrap require a key-encryption-key (KEK) stored in the configured PKCS#11 slot. Supply connection details through KeyRef.tags or environment variables as described above. The wrapped material is returned as a WrappedKey using the AES-KW algorithm.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_crypto_nacl_pkcs11-0.11.0.dev1.tar.gz (9.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file swarmauri_crypto_nacl_pkcs11-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_crypto_nacl_pkcs11-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 9.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_crypto_nacl_pkcs11-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 4ab9466252e82fb5aeb6f569c27ee113e38bd913488c1d4bd202aafcc49d34ed
MD5 2ac80bd0ab8dd7ed465e203463207ce9
BLAKE2b-256 58c124fdfeeeeb22dacafe2f12983ef3fe215ba00d437fb64e0c5e7df1cbac1b

See more details on using hashes here.

File details

Details for the file swarmauri_crypto_nacl_pkcs11-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_crypto_nacl_pkcs11-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 10.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_crypto_nacl_pkcs11-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 438a94953efa7492a8e9ddbb5b1d9a51a3a9079e2822c6ebecedd918a2d929a1
MD5 50e03e8a249f553a26b12b5a8b7287c7
BLAKE2b-256 9f83b0eb3339703f283ff23c4f73232ff27e87b94c6fac2fb552071ab3e750f3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page