Build Applications That Trust Data-in-Motion Across Cloud Services, Beyond Data Centers, Through Gateways.
Ockam has a simple developer experience and powerful primitives that orchestrate end-to-end encryption, key management, authorization policy enforcement, and mutual authentication between distributed applications - at massive scale.
Join our Open Source community, start a discussion, or file an issue - or just say Hello.
Let’s build an application, together, in this step-by-step guide to Ockam.
Sign up for Ockam Orchestrator and Build Trust across all of your applications and services.
Install Ockam using Homebrew, Docker, Terraform, or Rust’s Cargo.
Set Up an Ockam Project
Enroll with Ockam Orchestrator, and generate identity keys.
Move Data with Trust
Build a demo that creates an end-to-end encrypted, mutually authenticated communication between two local applications - via a round trip through the cloud.
Build Complex Infrastructure
A lot happened in this demo. We started two applications: an echo_service and an echo_client. Each is local, but imagine that these applications were in two separate private networks. Each application then generated a unique cryptographic identity and a Vault to protect it.
The echo_service used Ockam Orchestrator to register an address with an Ockam Relay. A Relay can transparently forward messages to echo_service - even if it is running behind a NAT without an exposed port.
The echo_service started a Secure Channel Listener and waited for an authenticated channel to be established.
Next, the echo_client used Ockam Orchestrator to create a mutually authenticated, end-to-end encrypted, bi-directional Secure Channel to the echo_service.
Now that the applications have built Trust, echo_client can send a "Hello Ockam" message, and echo_service can echo "Hello Ockam" back.
Features of Ockam
Managing data in motion is really, really hard. We’ve thought of the details and have reduced the vulnerability surface of your data to something manageable.
Stripe did it for payment rails.
Twilio did it for telecom.
Ockam abstracts away complex infrastructure and cryptography orchestration to empower millions of developers.
Ockam is built for enterprise scale.
Add-ons are ready-made connectors to your hosted authentication, database, and message broker services.
Ockam’s protocols become ever more secure through transparency, community feedback, and scrutiny.
Add-ons can be built by anyone to create new hardware key vaults or cloud service connectors.
Ockam messaging is *actually* end-to-end encrypted, so it can trustfully move data across networks that should not be trusted.
Transports are agnostic and pluggable so Ockam’s protocols can work across any network topology.
Private keys are created inside of all of your applications. They never leave the hardware environment.
Orchestration, revocation, and rotation of keys are built in, so you have one less thing to worry about.
BYO Auth Engine
Ockam Add-ons empower you to use your existing authentication and attribute-based access control (ABAC) authorization tools.
Bring your own Okta, Auth0, OAuth, AWS, Azure, Google or Web3 IAM tools. Ockam has an Add-on for that!
How is Ockam Used?
Ockam can, and should, be used between every application, everywhere.
Orchestrate at Scale
Modern applications are made up of an unmanageable number of ephemeral microservices. They are distributed, multi-cloud, and rely upon dozens of cloud marketplace services. With so many endpoints that need to interoperate, it’s become impossible to manage.
Ockam’s key generation and handshake protocols allow for dynamic, massive-scale orchestrations across complex network topologies.
Get Out of the Middle
You are building an app that moves data from over-there to over-there. Perhaps it’s a message service like Kafka or RabbitMQ?
You don’t want to be liable for data that moves through your service, particularly if it is HIPAA or PCI protected data!
Ockam’s end-to-end encryption originates at the data-source and terminates at the data-target, so your app-in-the-middle cannot decipher data-in-motion.
Trust Anything, Anywhere
If you access data in a VPC, you are exposing your applications to threats by exposing your VPC to the internet.
Ockam’s inlets and outlets create topologies that eliminate threats from the internet for applications in VPCs. Effectively, your data can move from VPC to VPC without exposing either application to the internet. Virtually, the applications are running next to each other in the same environment.
The Ockam Products
Ockam Open Source contains all of the cryptographic protocols, packages, and developer tools that a builder - of any skill or experience level - would require to move data between their applications with Trust. Ockam is committed to supporting the Open Source community through contributions to discussions and collective learning.
Ockam Orchestrator is a cloud-based, fully-managed service that enables companies to connect their distributed applications with ease. Orchestrator was built for enterprises that build big things. It can move massive amounts of data through dynamic and complicated architectures. If you are starting a new work project, you can be assured that Orchestrator will meet your needs as you move into production and then scale.
The Ockam Orchestrator was built for the Zero-Trust enterprise. Orchestrator Add-ons connect to Key Management, ABAC policy engines, Data Stores, and Messaging infrastructure, such as Confluent Cloud, InfluxData, Okta, Auth0, and KMS.
The Tools for Builders
- Manually-configurable Scale
- Cryptographic Protocols
- Ready-to-use Packages
- Community Supported
- Apache 2 License
The Service for Enterprises
- Automation-required Scale
- Company-wide Access Controls
- Message guarantees
- Add-on connectors
- AWS Marketplace