**KeyMux**
Features
==============================================================
Easily and securely integrate secure key enclaves (hardware security
modules, smart cards, security tokens, secure elements, and
cryptoprocessors; local and network-attached) into your workflow. KeyMux
seamlessly connects where your keys are securely held with the tools you
wish could easily use them.
* Key Stores
  - Apple T2 Security Chip
  - HashiCorp Vault - with mTLS authentication using other enclaved keys
  - PIV Smartcards (coming soon)
  - KMIP Servers (coming soon)
* Application Agents & Adapters
  - OpenSSH Agent
  - PKCS #11 Module
  - GnuPG SC-Daemon
When private keys are exposed even momentarily to infrastructure software,
best practice is frequent key rotation. But this is costly, complex, a
common source of automated infrastructure issues, and an ideal target for
achieving persistence. Ultimately, key rotation doesn't address the root of
the problem--any private key visible outside a secure key enclave should be
presumed compromised from the very first moment; even asymmetric (RSA, ECC)
keys effectively become as vulnerable as software-embedded plaintext
passwords. Like FIDO for website authentication, KeyMux can help you deploy
an end-to-end hardware-secured key management and key usage solution for
your network and cloud infrastructure, without the confusion, complexity,
and unsafe compromises which have plagued enterprise key management for
decades. While newer secure enclave solutions such as laptop-integrated
secure elements, HashiCorp Vault, YubiKeys, and AWS KMS provide welcome
improvements in enclave usability, they only solve part of the problem, and
even exacerbate complexity with their disparate interfaces.
Example use cases:
* Now your team can use network-attached shared enclaved keys for AWS SSH
logins or PGP signing of software packages.
* Use enclaved keys from OpenSSL, Curl, and other commonly used software
supporting PKCS #11.
Screenshots
==============================================================
![Apple T2 with Certificate Signing Request Editor](img/T2_with_CSR_editor_overlapped_dark-20230510.2.png) ![HashiCorp Vault with mTLS](img/Vault_with_server_editor_overlapped_dark-20230510.2.png)
![SSH Agent Adapter](img/SSHAgent_dark-20230510.2.png) ![PKCS #11 Adapter](img/PKCS11_dark-20230510.2.png)
![GnuPG SC-Daemon Adapter](img/SCDaemon_dark-20230510.2.png)
Matrix
==============================================================
              | Apple T2    | HashiCorp Vault   | PIV Cards   | AWS KMS | KMIP
--------------|-------------|-------------------|-------------|---------|------
**OpenSSH**   | ECDSA       | ECDSA, RSA, EdDSA | Coming Soon | ""      | ""
**PKCS #11**  | ECDSA       | ECDSA, RSA        | Coming Soon | ""      | ""
**GnuPG**     | ECDSA, ECDH | ECDSA, RSA        | Coming Soon | ""      | ""
Notes:
* Apple T2 only supports NIST P-256 ECC keys.
* The HashiCorp Vault Transit engine does not support ECC key exchange (ECDH, X25519), nor the RSA decryption mode required by PGP.
* OpenSSH is supported through either an SSH Agent service or a PKCS #11 module.
* PKCS #11 support for ECDH and RSA decryption/encryption is forthcoming.
* GnuPG is supported through an SC-Daemon replacement adapter.
Platforms
==============================================================
KeyMux currently supports macOS. Support for Windows is planned for the near
future. Custom solutions for Linux user and server environments are
available. Please contact info@keymux.com for more details.
Download
==============================================================
KeyMux is [available on the Mac App Store](https://apps.apple.com/us/app/keymux/id6448807557).
Support
==============================================================
See our support page [here](support.html).
About
==============================================================
Hitzke Labs, LLC
220 Montgomery St, STE 1087
San Francisco, CA 94104
info@hitzkelabs.com
Privacy Policy
==============================================================
See our privacy policy [here](privacy.html).