ecolibria/cryptoserve

CryptoServe

Cryptography as a service. Post-quantum ready, FIPS 140-2/3 compliant, context-driven encryption with zero-config SDKs.

"Life is hard but cryptography doesn't have to be."

Website · Crypto Census · Docs · SDK · Platform


CryptoServe is an open-source cryptographic platform with three layers:

  • CLI -- Scan codebases for weak crypto, generate CBOMs, enforce CI/CD gates, encrypt files. Zero dependencies, works offline.
  • SDK -- Python and Node.js libraries for encryption, hashing, signatures, JWT tokens, and key exchange. Context-aware algorithm selection with post-quantum support (ML-KEM, ML-DSA, SLH-DSA).
  • Platform -- Self-hosted server with centralized key management, automatic rotation, policy enforcement, FIPS 140-2/3 compliance, and audit logging.

Try It Now

npx cryptoserve scan .

That's it. Scans your project for cryptographic libraries, algorithms, weak patterns, and hardcoded secrets across 6 languages. No config, no server, zero npm dependencies.

Found 4 crypto libraries, 3 source algorithms, 1 weak pattern
Quantum readiness: 40/100 (2 quantum-vulnerable algorithms)

Install

# Node.js (zero dependencies, Node 18+)
npm install -g cryptoserve

# Python
pip install cryptoserve

What It Does

Scan -- Find every cryptographic dependency, algorithm, weak pattern, and hardcoded secret in your codebase. Supports JavaScript/TypeScript, Go, Python, Java/Kotlin, Rust, and C/C++.

Assess -- Get a quantum readiness score with SNDL (Store Now, Decrypt Later) risk analysis and migration recommendations based on NIST FIPS 203/204/205 standards.

Generate -- Export a Cryptographic Bill of Materials (CBOM) in CycloneDX or SPDX format for supply chain compliance.

Enforce -- Add cryptoserve gate to your CI pipeline to block builds that use weak algorithms or fail quantum readiness thresholds.
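As an added illustration of the Scan, Assess and Generate steps above (this is not CryptoServe's own scanner, whose catalogue covers 130+ algorithms and six languages): a regex-based detector run over a few constructed source snippets, an SNDL-style risk classification with FIPS 203/204/205 migration hints, and a CycloneDX 1.6-style CBOM in which each algorithm becomes a `cryptographic-asset` component carrying its source occurrences as evidence. The catalogue, penalty weights and sample files are all constructed for the example.

```python
"""Added illustration of a scan -> assess -> generate pipeline.
Not CryptoServe's scanner: the catalogue, weights and sample files are constructed."""
import json
import re

# Constructed sample sources (not from any real project).
SAMPLE_FILES = {
    "auth/token.py": "import hashlib\n"
                     "digest = hashlib.md5(data).hexdigest()\n",
    "tls/handshake.go": 'import "crypto/rsa"\n'
                        "key, _ := rsa.GenerateKey(rand.Reader, 2048)\n",
    "kem/hybrid.rs": "use pqcrypto_kyber::kyber768;\n"
                     "use aes_gcm::Aes256Gcm;\n",
}

# Tiny catalogue (assumption: a real one covers far more algorithms).
#   weak    -> classically broken or deprecated
#   quantum -> "vulnerable" (Shor breaks it), "reduced" (Grover halves the
#              security level) or "safe" (post-quantum or 256-bit symmetric)
ALGORITHMS = {
    "MD5":         {"pattern": r"\bmd5\b",               "primitive": "hash", "weak": True,  "quantum": "reduced"},
    "RSA":         {"pattern": r"\brsa\b",               "primitive": "pke",  "weak": False, "quantum": "vulnerable"},
    "AES-256-GCM": {"pattern": r"Aes256Gcm|aes-256-gcm", "primitive": "ae",   "weak": False, "quantum": "safe"},
    "ML-KEM-768":  {"pattern": r"kyber768|ML-KEM-768",   "primitive": "kem",  "weak": False, "quantum": "safe"},
}
PENALTY = {"vulnerable": 30, "reduced": 10, "safe": 0}
MIGRATION = {"pke": "ML-KEM (FIPS 203)", "kem": "ML-KEM (FIPS 203)",
             "key-agree": "ML-KEM (FIPS 203)",
             "signature": "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)"}


def scan(files):
    """Scan: one finding per (file, line, algorithm) regex hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, spec in ALGORITHMS.items():
                if re.search(spec["pattern"], line, re.IGNORECASE):
                    findings.append({"file": path, "line": lineno, "algorithm": name})
    return findings


def assess(findings):
    """Assess: readiness score, SNDL risk and migration hints over distinct algorithms."""
    found = sorted({f["algorithm"] for f in findings})
    score = max(0, 100 - sum(PENALTY[ALGORITHMS[a]["quantum"]] for a in found))
    weak = [a for a in found if ALGORITHMS[a]["weak"]]
    vulnerable = [a for a in found if ALGORITHMS[a]["quantum"] == "vulnerable"]
    # Store-Now-Decrypt-Later only bites when a quantum-vulnerable *confidentiality*
    # primitive is in use: traffic captured today is decryptable once Shor is practical.
    sndl = "high" if any(ALGORITHMS[a]["primitive"] in ("pke", "kem", "key-agree")
                         for a in vulnerable) else "low"
    recommendations = [f"{a}: migrate to {MIGRATION[ALGORITHMS[a]['primitive']]}"
                       for a in vulnerable]
    return {"score": score, "weak": weak, "quantum_vulnerable": vulnerable,
            "sndl_risk": sndl, "recommendations": recommendations}


def generate_cbom(findings):
    """Generate: CycloneDX 1.6-style CBOM, one cryptographic-asset component per
    algorithm, every source hit recorded as an evidence occurrence."""
    components = {}
    for f in findings:
        name = f["algorithm"]
        comp = components.setdefault(name, {
            "type": "cryptographic-asset",
            "name": name,
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": ALGORITHMS[name]["primitive"]},
            },
            "evidence": {"occurrences": []},
        })
        comp["evidence"]["occurrences"].append({"location": f["file"], "line": f["line"]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": list(components.values())}


if __name__ == "__main__":
    findings = scan(SAMPLE_FILES)
    report = assess(findings)
    print(f"Found {len(findings)} algorithm uses, {len(report['weak'])} weak pattern(s)")
    print(f"Quantum readiness: {report['score']}/100 "
          f"({len(report['quantum_vulnerable'])} quantum-vulnerable, SNDL risk {report['sndl_risk']})")
    for line in report["recommendations"]:
        print("  -", line)
    print(json.dumps(generate_cbom(findings), indent=2))
```

Two design points worth noticing: the score and SNDL verdict are computed over distinct algorithms, not over every hit, so a single RSA key-transport path scores the same whether it appears once or fifty times; and MD5 lowers the score only mildly because Grover, unlike Shor, does not break a hash outright, while its classical weakness is reported separately through the `weak` list.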

Common Commands

cryptoserve scan .                          # Scan project (6 languages, 130+ algorithms)
cryptoserve scan . --binary                 # Include binary signature detection
cryptoserve pqc                             # Post-quantum readiness assessment
cryptoserve cbom --format cyclonedx         # Generate CBOM
cryptoserve gate . --fail-on-weak           # CI/CD quality gate
cryptoserve encrypt "secret" -p mypassword  # Offline encryption
cryptoserve hash-password --password mypass # Password hashing (CI mode)
cryptoserve vault set API_KEY sk-abc123     # Encrypted secret storage

See the full CLI reference for all commands and flags.

Built-in Help

cryptoserve help              # All commands and flags
cryptoserve scan --help       # Scan-specific options
cryptoserve --version         # Current version

Every command supports --help for detailed usage.

Supported Languages

| Language              | Manifest                         | Source Detection                                    |
|-----------------------|----------------------------------|-----------------------------------------------------|
| JavaScript/TypeScript | package.json                     | Imports, algorithm literals, weak patterns          |
| Go                    | go.mod                           | crypto/* stdlib, x/crypto, circl                    |
| Python                | requirements.txt, pyproject.toml | hashlib, cryptography, PyCryptodome                 |
| Java/Kotlin           | pom.xml                          | Cipher.getInstance, MessageDigest, KeyPairGenerator |
| Rust                  | Cargo.toml                       | aes-gcm, ring, ed25519-dalek, pqcrypto              |
| C/C++                 | --                               | OpenSSL EVP_*, RSA_*, SHA*_Init                     |

Use Cases

| Scenario                                                  | Command                                                      | Time |
|-----------------------------------------------------------|--------------------------------------------------------------|------|
| Audit codebase for weak crypto before compliance review  | cryptoserve scan . && cryptoserve cbom --format cyclonedx    | ~30s |
| Block quantum-vulnerable algorithms in CI                 | cryptoserve gate . --fail-on-weak --min-score 70             | ~10s |
| Assess post-quantum readiness for your organization       | cryptoserve pqc --profile healthcare --verbose               | ~5s  |
| Encrypt a file offline without any server                 | cryptoserve encrypt --file data.csv --password $SECRET       | ~1s  |
| Generate CBOM for supply chain compliance                 | cryptoserve cbom . --format spdx --output cbom.json          | ~15s |

CI/CD Integration

Add to any CI pipeline:

- name: Crypto gate
  run: npx cryptoserve gate . --fail-on-weak --max-risk medium --format sarif

The gate command exits non-zero when violations are found. Use --format sarif to upload results to GitHub's Security tab.

Exit Codes

| Code | Meaning                                                     |
|------|-------------------------------------------------------------|
| 0    | Success (scan clean, gate passed)                           |
| 1    | Failure (gate failed, crypto issues found, invalid input)   |
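As an added example of what a CI crypto gate has to do (not the code of the `gate` command itself): apply `--fail-on-weak` / `--min-score` style thresholds to a set of constructed findings, emit a SARIF 2.1.0 log of the kind GitHub code scanning ingests, and return the exit codes from the table above. The findings, rule ids, tool name and scoring weights are assumptions made for the example.

```python
"""Added illustration of a CI crypto gate: thresholds, SARIF output, exit code.
Not the cryptoserve gate command; findings, rule ids and weights are constructed."""
import json
import sys

# Constructed findings in the shape a scanner report might carry (not real output).
FINDINGS = [
    {"file": "auth/token.py",    "line": 2, "algorithm": "MD5",        "weak": True,  "quantum": "reduced"},
    {"file": "tls/handshake.go", "line": 2, "algorithm": "RSA",        "weak": False, "quantum": "vulnerable"},
    {"file": "kem/hybrid.rs",    "line": 1, "algorithm": "ML-KEM-768", "weak": False, "quantum": "safe"},
]

# Rule id -> (SARIF level, description). Assumed ids, not the real tool's.
RULES = {
    "weak-algorithm":     ("error",   "Classically broken or deprecated algorithm"),
    "quantum-vulnerable": ("warning", "Breakable by a cryptographically relevant quantum computer"),
}
PENALTY = {"vulnerable": 30, "reduced": 10, "safe": 0}


def readiness_score(findings):
    """Input to a --min-score style threshold: 100 minus a penalty per distinct algorithm."""
    distinct = {f["algorithm"]: f["quantum"] for f in findings}
    return max(0, 100 - sum(PENALTY[q] for q in distinct.values()))


def evaluate(findings, fail_on_weak=True, min_score=None):
    """Return (exit_code, violations): 0 = gate passed, 1 = gate failed."""
    violations = []
    for f in findings:
        if f["weak"]:
            violations.append(("weak-algorithm", f))
        if f["quantum"] == "vulnerable":
            violations.append(("quantum-vulnerable", f))
    failed = (fail_on_weak and any(rid == "weak-algorithm" for rid, _ in violations)) \
        or (min_score is not None and readiness_score(findings) < min_score)
    return (1 if failed else 0), violations


def to_sarif(violations, tool_name="crypto-gate-example"):
    """SARIF 2.1.0 log: one result per violation, with file and line so that
    code scanning can annotate the source after upload."""
    rules = [{"id": rid, "shortDescription": {"text": text},
              "defaultConfiguration": {"level": level}}
             for rid, (level, text) in RULES.items()]
    results = [{
        "ruleId": rid,
        "level": RULES[rid][0],
        "message": {"text": f"{f['algorithm']} at {f['file']}:{f['line']} ({rid})"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"]},
            "region": {"startLine": f["line"]}}}],
    } for rid, f in violations]
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                      "results": results}]}


if __name__ == "__main__":
    code, violations = evaluate(FINDINGS, fail_on_weak=True, min_score=70)
    print(json.dumps(to_sarif(violations), indent=2))  # redirect to results.sarif for upload
    sys.exit(code)  # non-zero fails the pipeline step
```

The SARIF log always lists every violation, including quantum-vulnerable uses that are only warnings, while the exit code is driven solely by the thresholds the pipeline asked for; that separation lets a team surface RSA usage in the Security tab today and tighten the gate with `--min-score` once a migration deadline is agreed.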

SDK Usage

Node.js SDK (offline, zero dependencies)

ES module SDK for local scanning, analysis, and encryption. No server required.

import { scanProject } from 'cryptoserve/lib/scanner.mjs';
import { analyzeOffline } from 'cryptoserve/lib/pqc-engine.mjs';
import { generateCbom, toCycloneDx } from 'cryptoserve/lib/cbom.mjs';
import { encrypt, decrypt } from 'cryptoserve/lib/local-crypto.mjs';

See the Node.js SDK README.

Python SDK v1.4.3 (server-connected)

The Python SDK adds managed key management and context-aware algorithm selection when connected to a CryptoServe server:

pip install cryptoserve                  # Basic
pip install "cryptoserve[password]"      # With argon2 support (quoted so the shell does not glob the brackets)

from cryptoserve import CryptoServe

crypto = CryptoServe(app_name="my-app", team="platform")

ciphertext = crypto.encrypt(b"data", context="user-pii")
plaintext = crypto.decrypt(ciphertext, context="user-pii")

Key features: encrypt/decrypt (bytes and strings), password hashing (scrypt + argon2), JWT tokens, local mode (no server), async support.

See the Python SDK docs.


Self-Hosted Platform

The optional server adds centralized key management, policy enforcement, and a dashboard. The CLI works fully standalone without it.

Quick start

docker run -d -p 8003:8003 -p 3000:3000 -v cryptoserve-data:/data ghcr.io/ecolibria/crypto-serve

API: http://localhost:8003 | Dashboard: http://localhost:3000

Multi-container (production)

curl -fsSL https://raw.githubusercontent.com/ecolibria/crypto-serve/main/scripts/quickstart.sh | sh

Downloads the compose file, generates secrets, and starts PostgreSQL + backend + frontend. See the production deployment guide.

Platform features

| Feature            | Description                                                                              |
|--------------------|------------------------------------------------------------------------------------------|
| Key Management     | Automatic rotation, versioning, HKDF derivation, Shamir secret sharing, HSM/KMS backends |
| Context Model      | 5-layer algorithm selection: sensitivity, compliance, threats, access patterns, constraints |
| Policy Engine      | Declarative rules with CI/CD gate enforcement                                            |
| Multi-Tenancy      | Per-tenant isolation with separate keys and policies                                     |
| Audit & Compliance | SIEM integration, FIPS 140-2/3 modes                                                     |
| Identity           | OAuth (GitHub/Google/Azure/Okta), RBAC, SDK token management                             |

Documentation

| Resource        | Description                                      |
|-----------------|--------------------------------------------------|
| Getting Started | Installation and quickstart                      |
| CLI Reference   | All commands, flags, and examples                |
| Python SDK      | SDK reference                                    |
| API Reference   | REST API                                         |
| Architecture    | Context model, policy engine, key management     |
| Post-Quantum    | ML-KEM, ML-DSA, SLH-DSA, hybrid key exchange     |
| Security        | FIPS compliance, threat model                    |

Global Crypto Census

See what cryptography the open-source ecosystem actually uses:

npx cryptoserve census

Scans npm, PyPI, crates.io, Go, and Maven package registries. Live dashboard at census.cryptoserve.dev.

Security

Report vulnerabilities via GitHub Security Advisories. See SECURITY.md.

Contributing

See CONTRIBUTING.md.

License

Apache License 2.0. See LICENSE.