Secure infrastructure for high-trust systems.
Data protection, key management, PKI, secrets, and memory-safe systems research. Cross-language SDKs, self-hosted services, no vendor lock-in.
Four pillars. One platform.
Each project stands alone. Together they cover encryption, key lifecycle, certificates, and secrets management.
Data Protection
Format-preserving encryption (NIST FF1/FF3), AES-GCM, masking, and hashing. Nine languages, thirteen platform integrations.
9 SDKs shipped
Manage Keys
KMIP 1.4 server with full key lifecycle, server-side crypto, mTLS, and audit logging. Client libraries for nine languages.
Server + 9 clients shipped
Issue Certificates
Certificate authority with CA hierarchy, issuance, revocation (CRL + OCSP), and CSR support. Single binary. REST API and CLI.
PKI server shipped
Manage Secrets
Application secrets management. Lightweight, self-hosted, no external dependencies.
Coming soon
Data protection without the platform tax.
Open-source KMIP
A real KMIP 1.4 server with client libraries for nine languages. Key lifecycle, server-side crypto, mTLS, audit logging. Works with our server or any KMIP-compliant system.
PKI in one binary
Root and intermediate CAs, certificate issuance, CRL, OCSP, CSR support. REST API and CLI. No shell scripts, no heavyweight enterprise CA software.
NIST-compliant data protection
FPE (NIST SP 800-38G FF1/FF3), AES-GCM, masking, and hashing. Encrypt data without changing its format. Nine languages, thirteen platform integrations. Tested against all NIST vectors.
No lock-in. No license keys.
Self-host everything. No phone-home, no usage caps, no feature gates. The SDKs, KMIP server, and PKI server are Apache 2.0.
Run your own.
Self-contained servers. Single binary. SQLite. Docker ready. No external dependencies, no license keys, no phone-home.
Open KMIP Server
v0.1.0-alpha.1
KMIP 1.4 key management server with full key lifecycle, server-side cryptography, and a management dashboard.
- 27 KMIP operations · TTLV binary protocol
- mTLS authentication · REST API
- AES-GCM, ChaCha20, RSA/ECDSA, HMAC
- Key state machine · audit log
- Embedded dashboard · Prometheus metrics
- 9 client libraries (Go, Java, Python, Node, Rust, .NET, PHP, Ruby, Swift)
Open PKI Server
v0.1.0-alpha.1
Certificate authority and PKI lifecycle server. Create CAs, issue certificates, manage revocation, and run mTLS.
- Root and intermediate CAs (Ed25519, ECDSA)
- Certificate issuance with profile-based policy
- CSR support · private key never leaves the requester
- CRL distribution · OCSP responder
- CLI + REST API + embedded dashboard
- Single binary · SQLite · Docker ready
Common questions
What Cyphera is, what it protects, and how it's licensed.
What is Cyphera?
Cyphera is a secure-infrastructure platform for high-trust systems. It brings together four building blocks — data protection, key management, PKI, and secrets management — as cross-language SDKs and self-hosted servers. Each piece works on its own or together, with no vendor lock-in. Cyphera is built by Horizon Digital Engineering LLC and released under the Apache 2.0 license.
What can I protect with Cyphera?
Field-level data, encryption keys, certificates, and application secrets. The data-protection SDKs apply format-preserving encryption (NIST FF1/FF3), AES-GCM, masking, and hashing so values keep their original format. The KMIP server manages the full key lifecycle, the PKI server issues and revokes certificates, and the secrets manager (coming soon) handles application secrets.
Is Cyphera open source, and what does it cost?
Yes. The SDKs, the KMIP server, and the PKI server are open source under Apache 2.0 — free to self-host with no license keys, usage caps, feature gates, or phone-home. You run it on your own infrastructure.
Which languages and platforms does Cyphera support?
Nine languages — Java, Rust, Go, Python, Node/JavaScript, .NET, PHP, Ruby, and Swift — plus thirteen platform integrations including BigQuery, Databricks, Snowflake, Postgres, Trino, Kafka Connect, Flink, NiFi, Spring, and Hibernate.
Is the encryption standards-compliant?
The data-protection engines implement NIST SP 800-38G format-preserving encryption (FF1/FF3) and AES-GCM, and are tested against the published NIST test vectors. The KMIP server speaks KMIP 1.4; the PKI server supports CRL and OCSP revocation.
Who is Cyphera for, and can I self-host everything?
Cyphera is built for teams that handle regulated or sensitive data — fintech, healthcare, government, and the platform engineers who serve them. Every server is a single binary backed by SQLite, Docker-ready, with no external dependencies, so you can self-host the whole stack inside your own environment.
Read the SDK source.
The Cyphera SDKs, KMIP server, and PKI server are Apache 2.0 open source. Star us, fork us, file issues, send PRs.