Greenfield Rust Backend

Fit today: Excellent. This is KeyRack’s primary use case.

Backend engineers building a new service or platform in Rust who need key management from day one — cloud platforms, SaaS startups, fintech services, or any Rust service handling sensitive data.

Building key management yourself means choosing crypto libraries, designing rotation, building audit trails, wiring HSM support, and getting all of it correct from a security standpoint.

KeyRack ships as both a standalone service (gRPC/REST) and an embeddable library (keyrack-core).

    docker compose up -d keyrack-service
    curl -s http://localhost:8080/v1/keys -X POST \
      -d '{"key_spec": "AES_256", "description": "user-data-dek"}'

Your app talks to KeyRack over the network. KeyRack handles key storage, rotation, audit events, and HSM integration.

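    # Cargo.toml
    [dependencies]
    keyrack-core = "0.1"

    use keyrack_core::provider::software::SoftwareProvider;
    use keyrack_core::provider::CryptoProvider;
    // KeySpec must also be in scope; its module path is not shown here.

    // Inside an async function that returns a Result:
    let provider = SoftwareProvider::new();
    let key = provider.generate_key(&KeySpec::Aes256).await?;
    // aad is additional authenticated data: authenticated, not encrypted.
    let ct = provider.encrypt(&key, plaintext, aad).await?;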

Embed key management directly. Swap in Pkcs11Provider or KmipProvider for HSM-backed production without changing application code.

  • Full key lifecycle over gRPC and REST
  • AES-256-GCM, Ed25519, ECDSA P-256, RSA 2048/3072/4096
  • Software, PKCS#11, and KMIP client providers
  • Vault Transit provider
  • Key hierarchy and cooperative rotation protocol
  • Prometheus metrics and structured audit events
  • Docker Compose quickstart
  • Published crates on crates.io
  • Stable API guarantees (pre-1.0)
  • Production deployment guides (multi-node HA — commercial)
  • SDK wrapper (currently raw gRPC/REST)

See Developer guide and Operator guide.