Comment on page

Introduction to Ockam

Build secure-by-design applications that can trust all data-in-motion.
Ockam is a suite of programming libraries, command line tools, and managed cloud services to orchestrate end-to-end encryption, mutual authentication, key management, credential management, and authorization policy enforcement – at massive scale.
Modern applications are distributed and have an unwieldy number of interconnections that must trustfully exchange data. To trust data-in-motion, applications need end-to-end guarantees of data authenticity, integrity, and confidentiality. To be private and secure-by-design, applications must have granular control over every trust and access decision. Ockam allows you to add these controls and guarantees to any application.

Use Cases

Create secure communication with private databases, from anywhere. No longer do you need to expose your data to the public internet with service ports.
Guarantee data authenticity and integrity of events from producers all-the-way to end consumers. End-to-end encrypt data-in-motion through Kafka.
Authenticate and authorize every access decision. Easily add fine-grained, identity-driven controls to enforce enterprise policies everywhere.

Quick Start

Let's build a solution for a very common secure communication topology that applies to many real world use cases.
An application service and an application client running in two private networks wish to securely communicate with each other without exposing ports on the Internet. In a few simple commands, we’ll make them safely talk to each other through an End-to-End Encrypted Cloud Relay.

Install Ockam Command

First, let’s install Ockam Command. Ockam Command is our Command Line Interface (CLI) to build and orchestrate secure distributed applications using Ockam.
Other Systems
If you use Homebrew, you can install Ockam using brew.
# Tap and install Ockam Command
brew install build-trust/ockam/ockam
This will download a precompiled binary and add it to your path. If you don’t use Homebrew, you can also install on Linux and MacOS systems using curl. See instructions for other systems in the next tab.
On Linux and MacOS, you can download precompiled binaries for your architecture using curl.
curl --proto '=https' --tlsv1.2 -sSfL | bash
This will download a precompiled binary and add it to your path. If the above instructions don't work on your machine, please post a question, we’d love to help.

End-to-end encrypted and mutually authenticated communication

Next, step through the following commands to setup secure and private communication between our application service and an application client.
Run on your machine
Run in the browser
# Check that everything was installed correctly by enrolling with Ockam Orchestrator.
# This will create a Space and Project for you in Ockam Orchestrator and provision an
# End-to-End Encrypted Relay in your `default` project at `/project/default`.
ockam enroll
# Start an application service, listening on a local IP and port, that clients would access
# through the cloud encrypted relay. We'll use a simple HTTP server for this first example
# but this could be any other application service.
python3 -m http.server --bind 6000
# In a new terminal window, setup a tcp-outlet that makes a TCP service available at the given
# address `6000`. We can use this to send raw TCP traffic to the HTTP server on port `6000`.
# Finally create a relay in your default Orchestrator project. Relays make it possible to
# establish end-to-end protocols with services operating in remote private networks, without
# requiring a remote service to expose listening ports to an outside hostile network like the
# Internet.
ockam tcp-outlet create --to 6000
ockam relay create
# Setup a local tcp-inlet to allow raw TCP traffic to be received on port `7000` before
# it is forwarded. A TCP inlet is a way of defining where a node should be listening for
# connections, and where it should forward that traffic to.
ockam tcp-inlet create --from 7000
# Access the application service, that may be in a remote private network though
# the end-to-end encrypted secure channel, via your private and encrypted cloud relay.
curl --head

Design Concepts

Private and secure by design

In the example above, we’ve created two nodes and established an end-to-end secure channel between them through an encrypted cloud relay. For the sake of simplicity, we ran both ends on a single machine but they could also be run on completely separate machines with the same result: an end-to-end encrypted and mutually authenticated secure channel.
Distributed applications that are connected in this way can communicate without the risk of spoofing, tampering, or eavesdropping attacks irrespective of transport protocols, communication topologies, and network configuration. As application data flows across data centers, through queues and caches, via gateways and brokers - these intermediaries, like the cloud relay in the above example, can facilitate communication but cannot eavesdrop or tamper data.
You can establish secure channels across networks and clouds over multi-hop, multi-protocol routes to build private and secure by design distributed applications that have a small vulnerability surface and full control over data authenticity, integrity, and confidentiality.

Trust for data-in-motion

Behind the scenes, the above commands generated unique cryptographically provable identities and saved corresponding keys in a vault. Your orchestrator project was provisioned with a managed credential authority and every node was setup to anchor trust in credentials issued by this authority. Identities were issued project membership credentials and these cryptographically verifiable credentials were then combined with attribute based access control policies to setup a mutually authenticated and authorized end-to-end secure channel.
Your applications can make granular access control decisions at every request because they can be certain about the source and integrity of all data and instructions. You place zero implicit trust in network boundaries and intermediaries to build applications that have end-to-end application layer trust for all data in motion.

Powerful protocols, made simple

Underlying all of this is a variety of cryptographic and messaging protocols. We’ve made these protocols safe and easy to use in any application.
No more having to design error-prone ad-hoc ways to distribute sensitive credentials and roots of trust. Ockam’s integrated approach takes away this complexity and gives you simple tools for:

Features of Ockam

End-to-end data authenticity, integrity, and privacy in any communication topology

  • Create end-to-end encrypted, authenticated secure channels over any transport topology.
  • Create secure channels over multi-hop, multi-protocol routes - TCP, UDP, WebSockets, BLE, etc.
  • Provision encrypted relays for applications distributed across many edge, cloud and data-center private networks.
  • Make any protocol secure by tunneling it through mutually authenticated and encrypted portals.
  • Bring end-to-end encryption to enterprise messaging, pub/sub and event streams - Kafka, Kinesis, RabbitMQ etc.

Identity-based, policy driven, application layer trust – granular authentication and authorization

  • Generate cryptographically provable unique identities.
  • Store private keys in safe vaults - hardware secure enclaves and cloud key management systems.
  • Operate scalable credential authorities to issue lightweight, short-lived, revokable, attribute-based credentials.
  • Onboard fleets of self-sovereign application identities using secure enrollment protocols.
  • Rotate and revoke keys and credentials – at scale, across fleets.
  • Define and enforce project-wide attribute based access control policies - ABAC, RBAC or ACLs.
  • Integrate with enterprise identity providers and policy providers for seamless employee access.

Deep Dives

Read more about how teams are using Ockam for many use cases across industries or dive into our step-by-step reference on our command line and rust libraries.
Command line tools to build and orchestrate highly scalable and secure distributed applications. Orchestrate nodes, vaults, identities, credentials, secure channels, relays, portals and more.
Rust crates to build secure by design applications for any environment – from highly scalable cloud infrastructure to tiny battery operated microcontroller based devices.

Get help

We are here to help you build with Ockam. If you need help, please reach out to us!