Lux HSM

Unified hardware security module for blockchain infrastructure

Lux HSM provides a single Go interface for signing and verification across six backend providers, ranging from cloud HSMs and an edge hardware module to a post-quantum algorithm and an in-memory development backend. Callers address keys by identifier only; the private key stays inside the backend. All secrets are managed through Lux KMS and are never stored as plaintext.

Core Interfaces

// Signer is implemented by every backend. keyID names a key inside that backend
// (for example a KMS key ARN or a Key Vault key identifier); the private key
// itself is never handed to the caller.
type Signer interface {
    // Sign returns a signature over message made with the key named by keyID.
    Sign(ctx context.Context, keyID string, message []byte) ([]byte, error)
    // Verify reports whether signature is a valid signature over message for keyID.
    Verify(ctx context.Context, keyID string, message, signature []byte) (bool, error)
    // Provider returns the backend name ("aws", "gcp", "azure", "zymbit", "mldsa", "local").
    Provider() string
}

// PasswordProvider fetches a secret (such as the ZapDB password) named by keyID
// from a backend, so the application never holds it on disk in plaintext.
type PasswordProvider interface {
    GetPassword(ctx context.Context, keyID string) (string, error)
}

Signing Providers

Provider   Algorithm                   Use Case
aws        ECDSA P-256 via KMS         Production cloud signing
gcp        EC_SIGN_P256_SHA256         Production cloud signing
azure      ES256 via Key Vault         Production cloud signing
zymbit     ECDSA P-256 via PKCS#11     Edge/IoT hardware signing
mldsa      ML-DSA-65 (FIPS 204)        Post-quantum signing
local      ECDSA P-256 in-memory       Development and testing
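To make concrete what a backend has to provide to satisfy Signer, here is an added example of a minimal in-memory ECDSA P-256 signer in the spirit of the local row. It is not code from the Lux HSM repository: the memSigner type, its GenerateKey method and the "mem" provider name are assumptions for illustration, while the Signer interface is the one from the Core Interfaces section. The signer hashes with SHA-256, emits ASN.1 DER signatures, and the round trip checks both an intact and a tampered message so the difference between a bad signature (false, nil) and a check that could not run (false, err) is visible.

```go
package main

import (
    "context"
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/rand"
    "crypto/sha256"
    "fmt"
    "sync"
)

// Signer repeats the interface from the Core Interfaces section so this file compiles alone.
type Signer interface {
    Sign(ctx context.Context, keyID string, message []byte) ([]byte, error)
    Verify(ctx context.Context, keyID string, message, signature []byte) (bool, error)
    Provider() string
}

// memSigner is a hypothetical in-memory ECDSA P-256 backend (not the project's "local"
// provider): private keys live only inside this struct and are never exported.
type memSigner struct {
    mu   sync.RWMutex
    keys map[string]*ecdsa.PrivateKey
}

func newMemSigner() *memSigner {
    return &memSigner{keys: map[string]*ecdsa.PrivateKey{}}
}

// GenerateKey creates a fresh P-256 key under keyID; only the key ID ever leaves the signer.
func (s *memSigner) GenerateKey(keyID string) error {
    priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    if err != nil {
        return err
    }
    s.mu.Lock()
    defer s.mu.Unlock()
    s.keys[keyID] = priv
    return nil
}

func (s *memSigner) lookup(keyID string) (*ecdsa.PrivateKey, error) {
    s.mu.RLock()
    defer s.mu.RUnlock()
    k, ok := s.keys[keyID]
    if !ok {
        return nil, fmt.Errorf("unknown key %q", keyID)
    }
    return k, nil
}

// Sign hashes the message with SHA-256 and returns an ASN.1 DER ECDSA signature.
func (s *memSigner) Sign(ctx context.Context, keyID string, message []byte) ([]byte, error) {
    k, err := s.lookup(keyID)
    if err != nil {
        return nil, err
    }
    digest := sha256.Sum256(message)
    return ecdsa.SignASN1(rand.Reader, k, digest[:])
}

// Verify returns (false, nil) for a signature that does not match the message and
// (false, err) when the check could not be performed at all, e.g. an unknown keyID.
func (s *memSigner) Verify(ctx context.Context, keyID string, message, signature []byte) (bool, error) {
    k, err := s.lookup(keyID)
    if err != nil {
        return false, err
    }
    digest := sha256.Sum256(message)
    return ecdsa.VerifyASN1(&k.PublicKey, digest[:], signature), nil
}

func (s *memSigner) Provider() string { return "mem" }

var _ Signer = (*memSigner)(nil) // compile-time check that memSigner satisfies Signer

// roundTrip signs a constructed message, then verifies it unchanged (valid) and with one byte altered (tampered).
func roundTrip() (valid bool, tampered bool, err error) {
    s := newMemSigner()
    if err = s.GenerateKey("k1"); err != nil {
        return false, false, err
    }
    ctx := context.Background()
    msg := []byte("hello world") // constructed sample input
    sig, err := s.Sign(ctx, "k1", msg)
    if err != nil {
        return false, false, err
    }
    if valid, err = s.Verify(ctx, "k1", msg, sig); err != nil {
        return false, false, err
    }
    tampered, err = s.Verify(ctx, "k1", []byte("hello w0rld"), sig)
    return valid, tampered, err
}

func main() { fmt.Println(roundTrip()) } // true false <nil>
```

The ctx parameter is unused here because an in-memory backend has nothing to cancel; a cloud backend would pass it through to the KMS client so a hung signing call can be timed out. Note also that the public key is all Verify needs, so a production deployment can verify locally instead of paying for a KMS call per check.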

Password Providers

Provider   Source                      Use Case
aws        AWS KMS Decrypt             ZapDB password from KMS
gcp        GCP Cloud KMS Decrypt       ZapDB password from KMS
azure      Azure Key Vault unwrapKey   ZapDB password from Key Vault
env        Environment variable        Development only (never production)
file       File on disk                K8s mounted secrets (via KMS operator)
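The file row is the one that needs care in practice: a password read from a mounted secret should be rejected if the caller can steer the path, if the file is readable by other users, or if it carries a trailing newline. The following is an added example of a file-backed PasswordProvider with those checks; it is not the project's file provider, and the filePasswordProvider type and its one-secret-per-file layout are assumptions for illustration. The PasswordProvider interface is the one from the Core Interfaces section.

```go
package main

import (
    "context"
    "fmt"
    "os"
    "path/filepath"
    "strings"
)

// PasswordProvider repeats the interface from the Core Interfaces section so this file compiles alone.
type PasswordProvider interface {
    GetPassword(ctx context.Context, keyID string) (string, error)
}

// filePasswordProvider is a hypothetical file-backed provider (not the project's "file"
// provider): one secret per file under dir, the layout a mounted Kubernetes secret volume produces.
type filePasswordProvider struct {
    dir string
}

func (p filePasswordProvider) GetPassword(ctx context.Context, keyID string) (string, error) {
    if err := ctx.Err(); err != nil {
        return "", err
    }
    // keyID becomes a file name: refuse separators, "..", and dotfiles so a
    // caller-controlled ID cannot read anything outside dir.
    if keyID == "" || keyID != filepath.Base(keyID) || strings.HasPrefix(keyID, ".") {
        return "", fmt.Errorf("invalid key id %q", keyID)
    }
    path := filepath.Join(p.dir, keyID)
    info, err := os.Stat(path)
    if err != nil {
        return "", err
    }
    if !info.Mode().IsRegular() {
        return "", fmt.Errorf("%s is not a regular file", path)
    }
    // A secret readable by group or world is treated as already leaked.
    if info.Mode().Perm()&0o077 != 0 {
        return "", fmt.Errorf("%s has permissive mode %04o", path, info.Mode().Perm())
    }
    b, err := os.ReadFile(path)
    if err != nil {
        return "", err
    }
    if len(b) == 0 {
        return "", fmt.Errorf("%s is empty", path)
    }
    // Editors and kubectl routinely leave a trailing newline; a password that silently
    // includes "\n" fails authentication in a way that is painful to debug.
    return strings.TrimRight(string(b), "\r\n"), nil
}

var _ PasswordProvider = filePasswordProvider{} // compile-time interface check

func main() {
    // Constructed fixture: a temp dir standing in for the secret mount.
    dir, err := os.MkdirTemp("", "hsm-pw")
    if err != nil {
        panic(err)
    }
    defer os.RemoveAll(dir)
    if err := os.WriteFile(filepath.Join(dir, "zapdb"), []byte("s3cret\n"), 0o600); err != nil {
        panic(err)
    }
    pw, err := filePasswordProvider{dir: dir}.GetPassword(context.Background(), "zapdb")
    fmt.Printf("password=%q err=%v\n", pw, err) // password="s3cret" err=<nil>
}
```

Kubernetes mounts secret volumes with mode 0644 by default, so a provider with this permission check needs defaultMode set to 0400 or 0600 on the volume. The env row is the weaker alternative for a reason: an environment variable is inherited by every child process and readable from /proc/<pid>/environ by the same user, which is why the table marks it development only.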

Quick Example

package main

import (
    "context"
    "fmt"
    "log"

    "github.com/luxfi/hsm"
)

func main() {
    // Create a signer backed by AWS KMS. Do not discard the error: a nil signer
    // would panic on the first call, and a misconfigured backend should fail fast.
    signer, err := hsm.NewSigner("aws", map[string]string{
        "region": "us-east-1",
    })
    if err != nil {
        log.Fatalf("new signer: %v", err)
    }

    ctx := context.Background()
    keyID := "arn:aws:kms:us-east-1:123456789:key/my-signing-key"
    msg := []byte("hello world")

    // Sign: the private key never leaves KMS; only the signature comes back.
    sig, err := signer.Sign(ctx, keyID, msg)
    if err != nil {
        log.Fatalf("sign: %v", err)
    }

    // Verify: check the error before trusting ok, otherwise a failed call and a
    // bad signature are indistinguishable.
    ok, err := signer.Verify(ctx, keyID, msg, sig)
    if err != nil {
        log.Fatalf("verify: %v", err)
    }
    fmt.Println("Valid:", ok) // true
}

Architecture

┌─────────────────────────────────────────────┐
│                  Manager                     │
│  ┌──────────────────┐  ┌──────────────────┐ │
│  │  PasswordProvider │  │     Signer       │ │
│  └────────┬─────────┘  └────────┬─────────┘ │
│           │                     │            │
│  ┌────────▼─────────────────────▼─────────┐ │
│  │         Factory (NewSigner / etc)       │ │
│  └────┬────┬────┬────┬────┬────┬──────────┘ │
│       │    │    │    │    │    │             │
│      AWS  GCP Azure Zymbit MLDSA Local      │
└─────────────────────────────────────────────┘
         │    │    │    │
    ┌────▼────▼────▼────▼────┐
    │   Cloud / Hardware /    │
    │   Software Backends     │
    └─────────────────────────┘