README
¶
|
SovraFederated Sovereign Key Management for Critical Infrastructure Sovra is an open source federated control plane for managing cryptographic keys across distributed infrastructure. Organizations deploy independent Sovra instances that communicate securely to enable cross-organizational data sharing while maintaining cryptographic sovereignty. Built for: Research institutions, Government and Military. |
Features
- Federated Architecture - Peer-to-peer control planes
- Cryptographic Sovereignty - Customer-controlled root keys
- Cross-Domain Sharing - Multi-organization collaboration
- Cloud-Agnostic - Deploy anywhere
- Air-Gap Capable - SECRET classification support
- Policy-Driven - OPA-based access control
Installation
Using Docker (Recommended)
# Pull the latest image
docker pull ghcr.io/witlox/sovra:latest
# Run a specific service
docker run -d --name sovra-api ghcr.io/witlox/sovra:latest /app/api-gateway
Download Pre-built Binaries
Download the latest release for your platform from GitHub Releases.
# Linux (amd64)
curl -s https://api.github.com/repos/witlox/sovra/releases/latest \
| grep "browser_download_url.*linux_amd64.tar.gz" \
| cut -d '"' -f 4 | xargs curl -LO
tar xzf sovra_*_linux_amd64.tar.gz
# macOS (arm64)
curl -s https://api.github.com/repos/witlox/sovra/releases/latest \
| grep "browser_download_url.*darwin_arm64.tar.gz" \
| cut -d '"' -f 4 | xargs curl -LO
tar xzf sovra_*_darwin_arm64.tar.gz
# Add to PATH
sudo mv sovra /usr/local/bin/sovra
Build from Source
git clone https://github.com/witlox/sovra.git
cd sovra
make
Quick Start
# Deploy control plane
kubectl apply -k infrastructure/kubernetes/base
# Initialize
./scripts/init-control-plane.sh
# Connect edge node
sovra edge-node register --control-plane https://sovra.example.org
# Federate with partner
sovra federation establish --partner https://partner.example.org
Architecture
Organization A Organization B
┌──────────────────┐ ┌──────────────────┐
│ Sovra Control │◄─mTLS───►│ Sovra Control │
│ ├─ Policy (OPA) │ │ ├─ Policy (OPA) │
│ ├─ Lifecycle │ │ ├─ Lifecycle │
│ └─ Audit │ │ └─ Audit │
└────┬─────────────┘ └────┬─────────────┘
│ mTLS │ mTLS
┌────▼─────────────┐ ┌────▼─────────────┐
│ Edge (Vault) │ │ Edge (Vault) │
└──────────────────┘ └──────────────────┘
See ARCHITECTURE.md
Documentation
See Github Pages
Technology
- Services: Go 1.25+
- Database: PostgreSQL 15+
- Secrets: HashiCorp Vault 1.16+
- Policy: OPA 0.61+
- Networking: mTLS
Community
- GitHub Issues: Bug reports
- GitHub Discussions: Questions
See CONTRIBUTING.md
License
Apache-2.0 - See LICENSE
Citation
If you use this in research, please cite:
@software{sovra,
title={Sovra: Federated Sovereign Key Management for Critical Infrastructure},
author={Pim Witlox},
year={2026},
url={https://github.com/witlox/sovra}
}
Open Source | Community Driven | Digital Sovereignty
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
api-gateway
command
Package main implements the Sovra API Gateway service.
|
Package main implements the Sovra API Gateway service. |
|
sovra-cli
command
Package main implements the sovra-cli command-line tool.
|
Package main implements the sovra-cli command-line tool. |
|
internal
|
|
|
api
Package api handles API gateway functionality.
|
Package api handles API gateway functionality. |
|
audit
Package audit handles immutable audit logging.
|
Package audit handles immutable audit logging. |
|
auth
Package auth provides unified authentication and authorization for Sovra.
|
Package auth provides unified authentication and authorization for Sovra. |
|
auth/authz
Package authz provides OPA-based authorization.
|
Package authz provides OPA-based authorization. |
|
auth/jwt
Package jwt provides JWT token authentication using standard libraries.
|
Package jwt provides JWT token authentication using standard libraries. |
|
auth/mtls
Package mtls provides mTLS client certificate authentication.
|
Package mtls provides mTLS client certificate authentication. |
|
auth/oidc
Package oidc provides OpenID Connect authentication.
|
Package oidc provides OpenID Connect authentication. |
|
backup
Package backup provides backup and restore operations for Sovra.
|
Package backup provides backup and restore operations for Sovra. |
|
compliance
Package compliance provides compliance report generation.
|
Package compliance provides compliance report generation. |
|
config
Package config handles configuration loading from environment and files.
|
Package config handles configuration loading from environment and files. |
|
crk
Package crk implements Customer Root Key management using Shamir Secret Sharing.
|
Package crk implements Customer Root Key management using Shamir Secret Sharing. |
|
edge
Package edge handles edge node (Vault cluster) operations.
|
Package edge handles edge node (Vault cluster) operations. |
|
federation
Package federation handles cross-organization communication and trust.
|
Package federation handles cross-organization communication and trust. |
|
identity
Package identity provides emergency access and account recovery functionality.
|
Package identity provides emergency access and account recovery functionality. |
|
identity/idp
Package idp provides identity provider subject checking.
|
Package idp provides identity provider subject checking. |
|
identity/sync
Package sync provides background IdP group membership synchronization.
|
Package sync provides background IdP group membership synchronization. |
|
messaging
Package messaging implements store-and-forward direct messaging between federated users.
|
Package messaging implements store-and-forward direct messaging between federated users. |
|
policy
Package policy handles OPA-based access control.
|
Package policy handles OPA-based access control. |
|
reconciliation
Package reconciliation provides background IdP reconciliation for SSO-bound admins.
|
Package reconciliation provides background IdP reconciliation for SSO-bound admins. |
|
rotation
Package rotation provides key rotation policy scheduling.
|
Package rotation provides key rotation policy scheduling. |
|
workspace
Package workspace handles shared cryptographic domains for multi-organization data sharing.
|
Package workspace handles shared cryptographic domains for multi-organization data sharing. |
|
pkg
|
|
|
client
Package client provides an HTTP client for the Sovra API.
|
Package client provides an HTTP client for the Sovra API. |
|
errors
Package errors defines custom error types for Sovra.
|
Package errors defines custom error types for Sovra. |
|
metrics
Package metrics provides Prometheus metrics instrumentation for Sovra services.
|
Package metrics provides Prometheus metrics instrumentation for Sovra services. |
|
models
Package models defines the core domain types for Sovra.
|
Package models defines the core domain types for Sovra. |
|
opa
Package opa provides a client for interacting with Open Policy Agent servers.
|
Package opa provides a client for interacting with Open Policy Agent servers. |
|
postgres
Package postgres provides PostgreSQL repository implementations.
|
Package postgres provides PostgreSQL repository implementations. |
|
telemetry
Package telemetry provides OpenTelemetry tracing for Sovra services.
|
Package telemetry provides OpenTelemetry tracing for Sovra services. |
|
vault
Package vault provides authentication backend configuration for HashiCorp Vault.
|
Package vault provides authentication backend configuration for HashiCorp Vault. |
|
tests
|
|
|
integration
Package integration provides integration test infrastructure.
|
Package integration provides integration test infrastructure. |
|
mocks
Package mocks provides shared mock implementations for testing.
|
Package mocks provides shared mock implementations for testing. |
|
testutil
Package testutil provides test utilities and helpers.
|
Package testutil provides test utilities and helpers. |
|
testutil/inmemory
Package inmemory provides in-memory implementations for testing.
|
Package inmemory provides in-memory implementations for testing. |
Click to show internal directories.
Click to hide internal directories.