explaingit

build-trust/ockam

4,624 · Rust
Audience · developer
Complexity · 4/5
Setup · hard

TLDR

A set of Rust and Elixir libraries for building distributed applications where messages stay encrypted end-to-end even when passing through queues, brokers, and cloud services, not just individual connections.

Mindmap

mindmap
  root((ockam))
    What it does
      End-to-end encryption
      Mutual authentication
      Distributed messaging
    Core features
      Secure channels
      Key rotation at scale
      Attribute-based access
      Hardware security modules
    Supported languages
      Rust
      Elixir
    Use cases
      Kafka message encryption
      Private network access
      Multi-hop secure routes
    Problem solved
      TLS gaps in queues
      Intermediary decryption
      Message level protection


Things people build with this

USE CASE 1

Set up an encrypted channel between two services so messages stay protected even as they pass through a Kafka broker or cloud relay

USE CASE 2

Secure remote access to a service running in a private network behind a NAT firewall without opening inbound firewall rules

USE CASE 3

Add mutual authentication so both ends of a distributed connection verify each other's identity before any data flows

USE CASE 4

Enforce fine-grained access control rules that restrict which services can send specific commands to which endpoints

Tech stack

Rust, Elixir

Getting it running

Difficulty · hard Time to first run · 1h+

Requires a Rust toolchain; multi-hop scenarios additionally involve configuring relays and cloud orchestrators.

License not described in the explanation.

In plain English

Ockam is a set of programming libraries for building distributed applications where messages stay encrypted from the moment they leave the sender to the moment they arrive at the recipient, even when those messages pass through many intermediate systems such as message queues, gateways, or cloud services along the way.

Modern applications rarely send data in a straight line. A message might travel from one service to a queue, through a broker, across data centers, and then to its destination. Standard transport protocols like TLS only protect each individual connection in that chain; they do not protect the message while it sits in a queue or passes through an intermediary that decrypts and re-encrypts it. Ockam addresses this by protecting the message itself, not just the connections it travels over.

The core features are: encrypted secure channels with mutual authentication (both sides prove who they are before any data flows), key generation and rotation at scale for large fleets of services, and attribute-based access control (fine-grained rules about who can send which commands to whom). It also supports hardware security modules for storing cryptographic keys in dedicated tamper-resistant chips.

The README includes a short example in Rust showing two programs (Alice and Bob) establishing an encrypted channel and passing a message through it. When the message enters the channel it is encrypted; when it exits at the other end it is decrypted. The same pattern extends to multi-hop routes that pass through Kafka, NAT firewalls, or cloud relays.

Libraries are available for Rust and Elixir, with more languages mentioned as planned. The repository is actively developed, and the README links to hands-on guides covering several concrete scenarios, including secure remote access tunnels to services in private networks and transparent encryption of any application-layer protocol.

Copy-paste prompts

Prompt 1
Using Ockam in Rust, show me the minimal code to set up an encrypted channel between two services so that messages are encrypted at the sender and only decrypted at the final recipient, not in between.
Prompt 2
I have two microservices that communicate through a Kafka topic. Using Ockam, show me how to add end-to-end encryption so the Kafka broker never sees the plaintext message content.
Prompt 3
Using Ockam, set up a secure tunnel that lets me access a web service running on a private server behind NAT from my laptop without opening any inbound firewall ports.
Prompt 4
Explain how Ockam's attribute-based access control works and show me a Rust code example that restricts one service from sending admin commands to another.