# ockam-network/ockam

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/ockam-network-ockam).**

4,628 stars · 557 forks · Rust · Apache-2.0

## Links

- GitHub: https://github.com/ockam-network/ockam
- Homepage: https://docs.ockam.io/
- awesome-repositories: https://awesome-repositories.com/repository/ockam-network-ockam.md

## Description

Ockam is an end-to-end encryption framework and distributed identity provider designed to establish secure communication between applications and devices. It provides a secure network overlay that utilizes cryptographic identities and attribute-based access control to implement zero trust network access.

The project distinguishes itself through metadata-driven multi-hop routing and a pluggable transport layer, which let encrypted traffic move across diverse network topologies without requiring virtual IP overlays. It also secures legacy applications by wrapping raw TCP traffic in encrypted channels, and it reaches services in private networks through outbound relays, traversing firewalls and NATs without VPNs or firewall changes.

The platform covers a broad range of capabilities, including distributed identity management, cryptographic credential issuance and verification, and the execution of stateful concurrent actors. It also provides tools for cloud-scale node provisioning and automated deployment using infrastructure-as-code templates.

## Tags

### Security & Cryptography

- [End-to-End Encryption Protocols](https://awesome-repositories.com/f/security-cryptography/end-to-end-encryption-protocols.md) — Provides a framework for orchestrating end-to-end encrypted communication channels between distributed applications and devices.
- [End-to-End Encryption](https://awesome-repositories.com/f/security-cryptography/privacy-data-protection/data-encryption/end-to-end-encryption.md) — Secures messages between distributed devices and services so data remains private throughout the entire transmission path. ([source](https://cdn.jsdelivr.net/gh/ockam-network/ockam@main/README.md))
- [Attribute-Based Access Control](https://awesome-repositories.com/f/security-cryptography/attribute-based-access-control.md) — Restricts resource access using attribute-based controls to define granular permissions based on user or device properties. ([source](https://docs.ockam.io/video-tutorials/authentication-authorization-non-human-identity-and-more.md))
- [Bidirectional Secure Connectivity](https://awesome-repositories.com/f/security-cryptography/bidirectional-secure-connectivity.md) — Creates encrypted tunnels between distributed environments using outgoing connections to remove the need for VPNs or firewall changes. ([source](https://docs.ockam.io/video-tutorials/how-product-managers-should-think-about-secure-connections-to-customer-data.md))
- [Client Access Authorizations](https://awesome-repositories.com/f/security-cryptography/client-access-authorizations.md) — Restricts channel establishment based on specific cryptographic identifiers or credentials issued by a trusted authority. ([source](https://docs.ockam.io/documentation/protocols/secure-channels.md))
- [Verifiable Credential Issuance](https://awesome-repositories.com/f/security-cryptography/credential-managers/decentralized-identity-credentials/verifiable-credential-issuance.md) — Provides signed attestations from an authority to verify entity attributes and membership for scalable trust. ([source](https://docs.ockam.io/video-tutorials/the-trick-behind-ockams-magic...how-ockam-works..md))
- [Cryptographic Identity Generation](https://awesome-repositories.com/f/security-cryptography/cryptographic-identity-generation.md) — Generates unique cryptographic identities to represent users or devices for securing communications. ([source](https://docs.ockam.io/documentation/libraries/rust/vaults-and-identities.md))
- [Cryptographic Key Management](https://awesome-repositories.com/f/security-cryptography/cryptographic-key-management.md) — Generates, retrieves, and deletes secret signing and ephemeral keys within a secure hardware or software vault. ([source](https://docs.ockam.io/documentation/protocols/keys.md))
- [Distributed Identity Providers](https://awesome-repositories.com/f/security-cryptography/distributed-identity-providers.md) — Provides a system for creating and managing verifiable cryptographic identities and attribute-based credentials to establish trust between nodes.
- [Encrypted Tunneling](https://awesome-repositories.com/f/security-cryptography/encrypted-tunneling.md) — Creates encrypted and authenticated tunnels for data transfer across diverse transport topologies and multi-hop routes. ([source](https://docs.ockam.io/documentation/libraries/rust.md))
- [Attribute-based Access Controls](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/access-control-models/attribute-based-access-controls.md) — Provides an authorization engine that restricts resource access by evaluating the cryptographic attributes of authenticated identities.
- [Credential Issuance and Revocation](https://awesome-repositories.com/f/security-cryptography/identity-access-management/credential-lifecycle-management/credential-issuance-and-revocation.md) — Operates credential authorities to distribute, rotate, and revoke attribute-based credentials across device fleets. ([source](https://docs.ockam.io/documentation/libraries/rust.md))
- [Identity Management](https://awesome-repositories.com/f/security-cryptography/identity-access-management/identity-management.md) — Creates and manages verifiable digital identities to enable secure communication and prevent behavior correlation. ([source](https://cdn.jsdelivr.net/gh/ockam-network/ockam@main/README.md))
- [Identity Management](https://awesome-repositories.com/f/security-cryptography/identity-management.md) — Manages verifiable cryptographic identities and credentials to establish trust between nodes in decentralized environments. ([source](https://docs.ockam.io/video-tutorials/the-trick-behind-ockams-magic...how-ockam-works..md))
- [Mutual Authentication](https://awesome-repositories.com/f/security-cryptography/mutual-authentication.md) — Establishes secure channels by verifying cryptographic identifiers and signed credentials during a mutual handshake.
- [Policy-Based Access Control](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control.md) — Applies granular authorization rules using attribute-based, role-based, or access control list models to govern resource access. ([source](https://docs.ockam.io/documentation/command.md))
- [AEAD Encryptions and Decryptions](https://awesome-repositories.com/f/security-cryptography/privacy-data-protection/data-encryption/end-to-end-encryption/media-encryption/stream-encryption-and-decryption/aead-encryptions-and-decryptions.md) — Performs AEAD encryption and decryption on plaintext using secret keys stored in a secure vault. ([source](https://docs.ockam.io/documentation/protocols/keys.md))
- [Authenticated Encryption Channels](https://awesome-repositories.com/f/security-cryptography/secure-communication-clients/authenticated-encryption-channels.md) — Creates encrypted connections between nodes that guarantee data authenticity, integrity, and confidentiality. ([source](https://docs.ockam.io/documentation/command/secure-channels.md))
- [Secure Node Provisioning](https://awesome-repositories.com/f/security-cryptography/secure-node-networking/secure-node-provisioning.md) — Provisions encrypted inlet and outlet nodes on cloud infrastructure to establish secure tunnels between distributed services. ([source](https://docs.ockam.io/documentation/command/guides/aws-marketplace/ockam-node.md))
- [Identity-Based Trust Anchors](https://awesome-repositories.com/f/security-cryptography/security-trust-models/cluster-identity-trust-establishment/identity-based-trust-anchors.md) — Establishes a secure communication channel by explicitly authorizing specific known cryptographic identifiers. ([source](https://docs.ockam.io/documentation/command/credentials.md))
- [Authority-Based Trust Anchors](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers/trust-anchor-management/authority-based-trust-anchors.md) — Establishes secure communication by validating a credential issued by a trusted third-party authority. ([source](https://docs.ockam.io/documentation/command/credentials.md))
- [Credential-Based Trust Hierarchies](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers/trust-anchor-management/external-trust-bootstrapping/credential-based-trust-hierarchies.md) — Scales trust across distributed nodes using a hierarchy of issued and verified cryptographic attestations.
- [Verifiable Credential Verification](https://awesome-repositories.com/f/security-cryptography/verifiable-credential-verification.md) — Validates the cryptographic signatures and authenticity of attribute-based credentials against trusted issuers. ([source](https://docs.ockam.io/documentation/libraries/rust/credentials.md))
- [Zero Trust Access](https://awesome-repositories.com/f/security-cryptography/zero-trust-access.md) — Controls resource access using cryptographic identities and attribute-based policies to eliminate reliance on traditional VPNs.
- [Cryptographic Signing Methods](https://awesome-repositories.com/f/security-cryptography/asymmetric-signing/cryptographic-signing-methods.md) — Signs data using cryptographic algorithms while ensuring secret keys remain within a secure boundary. ([source](https://docs.ockam.io/documentation/protocols/keys.md))
- [Encryption Key Management](https://awesome-repositories.com/f/security-cryptography/encryption-key-management.md) — Updates symmetric keys periodically using a nonce-based sliding window to maintain forward secrecy. ([source](https://docs.ockam.io/documentation/protocols/secure-channels.md))
- [End-to-End Encrypted Messaging Frameworks](https://awesome-repositories.com/f/security-cryptography/end-to-end-encrypted-messaging-frameworks.md) — Orchestrates cryptographic identities, mutual authentication, and secure communication channels between distributed applications.
- [Layered Secure Tunneling](https://awesome-repositories.com/f/security-cryptography/end-to-end-encryption-protocols/layered-secure-tunneling.md) — Nests multiple secure channels within one another to provide layered authentication across complex network paths. ([source](https://docs.ockam.io/video-tutorials/the-trick-behind-ockams-magic...how-ockam-works..md))
- [Legacy Protocol Tunneling](https://awesome-repositories.com/f/security-cryptography/end-to-end-encryption-protocols/legacy-protocol-tunneling.md) — Wraps raw TCP traffic into encrypted routed messages to provide secure tunneling for legacy protocols.
- [Identity & Key Management](https://awesome-repositories.com/f/security-cryptography/identity-key-management.md) — Secures private keys within hardware, cloud management systems, or file systems to prevent extraction. ([source](https://docs.ockam.io/documentation/command/identities.md))
- [Diffie-Hellman Exchanges](https://awesome-repositories.com/f/security-cryptography/key-exchange-protocols/diffie-hellman-exchanges.md) — Computes shared secrets using public keys to establish secure communication channels via Diffie-Hellman. ([source](https://docs.ockam.io/documentation/protocols/keys.md))
- [Identity Key Attestations](https://awesome-repositories.com/f/security-cryptography/public-key-authentication/identity-key-attestations.md) — Signs attestations that bind digital identities to specific public keys used for issuing credentials or securing channels. ([source](https://docs.ockam.io/documentation/protocols/identities.md))
- [External Trust Bootstrapping](https://awesome-repositories.com/f/security-cryptography/security/utilities/certificate-trust-managers/trust-anchor-management/external-trust-bootstrapping.md) — Scales trust from a single anchor to many entities through enrollment protocols that distribute credentials over secure channels. ([source](https://docs.ockam.io/video-tutorials/the-trick-behind-ockams-magic...how-ockam-works..md))
- [Traffic Filtering](https://awesome-repositories.com/f/security-cryptography/traffic-filtering.md) — Evaluates incoming and outgoing messages against access control rules to authorize or block traffic based on route metadata. ([source](https://docs.ockam.io/documentation/protocols/routing.md))

### DevOps & Infrastructure

- [Actor Worker Routing](https://awesome-repositories.com/f/devops-infrastructure/message-queue-workers/actor-worker-routing.md) — Directs communication between decoupled actor components using a registry to resolve addresses and relay messages. ([source](https://docs.ockam.io/documentation/libraries/rust/internals/nodes.md))
- [Persistent Worker State](https://awesome-repositories.com/f/devops-infrastructure/worker-context-access/state-aware-worker-execution/persistent-worker-state.md) — Runs lightweight concurrent actors within a node that maintain state and process asynchronous messages via dedicated mailboxes. ([source](https://docs.ockam.io/documentation/command/nodes.md))
- [Cloud Node Lifecycle Management](https://awesome-repositories.com/f/devops-infrastructure/cloud-node-lifecycle-management.md) — Creates and scales managed nodes in the cloud to host services and manage team permissions. ([source](https://docs.ockam.io/documentation/command/nodes.md))
- [Infrastructure-as-Code Node Deployments](https://awesome-repositories.com/f/devops-infrastructure/infrastructure-as-code-node-deployments.md) — Automates the creation and configuration of secure communication nodes using infrastructure-as-code templates. ([source](https://docs.ockam.io/documentation/command/guides.md))
- [Network Bridging](https://awesome-repositories.com/f/devops-infrastructure/remote-cluster-access/network-bridging.md) — Acts as a gateway between separate networks or transport protocols to enable communication between disconnected nodes. ([source](https://docs.ockam.io/documentation/protocols/routing.md))

### Networking & Communication

- [Legacy Application Tunneling](https://awesome-repositories.com/f/networking-communication/cloud-application-connectivity/legacy-application-tunneling.md) — Wraps unencrypted TCP traffic in secure channels to provide encryption and authentication without modifying application code.
- [Pluggable Transport Layers](https://awesome-repositories.com/f/networking-communication/communication-protocols-architectures/communication-protocols-standards/network-transport-layers/pluggable-transport-layers.md) — Moves messages between nodes using pluggable transport layers such as TCP, UDP, WebSockets, or Bluetooth. ([source](https://docs.ockam.io/documentation/libraries/rust/routing.md))
- [Layer 7 Traffic Routing](https://awesome-repositories.com/f/networking-communication/layer-7-traffic-routing.md) — Directs data between distributed machines at the application layer without requiring virtual IP overlays or shared subnets. ([source](https://docs.ockam.io/video-tutorials/lets-compare-ockam-to-a-vpn-reverse-proxy-and-publicly-addressable-api-endpoints..md))
- [Message Delivery Pipelines](https://awesome-repositories.com/f/networking-communication/message-delivery-pipelines.md) — Delivers messages between concurrent stateful actors running on a single instance or across remote network nodes. ([source](https://docs.ockam.io/documentation/libraries/rust/nodes.md))
- [Message Routing](https://awesome-repositories.com/f/networking-communication/message-routing.md) — Delivers messages between local or remote execution environments using standardized routing and transport protocols. ([source](https://docs.ockam.io/documentation/protocols/nodes.md))
- [Overlay Networks](https://awesome-repositories.com/f/networking-communication/overlay-networks.md) — Provides a network layer that routes encrypted traffic across diverse transports and multi-hop paths without virtual IP overlays.
- [Private Network Connectivity](https://awesome-repositories.com/f/networking-communication/private-networks/private-network-connectivity.md) — Bypasses firewalls and NATs by establishing outbound relays that allow secure communication with remote private networks.
- [Protocol-Agnostic Transport Layers](https://awesome-repositories.com/f/networking-communication/protocol-agnostic-transport-layers.md) — Moves routed messages across different physical or logical layers including TCP, UDP, WebSockets, and Bluetooth. ([source](https://docs.ockam.io/documentation/protocols/routing.md))
- [Traffic Routing](https://awesome-repositories.com/f/networking-communication/traffic-routing.md) — Directs data across a network of nodes using specialized routing protocols to reach specific endpoints. ([source](https://docs.ockam.io/video-tutorials/authentication-authorization-non-human-identity-and-more.md))
- [Multi-Hop Routing](https://awesome-repositories.com/f/networking-communication/traffic-routing/multi-hop-routing.md) — Directs messages through a sequence of intermediate nodes using metadata-driven routing to define the path.
- [Connectivity Abstraction Layers](https://awesome-repositories.com/f/networking-communication/connectivity-abstraction-layers.md) — Hides complex network layer configurations from developers to prevent security vulnerabilities and data leaks. ([source](https://docs.ockam.io/video-tutorials/introduction-to-networkless-connections.md))
- [Encrypted Network Relays](https://awesome-repositories.com/f/networking-communication/encrypted-network-relays.md) — Establishes outbound connections to intermediary nodes to bridge communication between private networks. ([source](https://docs.ockam.io/documentation/command/advanced-routing.md))
- [Network Bridging Relays](https://awesome-repositories.com/f/networking-communication/network-bridging-relays.md) — Establishes outbound connections to intermediary relay services to bridge isolated private network segments. ([source](https://docs.ockam.io/video-tutorials/the-trick-behind-ockams-magic...how-ockam-works..md))
- [Service Exposure](https://awesome-repositories.com/f/networking-communication/service-exposure.md) — Groups workers into named services with unique addresses to provide functionality to other nodes across the network. ([source](https://docs.ockam.io/documentation/command/nodes.md))
- [TCP Tunneling](https://awesome-repositories.com/f/networking-communication/tcp-protocol-implementations/tcp-tunneling.md) — Proxies raw TCP traffic by wrapping it in encrypted channels to secure legacy protocols without code changes.
- [Secure Tunnels](https://awesome-repositories.com/f/networking-communication/traffic-routing/secure-tunnels.md) — Establishes encrypted tunnels between external clients and private databases using inlet and outlet nodes. ([source](https://docs.ockam.io/documentation/command/guides/aws-marketplace/ockam-node-for-amazon-rds-postgres.md))

### Software Engineering & Architecture

- [Actor-Based Concurrency](https://awesome-repositories.com/f/software-engineering-architecture/actor-based-concurrency.md) — Implements a concurrency model using isolated stateful workers and message-passing actors.

### Part of an Awesome List

- [Rust Cryptography](https://awesome-repositories.com/f/awesome-lists/devtools/rust-cryptography.md) — Library for end-to-end encryption and mutual authentication.
- [Security And Privacy](https://awesome-repositories.com/f/awesome-lists/security/security-and-privacy.md) — Library for end-to-end encryption and authentication.
- [Security & Privacy](https://awesome-repositories.com/f/awesome-lists/security/security-privacy.md) — Suite for secure, private communication between devices.
