sovra

module
v0.0.0-...-104485b
Published: Feb 9, 2026 License: Apache-2.0

README


Sovra

Federated Sovereign Key Management for Critical Infrastructure

Sovra is an open source federated control plane for managing cryptographic keys across distributed infrastructure. Organizations deploy independent Sovra instances that communicate securely to enable cross-organizational data sharing while maintaining cryptographic sovereignty.

Built for: Research institutions, Government and Military.



Features

  • Federated Architecture - Peer-to-peer control planes
  • Cryptographic Sovereignty - Customer-controlled root keys
  • Cross-Domain Sharing - Multi-organization collaboration
  • Cloud-Agnostic - Deploy anywhere
  • Air-Gap Capable - SECRET classification support
  • Policy-Driven - OPA-based access control

Installation

# Pull the latest image
docker pull ghcr.io/witlox/sovra:latest

# Run a specific service
docker run -d --name sovra-api ghcr.io/witlox/sovra:latest /app/api-gateway

Download Pre-built Binaries

Download the latest release for your platform from GitHub Releases.

# Note: this may not be the latest version; the docs are updated less often than the build.

# Linux (amd64)
curl -LO https://github.com/witlox/sovra/releases/download/2026.3.71/sovra_2026.3.71_linux_amd64.tar.gz
tar xzf sovra_2026.3.71_linux_amd64.tar.gz

# macOS (arm64)
curl -LO https://github.com/witlox/sovra/releases/download/2026.3.71/sovra_2026.3.71_darwin_arm64.tar.gz
tar xzf sovra_2026.3.71_darwin_arm64.tar.gz

# Add to PATH
sudo mv sovra /usr/local/bin/sovra-cli

Build from Source

git clone https://github.com/witlox/sovra.git
cd sovra
make

Quick Start

# Deploy control plane
kubectl apply -k infrastructure/kubernetes/base

# Initialize
./scripts/init-control-plane.sh

# Connect edge node
sovra-cli edge-node register --control-plane https://sovra.example.org

# Federate with partner
sovra-cli federation establish --partner https://partner.example.org

Architecture

Organization A                Organization B
┌──────────────────┐          ┌──────────────────┐
│ Sovra Control    │◄─mTLS───►│ Sovra Control    │
│ ├─ Policy (OPA)  │          │ ├─ Policy (OPA)  │
│ ├─ Lifecycle     │          │ ├─ Lifecycle     │
│ └─ Audit         │          │ └─ Audit         │
└────┬─────────────┘          └────┬─────────────┘
     │ mTLS                        │ mTLS
┌────▼─────────────┐          ┌────▼─────────────┐
│ Edge (Vault)     │          │ Edge (Vault)     │
└──────────────────┘          └──────────────────┘

See ARCHITECTURE.md


Documentation

See GitHub Pages


Technology

  • Services: Go 1.22+
  • Database: PostgreSQL 15+
  • Secrets: HashiCorp Vault 1.16+
  • Policy: OPA 0.61+
  • Networking: mTLS

Community

  • GitHub Issues: Bug reports
  • GitHub Discussions: Questions

See CONTRIBUTING.md


License

Apache-2.0 - See LICENSE


Open Source | Community Driven | Digital Sovereignty

Directories

Path - Synopsis

cmd
  api-gateway (command) - Package main implements the Sovra API Gateway service.
  audit-service (command) - Package main implements the Sovra Audit Service.
  federation-manager (command) - Package main implements the Sovra Federation Manager service.
  key-lifecycle (command) - Package main implements the Sovra Key Lifecycle service.
  policy-engine (command) - Package main implements the Sovra Policy Engine service.
  sovra-cli (command) - Package main implements the sovra-cli command-line tool.

internal
  api - Package api handles API gateway functionality.
  audit - Package audit handles immutable audit logging.
  auth - Package auth provides unified authentication and authorization for Sovra.
  auth/authz - Package authz provides OPA-based authorization.
  auth/jwt - Package jwt provides JWT token authentication using standard libraries.
  auth/mtls - Package mtls provides mTLS client certificate authentication.
  auth/oidc - Package oidc provides OpenID Connect authentication.
  config - Package config handles configuration loading from environment and files.
  crk - Package crk implements Customer Root Key management using Shamir Secret Sharing.
  edge - Package edge handles edge node (Vault cluster) operations.
  federation - Package federation handles cross-organization communication and trust.
  identity - Package identity provides emergency access and account recovery functionality.
  policy - Package policy handles OPA-based access control.
  workspace - Package workspace handles shared cryptographic domains for multi-organization data sharing.

pkg
  client - Package client provides an HTTP client for the Sovra API.
  errors - Package errors defines custom error types for Sovra.
  metrics - Package metrics provides Prometheus metrics instrumentation for Sovra services.
  models - Package models defines the core domain types for Sovra.
  opa - Package opa provides a client for interacting with Open Policy Agent servers.
  postgres - Package postgres provides PostgreSQL repository implementations.
  telemetry - Package telemetry provides OpenTelemetry tracing for Sovra services.
  vault - Package vault provides authentication backend configuration for HashiCorp Vault.

tests
  integration - Package integration provides integration test infrastructure.
  mocks - Package mocks provides shared mock implementations for testing.
  testutil - Package testutil provides test utilities and helpers.
  testutil/inmemory - Package inmemory provides in-memory implementations for testing.
