End-to-end secure data storage, processing, and sharing framework with zero trust to storage/exchange infrastructure.
What is Hermes
Hermes — cryptographic framework for building multi-user end-to-end encrypted data storage and sharing/processing with zero leakage risks from storage and transport infrastructure (so called end-to-end encrypted zero knowledge architectures).
Hermes acts as a protected data circulation layer with cryptographic access control for your distributed application, with zero security risk of data exposure from servers and storage.
Hermes allows deploying end-to-end encrypted data exchange, sharing, and collaboration in your apps. Hermes is platform-agnostic: it works for mobile, web, or server applications storing data in any database/datastore.
What is Hermes-core
Hermes is a proprietary framework licensed by Cossack Labs.
Hermes-core is an open source (AGPL 3.0) repository for developers and security community that illustrates proof of concept of Hermes, which should be used for studying and verification of the methodology and cryptographic backend. Hermes-core is not a production version of Hermes but more of a sneak peek of its core layer.
Drop us an email to firstname.lastname@example.org if you are interested in commercial license or support.
|Client apps are responsible for data encryption and access control through using Hermes, while the server-side knows nothing about the nature of data.|
|Hermes imposes no limitations on data structure and database choice.|
|The ACL in Hermes relies completely on cryptography, where trust is bound to client’s keys. As long as the keys are safe – the system is safe.|
|With a solid security foundation on the data layer, building other security controls gets easier, the risk model becomes precise, and the overall security cost goes down considerably.|
|Hermes provides a foundation layer of data protection, Hermes is fully compatible with the following layers of security controls: TLS, firewalls, WAFs, SIEM, IDS, etc.|
|available for enterprise customers in a separate license.|
Use cases and industries
|Perfect Hermes-compatible applications and industries|
|Healthcare||Share FHIR and other medical records safely and distribute granular access to personnel in a secure way. Cut HIPAA costs by pushing many security controls to the encryption layer.|
|Finance||Store and process customer payment data securely, minimise insider threats and enable secure, accountable cross-organisation data exchange.|
|Enterprise||Protect commercially sensitive data and enforce access control, integrate with existing PKI and IAM stack, enforce group policies and efficient key/storage management – while keeping the data end-to-end encrypted.|
|B2C: Customer apps||Instill greater trust in your product by implementing end-to-end encryption of customer data. It’s not only E2EE messengers that deserve the right to use user trust as competitive advantage.|
Hermes operates with data that is subdivided into records that represent the hierarchy of recordsets and groups of recordsets. Each blob of data is encrypted using a symmetric key, from which a set of hashes is generated. Possession of a symmetric key by a user allows reading and carrying out other processes on hashes (including with writing data).
a document equals
a block and is not subdivided further as it is a basic building block for the hierarchic infrastructure of Hermes.
There are 3 storage entities in Hermes (and, consequently, in Hermes-core) that constitute the Server side:
- Data store contains the hierarchy of encrypted objects.
- Credential store stores keys and hashes, asymmetrically encrypted in such a way that can only be decrypted by authorised user’s private key. Those can contain access control key which grants READ access and Update Tag which allows performing WRITE operations.
- Keystore contains the symmetric keys (for READ and UPDATE), with as many copies of these keys as there are users authorised to access to the record, where every copy is wrapped (asymmetrically encrypted) with a public credential of the respective authorised user. If the permissions to READ and to WRITE extend to not just blocks, but to the list of blocks, they turn into permissions to DELETE/ADD elements.
The 4th entity of Hermes is Client:
- Client (or clients) is the active entity in the Hermes architecture, the one that actually produces or consumes the data. Client only possesses the keypair that allows decrypting the asymmetrically encrypted data from the Server. The READ permissions are always checked on Client. The absence of the key for performing READ operations will not allow Client to decrypt the downloaded piece of data. The WRITE permissions are checked both on Client and Server so they cannot “fool” each other.
Documentation and papers
Cossack Labs Documentation Server's section on Hermes contains the ever-evolving official documentation, with everything from deployment guidelines to use-cases, including charts and tutorials you might find useful.
Ever-evolving Implementing Hermes-based Security Systems document describes the details of implementing Hermes-based systems in the real world.
The scientific paper "Hermes – a framework for cryptographically assured access control and data security" explains the concept behind Hermes, math model, risk & threats analysis and provides implementation details. Useful for security engineers and cryptographers.
You can build Hermes-core manually from source or install it from the available package manager.
If you are running Ubuntu, Debian or CentOS, check Installing from repository page.
If you want to have the latest version of Hermes-core, you can build it from sources: Building Hermes core.
Hermes-core is available on C, however, client side applications are implemented on C, Python and Go:
|C core / C client||Local CLI tutorial||docs/examples/c/mid_hermes_low_level|
|C core / C client||C tutorial||docs/examples/c|
|C core / Python client||Python tutorial||docs/examples/python|
|C core / Go client||Go tutorial||docs/examples/go|
Moreover, Hermes natively supports:
|Server side||Client side (language)|
|Docker, VMs, GCP, AWS,
Ubuntu, Debian, CentOS, macOS
|iOS, Android, Java, Ruby, PHP,
Python, Node.js, Go, Rust, C/C++
Hermes itself supports the following architectures: x86/x64, armv*, various Android architectures:
- Debian (8, 9), CentOS 7, Ubuntu (14.04, 16.04, 18.04),
- macOS (10.12 - 10.15, 11),
- Android (4 - 12) / CyanogenMod 11+,
- iOS (10 - 15),
- Docker-containers, VMs.
Hermes-core has limited support, only x86/x64 platforms.
Examples and tutorials
Consider checking full tutorials to understand how to add and update blocks, grant READ and UPDATE access rights to users, revoke access rights.
- Usage examples describe how examples work and what are the possible usages for Hermes-core.
- C tutorial, where both Hermes and client app are written in C.
- Python tutorial, where the Hermes app is C-based, but client code runs on Python.
- Go tutorial, where Hermes app is C-based, but client code runs on Go.
GDPR, HIPAA, CCPA
Hermes can help you reach better compliance with the current privacy regulations, such as:
- General Data Protection Regulation (GDPR)
- HIPAA (Health Insurance Portability and Accountability Act)
- DPA (Data Protection Act)
- CCPA (California Consumer Privacy Act)
Configuring and using Hermes in a designated form will cover most of the demands described in articles 25, 32, 33, and 34 of GDPR and the PII data protection demands of HIPAA, allowing you to cut the costs by pushing the security controls to the cryptography layer.
Licensing and commercial support
Hermes-core license is GNU Affero General Public License v3.0.
There is a separate, commercial licensed Hermes version for industrial use (its core crypto code is similar to this repository, yet it holds additional convenience interfaces and services). Commercial license can include custom cryptographic engineering (building cryptographic scheme based on Hermes for your use-case) and engineering support.
Drop us an email to email@example.com if you are interested.
To talk to the business wing of Cossack Labs Limited, drop us an email to firstname.lastname@example.org.