// the find
build-trust/ockam
Orchestrate end-to-end encryption, cryptographic identities, mutual authentication, and authorization policies between distributed applications – at massive scale.
Ockam is a developer toolkit for building mutually-authenticated, end-to-end encrypted channels between distributed services — think of it as TLS done right for service-to-service communication, without needing to manage PKI or rely on network perimeter security. It's aimed at engineers who need to connect services across clouds, VPCs, or NAT boundaries without punching firewall holes or trusting the network between them. The core is Rust with Elixir and (apparently) Python bindings.
The cryptographic design is solid — they use the Noise protocol framework (XX handshake) for key establishment and AEAD-AES-GCM for transport encryption, both well-vetted choices. The 'portal' abstraction (inlet/outlet TCP tunnels) is genuinely useful: you can make a remote TCP service appear local without VPN or port forwarding, and the encryption is transparent to the application. Identity and credential handling is baked in as a first-class primitive, not bolted on — you can attach ABAC-style policies to connections at the routing layer. The Elixir implementation is a real implementation, not a wrapper, which means Elixir/BEAM users get actor-model concurrency properties for free in their secure channels.
The README is nearly empty — a curl-to-bash install script and a license link, nothing else. For a security-critical library, that's a red flag: you can't evaluate what you can't read. The project has a managed cloud 'Ockam Orchestrator' that the CLI tools lean on for relay nodes, which means the 'no network perimeter' pitch quietly assumes you're routing through their infrastructure for NAT traversal — self-hosting the relay (the Ockam Node) is possible but not front-and-center in documentation. Stars are modest (4.6k) for the scope of what they're claiming, which suggests adoption hasn't matched ambition. Last push was January 2026 but activity looks like it trails off — worth checking whether the company behind this is still actively investing.