Enterprise License

Enterprise licensing / commercial use

Hardware-backed security you actually control — at production scale.

Run pico-hsm, pico-fido and pico-openpgp in real environments, integrate them into your products, or deploy them as an internal service — without AGPLv3 disclosure obligations for your own integration code.

Who is it for?

  • Teams rolling out keys/tokens to 10–200+ users.
  • OEMs embedding the stack in products/appliances.
  • Orgs running an internal “HSM / Auth” service (VM/container/private cloud).
  • Regulated environments that need traceability, revocation, dual-control.

What you get

Base package (always included)

  • Commercial license (proprietary)
    Operate in production (including virtualized/private-cloud deployments) without AGPLv3 disclosure of your modifications/integration.
  • Production / multi-user permission
    Explicit right to run across multiple users, devices and teams.
  • Official signed builds
    Provenance and tamper-evidence for what you deploy.
  • Onboarding call
    Remote session to get you from “it builds” to “it’s running in our environment”.

Optional components (on demand)

  • Bulk / fleet provisioning
    CSV/Directory import, scripted enrollment, initial PIN flows, role-based access.
  • Policy & lifecycle tooling
    Corporate PIN policy, per-team access control, device inventory & traceability, revocation/offboarding.
  • Custom attestation / device identity / anti-cloning
    Your certificate chain & attestation keys so devices can prove: “I’m officially from <Your Company>”.
  • Virtualization / internal cloud deployment
    Run as a VM, container, or private service (“internal HSM/auth backend”) for multiple teams/tenants under your brand.
  • Hierarchical deterministic key derivation (HD)
    Wallet-style trees (BIP32-like concepts adapted to this platform) for per-user / per-tenant / per-purpose subkeys without exporting the root; ideal for firmware signing trees, tenant isolation, large fleets.
  • Post-quantum (PQC) credential handling
    Integration/roadmap support for PQC auth/signature algorithms and secure PQC key storage in device/service.
  • Cryptographically signed audit trail
    Tamper-evident logging of key usage, provisioning, PIN resets, revocations — for forensics/compliance.
  • Dual-control / two-person approval (“four-eyes”)
    Require multiple approvers for high-risk operations (firmware signing, key export, policy changes).
  • Secure key escrow / disaster recovery
    Split-secret or escrowed backup so you don’t lose critical signing capability if hardware/admins are lost.
  • Release-signing / supply-chain hardening
    Reference toolchain & process to ensure every production binary/firmware is hardware-signed with provenance.
  • Policy-locked hardened mode (“FIPS-style profile”)
    Restricted algorithms, debug disabled, no raw key export, tamper-evident configuration for high-assurance deployments.
  • Priority security-response SLA
    Direct line + guaranteed response window for production-impacting issues.
  • White-label demo / pre-sales bundle
    Branded demo firmware + safe onboarding script to show “your product” to customers without exposing real secrets.

Deployment models

  • Embedded: flash onto supported boards for devices/tokens at the edge.
  • Appliance/OEM: bundle into your hardware/software product.
  • Internal service: run as VM/container/private cloud for multiple internal teams/tenants.
  • Hybrid: mix physical tokens + service backends (e.g., issuance, audit, policy).

Licensing models & pricing

  • Internal Use License
    For production use within a single legal entity, including internal VM/container/private-cloud deployments. Includes the base package; optional components available on demand.
  • OEM / Redistribution / Service License
    For embedding into a product/appliance you ship to customers, or operating as a hosted/managed service for external clients. Includes the base package; optional components available on demand.

Do we have to open-source our internal integration?

No. The Enterprise license removes AGPLv3 disclosure obligations for your modifications/integration.

Can we run this as an internal service for multiple teams?

Yes. That’s a common Enterprise deployment (VM/container/private cloud).

Can we ship this inside our product?

Yes — that’s the OEM / Redistribution / Service license.

Do you support post-quantum algorithms?

We offer PQC handling as an optional component (on demand), including secure storage and integration guidance.

Can we get dual-control and audit logs for compliance?

Yes — both Dual-control and Signed audit trail are available as optional components.

What about disaster recovery if an admin leaves?

Use the Secure key escrow add-on (split-secret/escrowed backups).

Do you provide support SLAs?

A Priority security-response SLA is available as an optional component.

Contact

Email me! [email protected] — Subject: ENTERPRISE LICENSE <Your Company>
Include: company & country, intended use (Internal / OEM / Service), rough scale (devices/users/tenants), and any optional components you’re interested in.
