Open Source Go Cryptography Software

kcptun is a stable and secure tunnel based on KCP with N:M multiplexing and FEC. Available for ARM, MIPS, 386 and AMD64. kcptun is shipped with builtin packet encryption powered by various block encryption algorithms and works in Cipher Feedback Mode, for each packet to be sent, the encryption process will start from encrypting a nonce from the system entropy, so encryption to same plaintexts never leads to a same ciphertexts thereafter. kcptun made use of ReedSolomon-Codes to recover lost packets, which requires massive amount of computation, a low-end ARM device cannot satisfy kcptun well. To unleash the full potential of kcptun, a multi-core x86 homeserver CPU like AMD Opteron is recommended. If you insist on running under some ARM routers, you'd better turn off FEC and use salsa20 as the encryption method.

trillian is a transparent, cryptographically verifiable data store built on Merkle trees that provides append-only logs and verifiable key–value maps. It separates a storage layer from a verifiability layer, letting applications prove inclusion, consistency, and non-existence through compact cryptographic proofs. The system is designed for horizontal scale with gRPC APIs, enabling multiple frontends and sequencers to operate over a shared backend. Common use cases include certificate transparency, package registries, and audit logs where public verifiability or tamper evidence is required. Trillian exposes both “log” and “map” primitives so developers can choose between append-only timelines or verifiable dictionaries depending on their data model. By making verification independent of trust in the operator, trillian helps build systems that are auditable by external parties.

yubikey-agent is a seamless SSH agent specifically built for secure hardware tokens such as YubiKey (and other PIV tokens). It aims to replace the standard SSH agent with a version tailored for these security devices; the key is generated on the hardware token (so it can’t be extracted), every session requires a PIN and a physical touch, and the agent is resilient to unplugging, sleep/suspend, and restarts. Setup is simple, one command and one environment variable, and then the agent just runs in the background. Because it uses pure Go and leverages libraries like go-piv/piv-go and golang.org/x/crypto/ssh, it works across platforms and integrates cleanly into SSH workflows. For developers or administrators who prioritize hardware-based SSH key security, this tool lowers the friction of using secure tokens in day-to-day SSH workflows. It also supports modern best practices in SSH authentication and brings stronger guarantees of key security in a user-friendly interface.