#Klutshnik v0.4.1 is out.

Klutshnik is a Key Mgmnt Service 4 data-at-rest. Keys r stored in a threshold setup & r never reconstructed, only used in operations that hide their values. These keys r cheaply & securely updatable without reencrypting the encrypted data, providing forward-secrecy & post-compromise security. Klutshnik servers can use TLS, USB or BLE.

https://github.com/stef/klutshnik/releases/tag/v0.4.1
https://github.com/stef/klutshnik-zephyr/releases/tag/v0.4.1

check the updated site: https://klutshnik.info

#crypto previously funded by #ngi0 #nlnet
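
An added example, not part of the original posts and not Klutshnik's code or protocol: a generic sketch of how a key can be used through its threshold shares without being reconstructed, and how shares can be rotated without re-encrypting data. The toy group, all function names, and the dealer-style sharing and update (a real deployment would use a DKG) are assumptions made for illustration.

```python
import secrets

# Toy group (assumption, far too small for real use): P = 2Q + 1 is a safe
# prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def share_key(k, t, n):
    """Shamir-share k over Z_Q; any t of the n shares determine k."""
    coeffs = [k] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def server_eval(share, blinded):
    """Runs on one server: it sees a blinded element and uses only its share."""
    return pow(blinded, share, P)

def threshold_eval(w, shares, ids):
    """Client side: obtain w^k from the servers in ids; k is never assembled."""
    r = secrets.randbelow(Q - 1) + 1                 # blinding factor
    blinded = pow(w, r, P)
    out = 1
    for i in ids:                                    # interpolate in the exponent
        reply = server_eval(shares[i], blinded)
        out = out * pow(reply, lagrange_at_zero(i, ids), P) % P
    return pow(out, pow(r, -1, Q), P)                # unblind

def rotate(shares, w, delta):
    """Key update k -> k*delta: each share is scaled and the stored header w is
    adjusted so that w'^(k*delta) == w^k; the data key and data stay as is."""
    new_shares = {i: s * delta % Q for i, s in shares.items()}
    return new_shares, pow(w, pow(delta, -1, Q), P)

def demo():
    k = secrets.randbelow(Q - 1) + 1                 # dealer shortcut, demo only
    shares = share_key(k, 3, 5)                      # 3-out-of-5 setup
    w = pow(G, secrets.randbelow(Q - 1) + 1, P)      # constructed ciphertext header
    before = threshold_eval(w, shares, [1, 3, 5])
    new_shares, new_w = rotate(shares, w, secrets.randbelow(Q - 1) + 1)
    after = threshold_eval(new_w, new_shares, [2, 3, 4])
    return before == pow(w, k, P), before == after
```

`demo()` returns `(True, True)`: any three servers yield the same value as the undivided key would, and after rotation the new shares with the updated header still yield the same data key.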

pretty cool, i just created a #klutshnik 3-out-of-5 setup with an rp2350, teensy40, teensy41, xiao_esp32s3 and a generic tcp-based server, and my test script runs through successfully. getting there i found a bunch of gotchas that i polished away. so, yay \o/

new #klutshnik website dropped a few days ago, but it described a few - back then - vaporware things, which are all real now. if you ever wondered wtf this #klutshnik thing is, but were too busy to watch a video, or read an academic paper, here is a website, you'll be too busy to read: https://klutshnik.info/

submitted a #talk about practical threshold OPRF deployments (#klutshnik & #sphinx, and maybe a little opaque) to #39c3 - let's see if it gets admitted.

next milestone on the #klutshnik ride is to set up a system with each of those supported embedded controllers, 1-2 rpi images (see https://github.com/stef/klutshnik/tree/master/images/klutshnik-sbox-rpi) and 1-2 of the native zig servers somewhere online, and run the test suite against this heterogeneous setup.

yippie-kee-yay! just added teensy4.0 support to #klutshnik #zephyr - the 4.0 is smaller and cheaper than the 4.1 but comes with the same powerful cortex-m7 mcu. with this change klutshnik now runs on 4 different embedded systems: xiao_esp32s3, rpi pico2 (w) and the teensy4.1 and teensy4.0. \o/

also rewrote the provisioning interface which is now a proper shell on usb cdc-acm.

check it out on #radicle
rad:z2EBBi4vui98QV8Mk8DT3c25yZbJ4

or on the ms-trap: https://github.com/stef/klutshnik-zephyr


wooohooo, just released v0.3.0 of #klutshnik. the client now supports connections to servers over USB serial, and there is now support for aarch64 #raspberrypi images. check it out: https://github.com/stef/klutshnik/releases/tag/v0.3.0

the rpi image builder: https://github.com/stef/klutshnik/tree/master/images/klutshnik-sbox-rpi

the rpi images come with a very reduced attack surface, providing excellent physical isolation, and also further hardening using seccomp bpf rules for klutshnik.


This release adds: support for USB serial connections from the client, support for pre-installed images for raspberry pi 3+ various fixes.

woohoo, got #klutshnik running on a teensy over usb!
wooohooo, #klutshnik end-to-end tests successfully run with a peer on a xiao esp32s3 over BLE using zephyr!

\o/ i just did a 5-way DKG with one of the "servers" being a xiao esp32s3 over bluetooth LE! \m/

i'm porting #klutshnik to #zephyr. it's not very quick, takes a few seconds, but this is the creation of a key. decrypting should be much quicker. also i expect this to be faster when done over usb. this is an early PoC, loads of features missing before it can be deployed in production.