The Red Hat Ecosystem Catalog is the official source for discovering and learning more about the Red Hat Ecosystem of both Red Hat and certified third-party products and services.
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

enclaive vHSM (Virtual Hardware Security Module) is a software-based security solution.
The enclaive vHSM is a software-defined Hardware Security Module built on Confidential Computing. It executes cryptographic operations — key generation, storage, signing, and secret management inside hardware-isolated Trusted Execution Environments (TEEs), protecting data at rest, in transit, and in use (3D encryption). Cloud-native and vendor-agnostic, it deploys across any multi-cloud, edge, or on-premises environment without lock-in. It consists of two modules: enclaive Vault for cross-cloud key and secrets management (HYOK/BYOK); and enclaive Nitride for workload identity and remote attestation, ensuring only cryptographically verified workloads access protected resources. Trust is hardware-proven, not assumed.
Unlike software-only key managers, the enclaive vHSM executes all cryptographic operations inside hardware-isolated Trusted Execution Environments (TEEs). Keys never leave the encrypted enclave, inaccessible to the cloud provider, hypervisor, or any privileged operator. This delivers true Data-in-Use protection (3D encryption) that no traditional KMS can match.
Before any workload accesses keys or secrets, enclaive Nitride cryptographically verifies its identity and integrity via remote attestation. Only unmodified, approved workloads receive access. Any tampering (at boot, runtime, or supply-chain level) is detected and blocked automatically, with a signed audit trail.
The enclaive vHSM is infrastructure-agnostic, deployable on AMD, Intel, ARM, or NVIDIA processors across any major cloud, edge, or on-premises environment. No vendor lock-in, no hardware dependency. The same security posture and policies apply consistently across geographically distributed multi-cloud architectures.
For organisations requiring a hardware root of trust, the vHSM integrates seamlessly with physical HSMs via PKCS#11, combining hardware security with cloud-native agility. This bridges legacy HSM infrastructure and modern cloud deployments without replacing existing investments.
The vHSM supports classical (RSA, ECC, AES) and Post-Quantum Cryptography (PQC) algorithms, adapting to evolving standards without re-architecting. Failed instances self-heal automatically, replaced within the cluster with encrypted storage redundantly replicated and re-sealed, ensuring continuous availability across clouds and data centres.
Red Hat certified products are tested to meet Red Hat’s criteria and supported as defined in the Red Hat Collaborative Support Process.
Partner validated products are tested by Red Hat Partners and supported as defined in the Red Hat Third Party Component Policy.
Red Hat OpenShift 4.7+
A virtual HSM combines enclaive Vault key, identity and access management with Nitride workload identity access management in a single service with hardware graded security and confidential buckypaper virtualization tailored to the private, hybrid multi-cloud settings.
Buckypaper Virtualization
In the cloud context, the atomic execution environment is considered to be a Virtual Machine (VM). A VM is an isolated, self-contained environment that provides the abstraction of a full-fledged physical machine. It runs on top of a hypervisor, which virtualizes the underlying hardware resources. VMs offer strong isolation, as each VM has its own operating system, file system, and network stack. This makes them an atomic unit of execution because they encapsulate everything needed for an application to run, independent of other VMs on the same physical server.
Buckypaper VMs shield the workload in an execution environment and ensure both confidentiality and integrity of the execution. This means that at all times, the data and code must remain encrypted and safeguarded from unauthorized modifications, whether in memory, on a storage volume, or during network communication. The service can only be fully protected from threats if these measures are consistently applied throughout the entire lifecycle of key management, identity management, and access control.
Deploying cloud-native applications introduces new challenges in key, identity, and access management, as well as key protection mechanisms such as Hardware Security Modules and Bring Your Own Key. These challenges become particularly pronounced in multi-cloud environments, where traditional solutions often fall short.
Some of the key problems include:
Single Point of Trust: Single Point of Trust: Organizations must ultimately trust the cloud service provider (CSP) to securely manage their keys and identity systems in a "take-it-or-leave-it" approach. This trust extends to the CSP’s internal personnel, including engineers, DevOps, and DevSecOps teams, who may have access to these systems. As a result, organizations must accept the potential risks associated with having multiple, often unknown, individuals who might gain access to their sensitive data and services.
Single Point of Attack: CSPs handle a vast number of clients, making them attractive targets for attacks, espionage, or compromise. In the past, targeting individual businesses required substantial effort and resources, but with the shift to cloud services, the economics of attacks have changed. Once attackers find vulnerabilities in a CSP's infrastructure, they can potentially gain access to multiple organizations at once.
Single Point of Ecosystem: CSPs promote their extensive portfolios of managed services, creating a comprehensive ecosystem that often leads to vendor lock-in. As organizations increasingly adopt cloud solutions, they risk becoming overly dependent on a specific provider's proprietary tools, APIs, and architectures. This dependency makes it difficult and costly to switch to other cloud platforms, limiting operational flexibility and long-term competitiveness.
In today's rapidly evolving digital landscape, securing sensitive data and controlling access to critical systems are top priorities for organizations of all sizes. Key, Identity, and Access Management (e.g. Azure Entra ID, Google Cloud KMS) forms the cornerstone of cybersecurity strategies, ensuring that the right individuals and systems have appropriate access to resources, while unauthorized users are kept at bay. Effective IAM practices are crucial for maintaining the confidentiality, integrity, and availability of data across distributed environments, such as cloud services, on-premise infrastructures, and hybrid models.
At the core of Identity and Access Management (IAM) is the ability to verify and authenticate users, assign roles and permissions, and manage user identities throughout their lifecycle. By combining IAM with strong key management practices and leveraging tools like HSMs and BYOK, organizations can build a robust security framework that ensures secure access to systems and data, reduces the risk of unauthorized access, and simplifies the enforcement of regulatory compliance.
Central to IAM is the concept of key management, which involves generating, distributing, storing, and rotating cryptographic keys that safeguard data. Proper key management ensures that encryption keys are protected against unauthorized access, preventing data breaches and unauthorized decryption of sensitive information. The loss or compromise of a key can lead to devastating consequences, making it essential for organizations to implement stringent key management practices.