# Crypto Profile Configuration ยท 2025-12-11 How to pick regional crypto profiles, choose between free/paid providers, and enable simulations while hardware or licenses are pending. ## Quick selectors - Compliance profile (hash/sign policy): `STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=world|fips|gost|sm|kcmvp|eidas` (or config `Crypto:Compliance:ProfileId`). - Registry ordering: set `StellaOps:Crypto:Registry:ActiveProfile` (env: `STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE`) and `PreferredProviders`. - Simulation toggle: `STELLAOPS_CRYPTO_ENABLE_SIM=1` (adds `sim.crypto.remote` to the registry); `STELLAOPS_CRYPTO_SIM_URL=http://host:8080` if the simulator runs remotely. ## Step-by-step: pick a region 1) Choose the compliance profile ID and set `STELLAOPS_CRYPTO_COMPLIANCE_PROFILE`. 2) Set `StellaOps:Crypto:Registry:ActiveProfile` to the region (see table below) and order the `PreferredProviders`. 3) Decide on provider type: - Free/OSS: OpenSSL GOST (RU), SM soft, PQ soft, FIPS/eIDAS/KCMVP soft baselines. - Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available. See `docs/legal/crypto-compliance-review.md` for licensing/export notes. - Simulation: enable `STELLAOPS_CRYPTO_ENABLE_SIM=1` and point `STELLAOPS_CRYPTO_SIM_URL` to `sim-crypto-service`. 4) Apply any provider-specific env (e.g., `CRYPTOPRO_ACCEPT_EULA=1`, `SM_SOFT_ALLOWED=1`, `PQ_SOFT_ALLOWED=1`, PKCS#11 PINs). 5) Capture evidence: JWKS export + `CryptoProviderMetrics` + fixed-message sign/verify logs. 6) If you only need a smoke check without full tests, run `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` against a running simulator (see `SIM_PROFILE`/`SIM_ALGORITHMS` below). ## Choosing a region | Region | Compliance profile | Registry profile / providers | Free vs paid | Simulation | | --- | --- | --- | --- | --- | | RU (OSS) | `gost` | `ActiveProfile: ru-offline`; providers: `ru.openssl.gost`, `ru.pkcs11` | Free (OpenSSL) path on Linux. Optional remote signer: set `STELLAOPS_RU_OPENSSL_REMOTE_URL=http://host:9090` (see `docs/security/openssl-gost-remote.md`). | `STELLAOPS_CRYPTO_ENABLE_SIM=1`; sim covers GOST12 + Magma/Kuznyechik when hardware/licensing is unavailable. | | RU (CryptoPro paid) | `gost` | Same profile; ensure `ru.cryptopro.csp` registered. | Linux-only CSP service: bind customer `.deb` packages to `/opt/cryptopro/downloads`, set `CRYPTOPRO_ACCEPT_EULA=1`, run `ops/cryptopro/linux-csp-service`. Licensing model documented in `docs/legal/crypto-compliance-review.md`. | Use simulator until licenses are supplied. | | CN (SM) | `sm` | `ActiveProfile: sm`; providers: `cn.sm.soft` (env `SM_SOFT_ALLOWED=1`), optional PKCS#11. | Hardware/PKCS#11 wiring in `docs/security/sm-hardware-simulation.md`. | `sim-crypto-service` handles `SM2` (`sim.crypto.remote`). | | FIPS (US) | `fips` | Providers: `fips.ecdsa.soft` (env `FIPS_SOFT_ALLOWED`), KMS/OpenSSL FIPS when available. | Certified module runbook: `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator covers `ES256/384/512` (`sim.crypto.remote`). | | eIDAS (EU) | `eidas` | Providers: `eu.eidas.soft` (env `EIDAS_SOFT_ALLOWED`). | QSCD bring-up in `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator (`sim.crypto.remote`) until QSCD arrives. | | KCMVP (KR) | `kcmvp` | Providers: `kr.kcmvp.hash` (env `KCMVP_HASH_ALLOWED=1`), future KCDSA/ARIA/SEED module. | Hardware flow in `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator (`sim.crypto.remote`) while awaiting certified module. | | PQ addenda | (overlay) | Enable via `PQ_SOFT_ALLOWED=1`; provider `pq.soft`. | Uses liboqs/BouncyCastle soft providers. | Simulator available via `sim.crypto.remote` if you want a remote signer. | ## Sample config (appsettings.json) ```json { "StellaOps": { "Crypto": { "Registry": { "ActiveProfile": "ru-offline", "PreferredProviders": [ "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ] }, "Sim": { "BaseAddress": "http://localhost:8080" } }, "Compliance": { "ProfileId": "gost", "StrictValidation": true } } } ``` ## Licensing and hardware notes - CryptoPro: customer-provided `.deb` packages, Linux only. Accept EULA via `CRYPTOPRO_ACCEPT_EULA=1`; service wrapper at `ops/cryptopro/linux-csp-service`. Licensing/export posture is in `docs/legal/crypto-compliance-review.md`. - SM hardware: bring-up and PKCS#11 wiring in `docs/security/sm-hardware-simulation.md`. - FIPS/eIDAS/KCMVP hardware/QSCD: runbook in `docs/security/fips-eidas-kcmvp-validation.md`. - OpenSSL GOST remote signer (OSS baseline) in `docs/security/openssl-gost-remote.md`. ## Simulation guidance - Default simulator: `ops/crypto/sim-crypto-service` + provider `sim.crypto.remote` (see `docs/security/crypto-simulation-services.md`). - Use the simulator to close sprints until certified evidence is available; keep "non-certified" labels in RootPack manifests. - Quick simulation steps: 1) `docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service` 2) `docker run --rm -p 8080:8080 sim-crypto` 3) Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080` 4) Keep `sim.crypto.remote` first in `PreferredProviders` for the target profile. 5) Optional smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release` with `SIM_PROFILE=ru-free|ru-paid|sm|eidas|fips|kcmvp|pq` and optional `SIM_MESSAGE`/`SIM_ALGORITHMS`. ## Evidence expectations - JWKS export from Authority/Signer for the active profile. - `CryptoProviderMetrics` showing the chosen provider ID (oss, paid, or sim). - Fixed-message signing/verification logs (`stellaops-crypto-profile-check`) for audit trails.