# Crypto compliance

## Profiles

- world (default), fips, gost, sm, kcmvp, eidas, pq (software only).
- Each profile selects hash and signing algorithms by purpose.
- Profiles are mutually exclusive per deployment.

## Profile selection

- Crypto:ProfileId in config or STELLAOPS_CRYPTO_PROFILE environment variable.

## Algorithm mapping highlights

- Graph hashing uses BLAKE3 only in world profile; others use SHA-256 or regional hashes.
- Interop hashes and webhook HMACs always use SHA-256 for external compatibility.
- Password hashing uses Argon2id by default; PBKDF2-SHA256 is used for FIPS profile.

## Provider gating

- Software providers are allow-listed and flagged non-certified until hardware modules are attached.
- Regional profiles (gost, sm, kcmvp, eidas) require explicit enablement gates.
- PQ profile uses software primitives only; certified PQ hardware is not assumed.

## Distribution and licensing notes

- GOST support is distributed in a separate RootPack_RU variant.
- CryptoPro CSP is customer-provided and not redistributed by StellaOps.
- Operators must accept vendor EULAs and provide licensed binaries when required.

## Export control posture

- Default distributions ship with widely available algorithms.
- Regional algorithms are opt-in and documented as customer responsibility.

## Related references

- docs/security/crypto-compliance.md
- docs/legal/crypto-compliance-review.md
- docs/security/crypto-profile-configuration.md