Botan (Japanese for peony flower) is a cryptography library released under the permissive Simplified BSD license.
Botan's goal is to be the best option for production cryptography by offering the tools necessary to implement a range of practical systems, such as TLSv1.3, X.509 PKI, modern AEAD ciphers, support for PKCS#11 and TPM hardware, memory-hard password hashing, and post quantum cryptography. All of this is covered by an extensive test suite, including an automated system for detecting side channels.
It comes out of the box with C++, C, and Python APIs, and several other language bindings are available. The library is accompanied by a featureful command line interface. Consult the documentation for more information.
Development is coordinated on GitHub and contributions are welcome. If you need help, please open an issue on GitHub. If you think you have found a security issue, see the security page for contact information.
All releases are signed with a PGP key. See the release notes for what's new.
Botan is also available through most distributions such as Fedora, Debian, Arch and Homebrew.
New minor releases of Botan3 are made quarterly, normally on the first Tuesday of February, May, August, and November.
The latest release from the Botan3 release series is 3.6.1 (sig), released on 2024-10-26.
Botan2 has, as of 2025-1-1, reached end of life. No further releases are expected.
The latest release from the Botan2 release series is 2.19.5 (sig), released on 2024-07-08.
- TLS v1.2/v1.3, and DTLS v1.2
- Supported extensions include session tickets, SNI, ALPN, OCSP stapling, encrypt-then-mac CBC, and extended master secret.
- Supports authentication using certificates or preshared keys (PSK)
- Supports record encryption with modern AEAD modes as well as legacy CBC ciphersuites.
- TLS 1.3 supports hybrid post-quantum key exchange using ML-KEM or FrodoKEM
- X.509v3 certificates and CRL creation and handling
- PKIX certificate path validation, including name constraints
- OCSP request creation and response handling
- PKCS #10 certificate request generation and processing
- Access to Windows, macOS and Unix system certificate stores
- SQL database backed certificate store
- RSA signatures and encryption
- DH, ECDH, X25519 and X448 key agreement
- Signature schemes ECDSA, DSA, Ed25519, Ed448, ECGDSA, ECKCDSA, SM2, GOST 34.10
- Post-quantum signature schemes ML-DSA (Dilithium), SLH-DSA (SPHINCS+), HSS/LMS, XMSS
- Post-quantum key encapsulation schemes ML-KEM (Kyber), FrodoKEM, Classic McEliece
- ElGamal encryption
- Padding schemes OAEP, PSS, PKCS #1 v1.5, X9.31
- Authenticated cipher modes EAX, OCB, GCM, SIV, CCM, (X)ChaCha20Poly1305
- Cipher modes CTR, CBC, XTS, CFB, OFB
- Block ciphers AES, ARIA, Blowfish, Camellia, CAST-128, DES/3DES, IDEA, SEED, Serpent, SHACAL2, SM4, Threefish-512, Twofish
- Stream ciphers (X)ChaCha20, (X)Salsa20, RC4
- Hash functions SHA-1, SHA-2, SHA-3, RIPEMD-160, BLAKE2b/BLAKE2s, Skein-512, SM3, Whirlpool
- Password hashing schemes Argon2, Scrypt, bcrypt, and PBKDF2
- Authentication codes HMAC, CMAC, Poly1305, KMAC, SipHash, GMAC
- Non-cryptographic checksums Adler32, CRC24, CRC32
- Full C++ PKCS #11 API wrapper
- Interfaces for TPM v1.2 and v2.0 device access
- Simple compression API wrapping zlib, bzip2, and lzma libraries
- RNG wrappers for system RNG and hardware RNGs
- HMAC_DRBG and entropy collection system for userspace RNGs
- SRP-6a password authenticated key exchange
- Key derivation functions including HKDF, KDF2, SP 800-108, SP 800-56A, SP 800-56C
- HOTP and TOTP algorithms
- Format preserving encryption scheme FE1
- Threshold secret sharing
- Roughtime client
- Zfec compatible forward error correction encoding
- Encoding schemes including hex, base32, base64 and base58
- NIST key wrapping
- Boost.Asio compatible TLS client stream
