EHLS — Ephemeral Hardware-Locked Streaming · How it works

EHLS/ 01 · Manufacturer

Manufacturers in your network print on demand.

Step 01 · Enrol your printer
Step 02 · Browse licensed parts
Step 03 · Slice for your printer
Step 04 · Press print
Every completed print produces a signed quality certificate — verifiable on any device, hardware-bound to the machine that ran it.
EHLS/ 02 · OEM

You own the design. The file never leaves the platform.

Step 01 · Upload an STL
Step 02 · Issue a licence
Step 03 · Watch the print
Step 04 · Revoke a licence
Every certificate on every print, signed by the platform — your audit trail writes itself.

Features

01
Security · No file ever lands. Per-printer encryption. Telemetry-verified physical execution.
Crypto & Stream Lifecycle
01 · No file lands

No file ever touches the printer's disk.

Each G-code segment is decrypted into a memory-locked buffer inside the gateway, streamed line by line to the printer through Moonraker's gcode/script endpoint, which executes the text it receives without writing it to the printer's virtual SD card, and overwritten as soon as telemetry confirms physical execution.

Moonraker's POST /printer/gcode/script runs the G-code carried in the request (EHLS sends one line per call) instead of uploading a file for Klipper's virtual_sdcard to read. Memory-locked buffers (mlock on Linux, VirtualLock on Windows) keep plaintext out of swap, and each segment is overwritten in multiple passes once it has executed. Locking keeps a buffer off disk; it does not hide it from a debugger or crash dump on the same host, so the gateway process itself sits inside the trust boundary.
EHLS/ Gateway
K1C-FA92
12:42:08.103  RECV    segment 0413 · 1.21 KB · aes-256-gcm
12:42:08.211  CRYPTO  decrypt segment 0413 · ok
12:42:08.218  EXEC    G1 X120.4 Y89.2 E0.0024 F1800
12:42:08.225  EXEC    G1 X121.0 Y89.5 E0.0028 F1800
12:42:08.412  WIPE    segment 0413 → 0 KB · 3 passes
12:42:08.508  RECV    segment 0414 · 1.18 KB · aes-256-gcm
02 · Hardware-locked

The decryption key is locked to a specific physical machine.

Before a print starts, the engine fingerprints the device: CPU serial, firmware version, board serial, plus a thermal/motion behavioural snapshot. The session key is HKDF-derived from that fingerprint plus a fresh nonce, so another printer cannot decrypt the segments even with the ciphertext in hand. Serials and timings are identifiers rather than secrets, so the binding is only as strong as the secret material that enrolment ties to them; a fingerprint on its own could be reproduced by anyone able to read the printer's board.

HKDF-SHA256 over canonical MIP bytes. AES-256-GCM segments with per-segment IVs; each IV is HMAC-chained to the previous segment and the sequence number is authenticated, so a reordered, dropped or replayed segment fails verification.
Machine Identity Profile · K1C-FA92
CPU serial      0x4af8…b21e
Firmware        Klipper v0.12.0
Board ID        CR4SU200382C13
Thermal rise    τ = 7.2 s
Homing timing   182.4 ms
Bed-mesh σ      0.018 mm
HKDF-SHA256 → machine_id · 8b1f4c2e…a04d9f
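The derivation and chain binding described in sections 01 and 02, as an added example that is not EHLS code. It assumes the MIP is a flat dict canonicalised as sorted-key JSON, that an enrolment secret held only by the enrolled gateway enters the derivation alongside the MIP, and, because it uses only the standard library, it substitutes an HMAC-SHA256 keystream for the page's AES-256-GCM; the key derivation, the HMAC-chained IVs and the authenticated sequence numbers are what it demonstrates. All sample values are constructed.

```python
"""Added example, not EHLS code: machine-bound session keys from a canonical
MIP, plus a per-segment chain so that ciphertext moved to another printer or
delivered out of order fails verification. Stdlib only: an HMAC-SHA256
keystream stands in for AES-256-GCM (an assumption, not the page's cipher)."""
import hashlib
import hmac
import json
import os


def canonical_mip(mip: dict) -> bytes:
    # Sorted keys and no whitespace: engine and gateway must hash identical bytes.
    return json.dumps(mip, sort_keys=True, separators=(",", ":")).encode()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()        # HKDF-Extract (RFC 5869)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                   # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def session_keys(mip: dict, enrol_secret: bytes, nonce: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one (secret, MIP, nonce) triple.
    enrol_secret is assumed: serials are identifiers, not secrets, so without it
    anyone able to read the printer's board could rederive the keys."""
    ikm = enrol_secret + canonical_mip(mip)
    return (hkdf_sha256(ikm, nonce, b"ehls/segment-enc"),
            hkdf_sha256(ikm, nonce, b"ehls/segment-mac"))


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode PRF output; stand-in for a real cipher's CTR keystream.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _chain_iv(mac_key: bytes, prev_tag: bytes, seq: int) -> bytes:
    # IV derived from the previous tag and the sequence number: a segment only
    # verifies in the slot its predecessor produced.
    return hmac.new(mac_key, prev_tag + seq.to_bytes(4, "big"), hashlib.sha256).digest()[:12]


def _tag(mac_key: bytes, seq: int, iv: bytes, prev_tag: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, seq.to_bytes(4, "big") + iv + prev_tag + ct, hashlib.sha256).digest()


def encrypt_segments(segments: list[bytes], enc_key: bytes, mac_key: bytes) -> list[dict]:
    records, prev_tag = [], b"\x00" * 32
    for seq, plain in enumerate(segments):
        iv = _chain_iv(mac_key, prev_tag, seq)
        ct = _xor(plain, _keystream(enc_key, iv, len(plain)))
        tag = _tag(mac_key, seq, iv, prev_tag, ct)
        records.append({"seq": seq, "iv": iv, "ct": ct, "tag": tag})
        prev_tag = tag
    return records


def decrypt_stream(records: list[dict], enc_key: bytes, mac_key: bytes) -> list[bytes]:
    """Verify-then-decrypt in order; raises ValueError on the first bad segment."""
    out, prev_tag = [], b"\x00" * 32
    for expected_seq, rec in enumerate(records):
        ok = (rec["seq"] == expected_seq
              and rec["iv"] == _chain_iv(mac_key, prev_tag, expected_seq)
              and hmac.compare_digest(rec["tag"], _tag(mac_key, expected_seq, rec["iv"], prev_tag, rec["ct"])))
        if not ok:
            raise ValueError(f"segment {expected_seq}: chain or authentication failure")
        out.append(_xor(rec["ct"], _keystream(enc_key, rec["iv"], len(rec["ct"]))))
        prev_tag = rec["tag"]
    return out


def try_decrypt(records: list[dict], mip: dict, enrol_secret: bytes, nonce: bytes):
    """What a given printer recovers from the stream: the segments, or None."""
    enc_key, mac_key = session_keys(mip, enrol_secret, nonce)
    try:
        return decrypt_stream(records, enc_key, mac_key)
    except ValueError:
        return None


# Constructed sample data (illustrative values, not a real K1C profile).
MIP_A = {"cpu_serial": "0x4af8b21e", "firmware": "Klipper v0.12.0", "board_id": "CR4SU200382C13"}
MIP_B = dict(MIP_A, board_id="CR4SU200399Z99")          # a second, similar printer
ENROL_SECRET = b"constructed-enrolment-secret"
SEGMENTS = [b"G1 X120.4 Y89.2 E0.0024 F1800\n", b"G1 X121.0 Y89.5 E0.0028 F1800\n", b"M104 S210\n"]

if __name__ == "__main__":
    nonce = os.urandom(16)
    recs = encrypt_segments(SEGMENTS, *session_keys(MIP_A, ENROL_SECRET, nonce))
    print("enrolled printer:", try_decrypt(recs, MIP_A, ENROL_SECRET, nonce) == SEGMENTS)
    print("other printer:   ", try_decrypt(recs, MIP_B, ENROL_SECRET, nonce))
    print("reordered:       ", try_decrypt([recs[0], recs[2], recs[1]], MIP_A, ENROL_SECRET, nonce))
```

Two design points carry over to a real AES-GCM implementation: derive distinct keys per purpose from one HKDF input (here encryption and MAC), and make the sequence number and the previous tag part of what is authenticated (in GCM that is the associated data), so the check fails on a swap or a gap rather than silently executing G-code in the wrong order.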
03 · Telemetry verified

Live telemetry verification — no proxy device can fake a print.

Every segment delivered must produce a measurable physical change (toolhead position, extruder position, heater target) within a configurable window. If the device accepts bytes but nothing moves, the engine flags a proxy-extraction attempt and emergency-purges the remaining buffer. This defeats a device that only stores bytes; it is not a defence against someone who prints for real while also reading plaintext out of the gateway process on a host they control, which is why plaintext is confined to locked, short-lived buffers.

Each segment is parsed for the effect it should have (a move, an extrusion, a heater change) and that effect is checked against the K1C's telemetry stream, polled at 1 Hz. At that rate a check window necessarily spans several samples, so the gate is applied per segment rather than per line.
Telemetry gate · per segment · K1C-FA92
seg 0411   toolhead Δ verified   ✓   18 ms
seg 0412   heater Δ verified     ✓   22 ms
seg 0413   toolhead Δ verified   ✓   14 ms
seg 0414   no motion detected    ✗   ABORT
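The per-segment gate just described, as an added example rather than EHLS's own code. The telemetry sample shape, the movement thresholds and the 3 s window are assumptions, and the telemetry below is constructed: a real print for the first seconds, then a device that keeps accepting bytes while nothing moves.

```python
"""Added example, not EHLS code: parse each segment for the physical effect it
must cause (toolhead move, extrusion, heater change) and look for that effect
in 1 Hz telemetry within a window after delivery. Sample shape and thresholds
are assumptions; the telemetry below is constructed."""
import re
from dataclasses import dataclass

_MOVE = re.compile(r"^G[01]\b")
_HEAT = re.compile(r"^M(?:104|109|140|190)\b")
_WORD = re.compile(r"([XYZES])(-?\d+(?:\.\d+)?)")


def expected_effects(segment: str) -> set[str]:
    """Which of toolhead / extruder / heater this segment must visibly change.
    Only the common commands are modelled; anything else adds no requirement."""
    effects = set()
    for line in segment.splitlines():
        line = line.split(";", 1)[0].strip()          # strip G-code comments
        if not line:
            continue
        words = dict(_WORD.findall(line))
        if _MOVE.match(line):
            if words.keys() & {"X", "Y", "Z"}:
                effects.add("toolhead")
            if "E" in words and float(words["E"]) != 0.0:
                effects.add("extruder")
        elif line.startswith("G28"):                  # homing always moves
            effects.add("toolhead")
        elif _HEAT.match(line) and "S" in words:
            effects.add("heater")
    return effects


@dataclass
class Sample:
    t: float          # seconds since session start
    pos: tuple        # toolhead (x, y, z) in mm
    e: float          # extruder position in mm
    target: float     # active heater target in °C


def observed_effects(samples: list[Sample], t0: float, window: float,
                     min_move: float = 0.05, min_extrude: float = 0.001) -> set[str]:
    """Effects seen between the last sample at/before t0 and t0 + window."""
    before = [s for s in samples if s.t <= t0]
    base = before[-1] if before else samples[0]
    seen = set()
    for s in samples:
        if not (t0 < s.t <= t0 + window):
            continue
        if max(abs(a - b) for a, b in zip(s.pos, base.pos)) >= min_move:
            seen.add("toolhead")
        if abs(s.e - base.e) >= min_extrude:
            seen.add("extruder")
        if s.target != base.target:
            seen.add("heater")
    return seen


def gate(segment: str, samples: list[Sample], t_delivered: float,
         window: float = 3.0) -> tuple[str, set[str]]:
    """'verified' when every required effect was observed, else 'ABORT' plus the
    effects that never showed up. A segment with no physical content passes."""
    missing = expected_effects(segment) - observed_effects(samples, t_delivered, window)
    return ("verified" if not missing else "ABORT"), missing


# Constructed 1 Hz telemetry: motion and extrusion for three seconds, then a
# device that accepts bytes while nothing changes.
TELEMETRY = [
    Sample(0.0, (120.0, 89.0, 0.4), 10.000, 210.0),
    Sample(1.0, (121.0, 89.5, 0.4), 10.005, 210.0),
    Sample(2.0, (122.0, 90.0, 0.4), 10.010, 210.0),
    Sample(3.0, (122.0, 90.0, 0.4), 10.010, 210.0),
    Sample(4.0, (122.0, 90.0, 0.4), 10.010, 210.0),
    Sample(5.0, (122.0, 90.0, 0.4), 10.010, 210.0),
    Sample(6.0, (122.0, 90.0, 0.4), 10.010, 210.0),
]
SEG_0413 = "G1 X120.4 Y89.2 E0.0024 F1800\nG1 X121.0 Y89.5 E0.0028 F1800\n"
SEG_0414 = "G1 X121.6 Y89.8 E0.0032 F1800\n"

if __name__ == "__main__":
    print("seg 0413", gate(SEG_0413, TELEMETRY, 0.0))   # verified
    print("seg 0414", gate(SEG_0414, TELEMETRY, 3.0))   # ABORT: toolhead and extruder missing
```

The thresholds matter at 1 Hz: a move shorter than the sampling interval can complete between two samples, so the window has to be long enough that the cumulative change is visible, and a feed-only line such as `G1 F3000` must not demand motion it will never produce.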
04 · Signed halts

Cryptographically-signed halt commands.

Safety halts issued by the engine are HMAC-signed with the session key, so an attacker on the visitor's LAN cannot issue spoofed halts to brick prints in flight.

Every HALT_COMMAND carries an HMAC over (session_id, timestamp, reason, nonce), verified in constant time before any action is taken; the timestamp bounds the message's lifetime and the nonce lets the gateway reject a replayed halt.
Engine-signed halt            ✓ verified   HMAC 8b1f…a04d · executes safe-rest
Spoofed halt (LAN attacker)   ✗ rejected   HMAC invalid · ignored, print continues
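Both sides of the signed-halt exchange, as an added example that is not EHLS's implementation. The four authenticated fields are the ones the page lists; their canonical encoding, the 30 s skew window and the in-memory replay cache are assumptions.

```python
"""Added example, not EHLS code: engine-signed HALT_COMMAND messages and the
gateway-side verifier that must accept them before safe-rest runs. Field names
follow the page; encoding, skew window and replay cache are assumptions."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _halt_bytes(session_id: str, timestamp: float, reason: str, nonce: str) -> bytes:
    # Canonical, unambiguous encoding of exactly the four authenticated fields.
    return json.dumps({"session_id": session_id, "timestamp": timestamp,
                       "reason": reason, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_halt(session_key: bytes, session_id: str, reason: str,
              now: Optional[float] = None) -> dict:
    """Engine side: a HALT_COMMAND carrying HMAC-SHA256 over its fields."""
    ts = time.time() if now is None else now
    nonce = os.urandom(16).hex()
    mac = hmac.new(session_key, _halt_bytes(session_id, ts, reason, nonce), hashlib.sha256).hexdigest()
    return {"type": "HALT_COMMAND", "session_id": session_id, "timestamp": ts,
            "reason": reason, "nonce": nonce, "mac": mac}


class HaltVerifier:
    """Gateway side. Anything that is not a fresh, correctly keyed halt for this
    session is ignored and the print continues."""

    def __init__(self, session_key: bytes, session_id: str, max_skew: float = 30.0):
        self.key = session_key
        self.session_id = session_id
        self.max_skew = max_skew
        self.seen_nonces: set[str] = set()

    def verify(self, msg: dict, now: Optional[float] = None) -> tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            body = _halt_bytes(msg["session_id"], float(msg["timestamp"]), msg["reason"], msg["nonce"])
            presented = bytes.fromhex(msg["mac"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # MAC first, in constant time. The cheap checks come after it so that an
        # unauthenticated sender learns nothing and cannot fill the replay cache.
        if not hmac.compare_digest(presented, expected):
            return False, "HMAC invalid"
        if msg["session_id"] != self.session_id:
            return False, "wrong session"
        if abs(now - float(msg["timestamp"])) > self.max_skew:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return True, "executes safe-rest"


if __name__ == "__main__":
    key = os.urandom(32)
    verifier = HaltVerifier(key, "sess-K1C-FA92")
    halt = sign_halt(key, "sess-K1C-FA92", "thermal runaway suspected")
    print("engine halt:", verifier.verify(halt))            # (True, 'executes safe-rest')
    print("replay:     ", verifier.verify(halt))            # (False, 'replayed nonce')
    spoof = dict(halt, nonce="deadbeef", mac="00" * 32)      # LAN attacker without the key
    print("LAN spoof:  ", verifier.verify(spoof))           # (False, 'HMAC invalid')
```

The replay cache only needs to hold nonces from inside the skew window, so it can be pruned by timestamp; what it must never do is record a nonce before the MAC has been checked.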
Privacy & Safety
What EHLS does on your PC
  • Spawns one ~22 MB process that talks to the engine and your printer over the local network.
  • Uses memory-locked decryption buffers (mlock on Linux, VirtualLock on Windows), so plaintext never reaches swap or the page file.
  • Writes a small config file to ~/.ehls-gateway/ (printer IP, server URL, last machine_id — diagnostic only).
  • Logs to a small ring-buffer for the diagnostics panel.
What it does NOT do
  • No drivers, services, or autostart entries.
  • No TCP listener on your machine.
  • Doesn't read or upload any other file from your disk.
  • Doesn't bypass the printer's own safety limits — it reads them via Moonraker and refuses prints that would exceed them.
  • Doesn't accept commands from anywhere except the engine, cryptographically signed.
Safety guarantee · Every halt path runs the safe-rest cleanup: heaters off, fans full, nozzle raised and parked, motors disengaged except Z, so a bed or gantry carried on the Z axis does not drop when the steppers release. Cleanup runs on every termination path: voluntary cancel, daemon crash, power loss, window close.
02
Compatibility · Works on the printers buyers already own. Refuses cleanly when it can't.
06 · Pre-flight refusal

Refuse with a clear, actionable error.

Before the visitor can queue a print, EHLS probes their printer's firmware via Moonraker. Wrong firmware, wrong state, or a profile that demands more than the printer's caps → refuse with a structured error. The visitor can never silently start a print that would damage their hardware.

Error codes include NOT_KLIPPER, NOZZLE_RANGE, BUILD_VOLUME, MISSING_HEATER, NOT_READY.
× Cannot start print
profile demands        250 °C
this printer caps at   240 °C
printer model          Creality K1C
code · NOZZLE_RANGE
Suggested fix: Configure a profile with a nozzle target ≤ 240 °C, or print on a printer with a higher temp cap.
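A pre-flight check of the kind described above, added as an example and not EHLS's own code. It reads the two Moonraker responses a gateway would fetch, GET /printer/info and GET /printer/objects/query, and returns the page's structured error codes. The response shapes are Moonraker's; the profile format and every number in the constructed responses are assumptions (the 240 °C cap mirrors the page's illustration, not the real K1C limit).

```python
"""Added example, not EHLS code: structured pre-flight refusal from Moonraker's
/printer/info and /printer/objects/query responses. Profile format and the
constructed numbers are assumptions; the error codes are the page's."""


def preflight(info: dict, objects: dict, profile: dict) -> list[dict]:
    """Return structured refusals; an empty list means the print may be queued."""
    errors = []
    result = info.get("result", {})
    if "software_version" not in result or "klipper_path" not in result:
        errors.append({"code": "NOT_KLIPPER",
                       "message": "printer does not answer as Klipper/Moonraker",
                       "fix": "EHLS requires a Klipper printer with Moonraker enabled."})
        return errors                          # nothing below is meaningful otherwise

    status = objects.get("result", {}).get("status", {})
    settings = status.get("configfile", {}).get("settings", {})
    print_state = status.get("print_stats", {}).get("state")
    if result.get("state") != "ready" or print_state in ("printing", "paused"):
        errors.append({"code": "NOT_READY",
                       "message": f"klippy state={result.get('state')!r}, print_stats.state={print_state!r}",
                       "fix": "Wait for the printer to report ready and idle, then retry."})

    max_temp = settings.get("extruder", {}).get("max_temp")
    if max_temp is not None and profile["nozzle_temp"] > max_temp:
        errors.append({"code": "NOZZLE_RANGE",
                       "message": f"profile demands {profile['nozzle_temp']} °C, this printer caps at {max_temp:g} °C",
                       "fix": f"Configure a profile with a nozzle target <= {max_temp:g} °C, "
                              "or print on a printer with a higher temp cap."})

    if profile.get("bed_temp", 0) > 0 and "heater_bed" not in settings:
        errors.append({"code": "MISSING_HEATER",
                       "message": "profile needs a heated bed; printer config has no heater_bed",
                       "fix": "Use an unheated-bed profile or a printer with a heated bed."})

    toolhead = status.get("toolhead", {})
    lo, hi = toolhead.get("axis_minimum"), toolhead.get("axis_maximum")
    if lo and hi:
        bbox_lo, bbox_hi = profile["bbox"]     # ((xmin, ymin, zmin), (xmax, ymax, zmax)) in mm
        for axis, a, b, mn, mx in zip("XYZ", bbox_lo, bbox_hi, lo, hi):
            if a < mn or b > mx:
                errors.append({"code": "BUILD_VOLUME",
                               "message": f"{axis} spans {a:g}..{b:g} mm, printer allows {mn:g}..{mx:g} mm",
                               "fix": "Re-slice within the build volume or choose a larger printer."})
    return errors


# Constructed Moonraker responses: documented shape, illustrative numbers.
INFO = {"result": {"state": "ready", "software_version": "v0.12.0",
                   "hostname": "k1c", "klipper_path": "/usr/share/klipper"}}
OBJECTS = {"result": {"eventtime": 1234.5, "status": {
    "configfile": {"settings": {"extruder": {"max_temp": 240.0}, "heater_bed": {"max_temp": 100.0}}},
    "toolhead": {"axis_minimum": [0.0, 0.0, 0.0, 0.0], "axis_maximum": [220.0, 220.0, 250.0, 0.0]},
    "print_stats": {"state": "standby"}}}}
PROFILE_250 = {"nozzle_temp": 250, "bed_temp": 60, "bbox": ((5.0, 5.0, 0.0), (180.0, 180.0, 60.0))}
PROFILE_OK = dict(PROFILE_250, nozzle_temp=230)

if __name__ == "__main__":
    for err in preflight(INFO, OBJECTS, PROFILE_250):
        print("× Cannot start print ·", err["code"], "·", err["message"], "·", err["fix"])
```

Reading `extruder.max_temp` from `configfile.settings` rather than trusting the profile is the point: the cap comes from the printer's own configuration, which is also what Klipper enforces, so the refusal happens before a single line is streamed.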
Compatibility roadmap

Built on Klipper today. Built to reach further.

Available now

Any printer running Klipper with Moonraker.

EHLS runs on machines that expose the Moonraker API on the local network, the open architecture it was designed against, including the gcode/script endpoint it streams through. That covers a wide range of the FDM hardware found in serious workshops today.

Creality K-series · Voron · Prusa · Sovol · DIY Klipper builds
On the roadmap

Expanding the same guarantees to the rest of the shop floor.

We're extending EHLS to additional commercial brands and to entirely new manufacturing classes — bringing the same hardware-locked, ephemeral streaming guarantees with us.

More commercial FDM brands · Metal 3D printers · CNC machines
03
Trackability · A signed quality certificate for every print, provably bound to the machine that made it.
Quality Certificate
05 · Quality certificate

A signed quality certificate for every print.

Every successful print produces a JSON certificate listing every segment IV, every adaptive adjustment and every telemetry alert, closed with an HMAC-SHA256 over the whole record. The signing key is HKDF-derived from (session_key, MIP hash), so the certificate is tied to this print on this printer. Because HMAC is symmetric, checking that tag requires the key, which only the platform holds; third parties therefore verify a certificate by asking the platform's verification page to re-check it, not by validating the signature themselves.

A defence supply chain can prove to its auditor that the part was printed under the exact telemetry-verified conditions the certificate claims.
Quality certificate · Signed
certificate      0x7a3f…e2c9
machine          K1C-FA92
operator key     8b1f…a04d
segments         2,143 / 2,143
adjustments      7 (feed × 5, temp × 2)
iv chain hash    blake3 c4e2…7d8e
timestamp        14:22:08 UTC
Public verification
06 · Certificate search

Anyone can verify, no login required.

Every EHLS-certified part carries a 16-character identifier and a GS1 Digital Link printed on its label. Paste either into the public verification page and the certificate chain is replayed in real time: every signature re-verified, every custodian transfer hashed against the previous, every event checked against the latest Merkle anchor — in under a second.

A regulator inspecting an aircraft, a hospital receiving an implant, an MRO accepting a part return — none of them need credentials, an account, or a vendor relationship. The provenance is the product; the lookup is just how the provenance is read.

Custodians along the chain are pseudonymous by default — only the licensed manufacturer and the final disposition are publicly named. Real legal identities are gated behind regulator-PKI auth, so commercial relationships stay private while the chain stays auditable.
cosanta.systems / cert · verified 14:22:08
EHLS-7F3A-9B21-0C4D
Actuator bracket, control surface, ANB-247
Aerlinea Norte Manufacturing · issued March 12, 2024
In service · Chain verified
Installed      Apr 22, 2024   CUST-C56D78 · Maintenance, Repair & Overhaul · Western Europe
Transferred    Apr 8, 2024    CUST-A12B34 · Distributor · Western Europe
Manufactured   Mar 12, 2024   Aerlinea Norte Manufacturing Ltd
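The chain replay described under Certificate search, as an added example rather than the platform's code. It assumes each custody event commits to its predecessor's hash and that the registry publishes a Merkle root over the event hashes as the anchor; the field names, hashing layout and the three events (modelled on the sample part above) are constructed.

```python
"""Added example, not EHLS code: replay a custody chain offline. Each event
commits to its predecessor's hash; the set of event hashes is then compared
with a published Merkle root (the anchor). Field names, hashing layout and
the events are constructed; the page describes the check, not its format."""
import hashlib
import json


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def event_hash(event: dict) -> str:
    # Covers every field except the hash itself, including "prev", so an edited
    # date or custodian changes this hash and breaks the link to the next event.
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(_canon(body)).hexdigest()


def merkle_root(leaf_hashes: list[str]) -> str:
    """Binary Merkle root over hex leaf hashes. An odd node is carried up unpaired
    rather than duplicated, so a padded leaf list cannot match the same root."""
    level = [bytes.fromhex(h) for h in leaf_hashes]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()


def append_event(chain: list[dict], **fields) -> dict:
    """Issuer/custodian side: link a new event to the current chain head."""
    ev = dict(fields, seq=len(chain), prev=chain[-1]["hash"] if chain else "0" * 64)
    ev["hash"] = event_hash(ev)
    chain.append(ev)
    return ev


def replay_chain(chain: list[dict], anchor_root: str) -> tuple[bool, str]:
    """Verifier side: recompute every link, then the root, and compare to the anchor."""
    prev = "0" * 64
    for i, ev in enumerate(chain):
        if ev.get("seq") != i or ev.get("prev") != prev:
            return False, f"event {i}: does not link to its predecessor"
        if event_hash(ev) != ev.get("hash"):
            return False, f"event {i}: contents do not match recorded hash"
        prev = ev["hash"]
    if merkle_root([ev["hash"] for ev in chain]) != anchor_root:
        return False, "chain hashes do not match the published anchor"
    return True, "chain verified"


# Constructed chain for the page's sample part (custodian IDs are pseudonymous).
CHAIN: list[dict] = []
append_event(CHAIN, type="manufactured", custodian="Aerlinea Norte Manufacturing Ltd",
             date="2024-03-12", certificate="EHLS-7F3A-9B21-0C4D")
append_event(CHAIN, type="transferred", custodian="CUST-A12B34", date="2024-04-08")
append_event(CHAIN, type="installed", custodian="CUST-C56D78", date="2024-04-22")
ANCHOR = merkle_root([ev["hash"] for ev in CHAIN])   # what the registry would publish

if __name__ == "__main__":
    print(replay_chain(CHAIN, ANCHOR))
    forged = [dict(ev) for ev in CHAIN]
    forged[1]["date"] = "2024-04-01"                 # backdate the transfer
    print(replay_chain(forged, ANCHOR))
```

The anchor is what makes the chain more than self-consistent: a forger who rewrites an event and every hash after it still cannot match a root that was published before the edit, which is why the verifier checks the anchor last and never trusts a root delivered alongside the chain.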
04
FAQ · Five questions defence and supply-chain teams ask first.
Can a buyer just sniff the network traffic and reconstruct the file?
They'd capture a stream of AES-256-GCM ciphertexts each encrypted with a different IV — and the keys are never transmitted (both sides HKDF-derive locally from the MIP, a nonce, and a timestamp). Even with the captures, you'd need the buyer's specific physical printer to decrypt them — and the printer overwrites each segment after execution.
What stops the buyer from running a fake printer that just records the bytes?
That's the proxy-extraction attack. EHLS verifies physical execution: every segment must produce a measurable change in toolhead position, extruder position, or heater target within a configurable window. A passive byte-recorder doesn't move the carriage, so it fails the check and the engine emergency-purges its remaining segments before delivering them.
How do I prove which print run produced which physical part?
Every print produces a quality certificate with a UUID (certificate_id). The certificate signs the full segment IV chain and the entire telemetry trace, so you can take any physical part, look up its certificate, and prove it came from this specific print on this specific printer. Useful for defence supply chain, medical device traceability, and any context where provenance matters.
What happens if the network drops mid-print?
The gateway maintains its session and reconnects with exponential backoff. On reconnect, the engine verifies the MIP hasn't changed (so a session cannot be resumed from a different device) and resumes from the last acknowledged segment. The printer's firmware queue may have drained during the outage; the next segment delivered respects the printer's current state.
Do you support multi-printer fleets?
Yes. Each printer has its own enrolment, its own session and its own session keys, with per-segment IVs; segments encrypted for one printer can't be decrypted by another. The platform's job queue routes per machine_id. Tested with up to 50 concurrent sessions on a single engine instance.

Industries

Defence & Sovereign

Sovereign-deployment EHLS for classified and ITAR-controlled manufacturing. Air-gappable, on-prem, and cleared-personnel access only. No public registry exposure.

  • Sovereign and on-prem deployment options
  • ITAR / EAR / DFARS-aligned compliance posture
  • Permissioned access — no public lookup
  • Cleared-personnel role-based access
Aerospace

Public, machine-attested provenance for OEMs, MROs, lessors, and airlines. ATA Spec 2000-compatible certificates with FAA SUP and post-AOG Aviation Supply Chain Integrity Coalition alignment.

  • Public per-instance certificate verification
  • ATA Spec 2000 / 8130-3 / EASA Form 1 compatible
  • Back-to-birth traceability for life-limited parts
  • Designed for OEM, MRO, and aftermarket buyers
Automotive

Per-instance provenance for safety-critical and aftermarket automotive parts. VIN-linked, IATF 16949-aligned, ready for the EU Mobility Digital Product Passport.

  • Public per-instance certificate verification
  • VIN-linked / IATF 16949-aligned identifiers
  • Counterfeit-part rejection at the workshop bay
  • Recall-and-replacement provenance
Industrial & Regulated

EU Digital Product Passport-ready certificates configurable to sector-specific requirements. Built for safety-critical components in automotive, rail, oil & gas, energy, and broader regulated industry.

  • EU Digital Product Passport (ESPR) compatible
  • Automotive safety-critical (IATF 16949-aligned)
  • Rail, energy, and oil & gas applications
  • Configurable deployment per sector

Print a real part. From cloud to chip.
In 20 minutes.

Bring your own Klipper printer. We'll stream a live print to your machine, with the design hardware-locked end to end.