BenchmarksStack Ranking
H33-VaultH33-ShareH33-ShieldH33-HealthH33-KeyH33-128H33-CKKSH33-256H33-BFV32H33-FHE-IQFHE OverviewZK LookupsBiometricsH33-3-KeyH33-MPCPQC ArchitecturePQ Video
APIsPricingTokenDocsWhite PaperBlogAboutSecurity Demo
Log InGet API Key

Your keys are one breach from becoming weapons. All of them.

API tokens in .env files. SSH keys on disk. Database passwords in config. TLS certs in mounted volumes. Crypto wallet private keys in hot storage. Every key in your infrastructure sits one credential dump from catastrophic compromise.

H33-Key — Kyber-1024 encryption wherever keys live. No vault migration. No workflow change. Sub-millisecond overhead.

Start Encrypting

Vaults centralize secrets behind a new abstraction layer. H33-Key does the opposite — it encrypts keys exactly where they already live. Database columns, environment variables, config files, SSH keys, TLS certificates, crypto wallet private keys. The encryption travels with the key. No migration. No new workflow. No single point of failure.

Not another secrets vault. Encryption that follows your keys.

Here’s what happens when you encrypt and manage a key with H33-Key.

Step 01 — Kyber-1024 Hybrid Encryption
Quantum-Resistant Key Wrapping
Key material is wrapped using Kyber-1024 key encapsulation mechanism combined with AES-256-GCM symmetric encryption. The plaintext key never persists — it exists only in memory during the encapsulation operation. Even if an attacker exfiltrates the encrypted payload, they face a lattice problem that no known quantum algorithm can solve efficiently.
Key material is wrapped using Kyber-1024 key encapsulation mechanism combined with AES-256-GCM symmetric encryption. The plaintext key never persists — it exists only in memory during the encapsulation operation. Even if an attacker exfiltrates the encrypted payload, they face a lattice problem that no known quantum algorithm can solve efficiently.
Step 02 — HMAC-SHA3 Integrity Verification
Detect Tampering Instantly
Every encrypted key payload carries an HMAC-SHA3-256 integrity tag. If a single bit changes — whether from storage corruption, malicious modification, or man-in-the-middle attack — verification fails immediately. You know the moment your encrypted keys have been tampered with, before any decryption attempt.
Every encrypted key payload carries an HMAC-SHA3-256 integrity tag. If a single bit changes — whether from storage corruption, malicious modification, or man-in-the-middle attack — verification fails immediately. You know the moment your encrypted keys have been tampered with, before any decryption attempt.
Step 03 — Key Wrapping + Envelope Rotation
Rotate Without Re-Encrypting
Wrap existing keys under a post-quantum envelope. When rotation policy triggers, H33-Key rotates the outer envelope without touching the underlying key material. Your application never sees a key change. Zero downtime. Zero coordination. The envelope rotates on schedule while the wrapped key remains stable.
Wrap existing keys under a post-quantum envelope. When rotation policy triggers, H33-Key rotates the outer envelope without touching the underlying key material. Your application never sees a key change. Zero downtime. Zero coordination. The envelope rotates on schedule while the wrapped key remains stable.
Step 04 — Threshold Decryption + Provenance
k-of-n Approval for Critical Keys
For high-value keys — production database roots, signing certificates, infrastructure credentials — require k-of-n threshold approval before decryption. Every access is logged with a Dilithium-signed chain of custody. Full provenance: who requested, who approved, when, from where. Tamper-proof and quantum-resistant.
For high-value keys — production database roots, signing certificates, infrastructure credentials — require k-of-n threshold approval before decryption. Every access is logged with a Dilithium-signed chain of custody. Full provenance: who requested, who approved, when, from where. Tamper-proof and quantum-resistant.
< 0.5 ms
per encrypt/decrypt operation

Kyber-1024 KEM + AES-256-GCM wrap + HMAC-SHA3 integrity + Dilithium signature — all under half a millisecond.

Four cryptographic stages — under half a millisecond.

STAGE 1  Kyber-1024 KEM
STAGE 2  AES-256-GCM Wrap
STAGE 3  HMAC-SHA3 Integrity
STAGE 4  Dilithium Signature
Total: —
Key Encryption Pipeline

Every key in your infrastructure is a target. Encrypt them all.

Database Credentials
Encrypt connection strings in-place. No application change. Your ORM reads the same config — H33-Key transparently decrypts at point of use.
SSH Keys & Certificates
Wrap private keys at rest with Kyber-1024 envelope. Decrypt on-demand at point of use. Compromised disk yields only ciphertext.
API Tokens & Service Accounts
PQ-encrypt CI/CD secrets, cloud provider keys, third-party tokens. Rotate envelopes without invalidating the underlying credentials.
TLS Certificate Private Keys
Protect cert private keys with Kyber envelope. Auto-rotate envelope on schedule. The certificate stays valid while the encryption layer refreshes.
Crypto Wallet & Signing Keys
Wrap blockchain private keys, HD wallet seeds, and signing keys with Kyber-1024 encryption. Hot wallets stay operational while keys stay quantum-safe. Threshold decryption (Key-3) adds k-of-n multisig-grade approval before any signing key is released.

Zero to Encrypted in Five Minutes

No infrastructure to deploy. No agents to install. No migration project to plan.

Step 01
Get Your API Key
Sign up at /get-api-key, select the Key tab, choose a unit pack. API key provisioned instantly. No credit card required for free tier.
Step 02
Encrypt Your First Key
One API call to POST /v1/key/encrypt with your key material. Store the returned ciphertext wherever the plaintext used to live — .env file, database column, CI/CD variable, Kubernetes secret.
Step 03
Decrypt at Point of Use
Call POST /v1/key/decrypt when your app needs the key. Set a TTL so plaintext auto-zeroes from memory after use. Your app code changes are minimal — one decrypt call at startup.
Step 04
Scale with SDKs
Production SDKs for Node.js, Python, Go, and Rust handle caching within TTL windows and provide framework middleware. Docker sidecar available for environments you cannot modify — intercepts env var reads and transparently decrypts.

Zero-Exposure Infrastructure

Every secrets manager on the market decrypts the key before handing it to you. H33-Key doesn’t.

H33-Gateway NEW

TEE proxy — your infrastructure never touches plaintext. Your app sends an encrypted key + request. Gateway decrypts inside a Trusted Execution Environment, forwards the API call to the third-party service, zeroes the plaintext, and returns the response. At no point does your infrastructure — or ours — see the key in the clear.

Healthcare
A hospital where an Epic EHR credential sits in plaintext in a Jenkins env var. Every CI/CD run exposes it. Every developer with pipeline access can read it. With Gateway, Jenkins stores the Kyber-encrypted credential. The API call routes through the TEE. The plaintext credential never exists outside the enclave.
Financial Services
A bank where Stripe API keys live in a config file that 40 engineers can read. One compromised laptop, one misconfigured S3 bucket, one leaked .env — and those keys are in the wild. With Gateway, the config stores ciphertext. Payment API calls route through the TEE. Zero engineers need plaintext access.
STEP 1  App sends encrypted key + request
STEP 2  TEE decrypts key (secure enclave)
STEP 3  API call forwarded to third-party
STEP 4  Plaintext zeroed, response returned
Total: —
Gateway Pipeline

The Ecosystem Vision: Key-FHE NEW

Both sides integrate the H33 SDK. BFV fully homomorphic encryption compares the key without decrypting it — not even inside a TEE. The plaintext key never exists anywhere during verification. This is the endgame: zero-exposure at the mathematical level.

Key-FHE requires both parties to integrate the H33 SDK. We position it honestly as the future — the highest-security option for organizations willing to coordinate with their partners.

STEP 1  Encrypted key sent (Kyber-1024 envelope)
STEP 2  BFV FHE comparison (homomorphic)
STEP 3  Match / No-match result returned
No decryption step — key never exists in plaintext
FHE Verification Pipeline — zero decryption

Revocation & Rotation

Every encrypted key has an ID. Revoke instantly. Rotate without downtime. Analogous to certificate revocation (CRL/OCSP) — but for every key in your infrastructure.

Key Identity
Each encrypted key is assigned a unique identifier (hk_*). Track, audit, and manage every encrypted key across your infrastructure by ID. Full lifecycle visibility from creation to retirement.
Instant Revocation
Mark any key ID as revoked — all decrypt operations for that ID are refused immediately. No propagation delay. No key material to chase down. One API call and the key is dead across every system that references it.
Seamless Rotation
Generate a new Kyber envelope and key ID. The old ID is marked rotated with a configurable grace period — systems using the old ID continue to work during the transition window, then automatically cut over. Zero-downtime key rotation.

The more you encrypt, the less each operation costs.

Key-0
3 units per operation
Kyber-1024 encrypt/decrypt. Masked display. Full audit log.
10K$0.18
50K$0.12
250K$0.075
1M$0.036
5M+$0.018
Get Started
Key-1
8 units per operation
+ HMAC-SHA3-256 integrity verification. Tamper detection.
10K$0.48
50K$0.32
250K$0.20
1M$0.096
5M+$0.048
Get Started
Key-2
15 units per operation
+ Key wrapping + envelope rotation without re-encrypting underlying key.
10K$0.90
50K$0.60
250K$0.375
1M$0.18
5M+$0.09
Get Started
Key-3
25 units per operation
+ Threshold decryption (k-of-n). Dilithium-signed key provenance chain.
10K$1.50
50K$1.00
250K$0.625
1M$0.30
5M+$0.15
Get Started
Key-Gateway NEW
35 units per operation
TEE proxy — your infrastructure never touches plaintext. Works with any third-party API.
10K$2.10
50K$1.40
250K$0.875
1M$0.42
5M+$0.21
Get Started
Key-FHE NEW
50 units per operation
FHE verification — key never decrypted anywhere. Both sides integrate for zero-exposure.
10K$3.00
50K$2.00
250K$1.25
1M$0.60
5M+$0.30
Get Started

Volume Unit Pricing

Monthly Volume $/Unit Key-0 (3u) Key-1 (8u) Key-2 (15u) Key-3 (25u) Key-Gateway (35u) Key-FHE (50u)
10K $0.060 $0.18 $0.48 $0.90 $1.50 $2.10 $3.00
50K $0.040 $0.12 $0.32 $0.60 $1.00 $1.40 $2.00
250K $0.025 $0.075 $0.20 $0.375 $0.625 $0.875 $1.25
1M $0.012 $0.036 $0.096 $0.18 $0.30 $0.42 $0.60
5M+ $0.006 $0.018 $0.048 $0.09 $0.15 $0.21 $0.30

How H33-Key compares

H33-Key AWS KMS HashiCorp Vault Transit Azure Key Vault
Post-quantum encryption Kyber-1024 (NIST)
Latency < 0.5ms 5–15ms 2–8ms 10–25ms
Per-operation cost From $0.018 $1/10K requests Self-managed infra Per-op + per-key
Migration required None — transparent layer Full integration Complex setup SDK integration
Vendor lock-in None AWS-only Azure-only
Threshold decryption (k-of-n) Key-3
Dilithium-signed provenance Key-3
Zero-exposure infrastructure Key-Gateway (TEE proxy)
FHE key verification Key-FHE

All units fungible — same balance as H33-Auth, H33-Vault, H33-Share, H33-Shield, and H33-Health.

Start Encrypting Your Keys

Get API Key

Free tier includes 1,000 units. No credit card required.