QuantumVault inventories every classical key in your infrastructure, generates a migration plan, issues post-quantum certificates, and provides the long-term archival signatures that will still be verifiable in 2060.
Nation-state adversaries are harvesting encrypted traffic today for decryption when cryptographically relevant quantum computers arrive. Every year of delay is another year of data exposed retroactively.
Intelligence agencies and sophisticated adversaries are recording encrypted traffic today. When a cryptographically relevant quantum computer arrives, every RSA and ECC key exchange captured in transit can be broken retroactively. Data with a 10-year sensitivity window is already at risk.
NSA's Commercial National Security Algorithm Suite 2.0 requires all national security systems to migrate to post-quantum algorithms by 2030 for software and firmware, 2033 for hardware. NIST finalized ML-KEM, ML-DSA, and SLH-DSA in August 2024. The clock is ticking.
A typical enterprise has tens of thousands of TLS certificates, SSH keys, code signing identities, and API credentials scattered across cloud providers, on-prem infrastructure, CI/CD pipelines, and legacy systems. Manual inventory is impossible. Migration without a plan is reckless.
QuantumVault provides the complete migration lifecycle: discover what you have, plan how to migrate, execute the migration, and prove compliance to auditors and regulators.
SDKs for Python, Java, Node.js, Go, and .NET. OAuth 2.0 authentication with HMAC-SHA256 API keys. All responses include ML-DSA post-quantum signatures.
Launch agentless scan across specified targets: TLS endpoints, SSH servers, certificate stores, cloud KMS, HSMs. Supports CIDR ranges and DNS wildcards.
Poll scan progress. Returns discovered key count, completion percentage, and error summary. Supports long-polling.
Paginated list of all discovered classical keys. Filter by algorithm (RSA, ECC, DSA), key size, expiration window, risk score, and owner.
Full metadata for a single key: algorithm, size, creation date, expiration, certificate chain, associated services, quantum risk score, and migration status.
Aggregate risk report across your entire infrastructure. Breakdown by algorithm family, criticality tier, and CNSA 2.0 compliance gap. Exportable as signed PDF.
AI-assisted migration roadmap with dependency graphs, effort estimates, rollback strategies, and priority ordering. Accounts for certificate chain dependencies.
Retrieve a generated migration plan with phase-by-phase breakdown, resource requirements, and timeline projections.
Generate ML-KEM (Kyber) key encapsulation or ML-DSA (Dilithium) signing key pairs. Optional HSM-backed storage. Supports all NIST security levels (2, 3, 5).
Issue X.509 certificates with dual classical + post-quantum signatures. Supports RSA+ML-DSA and ECDSA+ML-DSA hybrid modes per IETF draft-ounsworth-pq-composite-sigs.
Retrieve certificate metadata, chain, revocation status, and associated key material references. Includes both classical and PQ signature details.
Revoke a hybrid certificate. Updates OCSP responder and CRL. Returns signed revocation receipt with ML-DSA attestation.
Rotate a classical key to its post-quantum replacement. Handles certificate re-issuance, service reconfiguration, and validation. Atomic with rollback on failure.
Sign arbitrary data with ML-DSA (Dilithium). Supports security levels 2, 3, and 5. Batch signing up to 10,000 operations per call.
Verify ML-DSA or hybrid signatures. Returns verification result, signer identity, timestamp, and algorithm details. Batch verification supported.
Produce archival-grade ML-DSA signatures with embedded timestamps and certificate chain snapshots. Designed to remain verifiable for 50+ years. Compliant with ETSI AdES long-term validation.
Generate a CNSA 2.0 compliance gap analysis. Maps every key in your inventory against NSA CNSA 2.0 requirements. Exportable as signed PDF for auditors.
Chain-hashed, tamper-evident log of all key management operations. Paginated, date-range filtered. Exportable as signed PDF for regulatory review.
The Discovery tier gives you unlimited scans and risk assessments at no cost. Because understanding the scope of your quantum exposure shouldn't require a purchase order.
Archival-grade ML-DSA signatures with embedded timestamps and certificate chain snapshots. Designed to remain verifiable for 50+ years. Available as add-on to any paid tier.
White-glove assessment by H33 cryptographic engineers. Includes infrastructure scan, risk analysis, executive briefing, migration roadmap, and 90-day implementation support.
QuantumVault maps every key management operation to specific compliance requirements. Reports are generated automatically, signed with ML-DSA, and ready for auditor review.
Full alignment with NSA's Commercial National Security Algorithm Suite 2.0. Automated gap analysis maps your infrastructure against CNSA 2.0 timelines: software/firmware by 2030, hardware by 2033.
Implementation of NIST's post-quantum cryptography transition guidance. ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) as specified. Migration plans reference NIST IR 8547 sections directly.
Cryptographic modules validated to FIPS 140-3 Level 2 (Level 3 with HSM backend). All key generation, signing, and verification operations use validated implementations.
FedRAMP authorization in progress. QuantumVault's CNSA 2.0 compliance reporting satisfies OMB M-23-02 post-quantum migration requirements for federal agencies and their contractors.
Long-term archival signatures comply with ETSI TS 119 312 for cryptographic suites and ETSI EN 319 122 for CAdES/XAdES advanced electronic signatures with post-quantum algorithms.
Hybrid certificates support EU eIDAS 2.0 qualified electronic signature requirements. Dual classical + PQ signatures ensure backward compatibility during the transition period.
QuantumVault automates the migration in three phases. First, the infrastructure scanner discovers every RSA, ECC, and AES key across your certificates, key stores, HSMs, cloud KMS, and code repositories. Second, QuantumVault generates a prioritized migration plan based on Mosca's inequality — assets with the longest data sensitivity lifetime migrate first. Third, QuantumVault provisions hybrid certificates (classical + post-quantum) through automated certificate lifecycle management, so your systems maintain backward compatibility while gaining quantum resistance.
CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) is the NSA's mandate for post-quantum cryptographic migration. The key deadlines are: by 2025, prefer CNSA 2.0 algorithms for new systems; by 2030, require ML-KEM (Kyber) for key establishment and ML-DSA (Dilithium) for digital signatures; by 2035, exclusively use CNSA 2.0 algorithms with no classical fallback. QuantumVault tracks your compliance against all CNSA 2.0 milestones and generates deadline-specific compliance reports showing exactly which assets need migration and by when.
Harvest-now-decrypt-later (HNDL) is the strategy where adversaries intercept and store encrypted data today, planning to decrypt it when cryptographically relevant quantum computers become available. Data with long sensitivity lifetimes — classified information, healthcare records, financial data, trade secrets — is especially vulnerable. If your data needs to remain confidential for 10+ years and a quantum computer could arrive in 10-15 years, you are already in the vulnerability window. QuantumVault identifies HNDL-exposed assets in your infrastructure and prioritizes their migration to post-quantum algorithms.
Hybrid certificates contain both a classical key pair (RSA or ECC) and a post-quantum key pair (ML-KEM or ML-DSA) in a single X.509 certificate. During a TLS handshake, both key exchanges are performed and their shared secrets are combined. If either algorithm is compromised, the other still protects the connection. This provides backward compatibility with systems that do not yet support post-quantum algorithms while providing full quantum resistance for systems that do. QuantumVault automates hybrid certificate provisioning, renewal, and complete lifecycle management.
Long-term archival signing uses post-quantum digital signatures (ML-DSA/Dilithium) to sign documents, audit records, and compliance evidence that must remain verifiable for decades. An RSA or ECC signature created today could be forged by a quantum computer in the future, invalidating your entire audit trail retroactively. QuantumVault's archival signing creates Dilithium signatures that will remain unforgeable in a post-quantum world. This is critical for legal documents, healthcare records, financial compliance evidence, and regulatory filings that have multi-decade retention requirements.
QuantumVault's infrastructure scanner is an agentless discovery tool that inventories every cryptographic asset in your environment. It scans TLS certificates, SSH keys, code signing certificates, cloud KMS keys (AWS, GCP, Azure), HSM inventories, Java KeyStores, and .NET certificate stores. The scanner identifies algorithm types, key sizes, expiration dates, and certificate chains. Results are compiled into a searchable Cryptographic Asset Inventory with quantum risk scores. The Discovery tier is free forever with no credit card required. A typical scan completes in under 60 minutes.
Mosca's inequality states that if X + Y > Z, your data is at risk — where X is the number of years the data must remain confidential, Y is the time required to migrate to post-quantum cryptography, and Z is the time until a cryptographically relevant quantum computer exists. For example, if your healthcare records need 25 years of confidentiality, migration takes 3 years, and a quantum computer arrives in 15 years, then 25+3=28 > 15, and you are already in the vulnerability window. QuantumVault computes Mosca's inequality for every asset in your cryptographic inventory.
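As an added illustration (not QuantumVault's code or API), the sketch below applies Mosca's inequality across a small inventory and ranks assets by exposure, going one step beyond the single-asset arithmetic above. The asset names, the field names, the sample values other than the healthcare figures, and the list of quantum-vulnerable algorithm prefixes are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str         # label as it would appear in an inventory
    shelf_life_years: int  # X: how long the protected data must stay confidential
    migration_years: int   # Y: time needed to migrate this asset to PQC

# Assumed prefixes for classical public-key algorithms that Shor's algorithm breaks.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDH", "ECC", "DSA", "DH", "ED25519")

def mosca_exposure(asset, years_to_crqc):
    """Return X + Y - Z; a positive value is the number of exposed years."""
    return asset.shelf_life_years + asset.migration_years - years_to_crqc

def prioritize(assets, years_to_crqc):
    """Rank quantum-vulnerable assets by exposure, worst first."""
    rows = []
    for a in assets:
        if not a.algorithm.upper().startswith(QUANTUM_VULNERABLE):
            continue  # already post-quantum (e.g. ML-DSA): nothing to migrate
        exposure = mosca_exposure(a, years_to_crqc)
        rows.append({
            "name": a.name,
            "exposure_years": exposure,
            "at_risk": exposure > 0,  # strict inequality: X + Y > Z
            # Years remaining before migration must start to finish in time;
            # a negative value means the start date has already passed.
            "start_slack_years": -exposure,
        })
    # Highest exposure first; ties broken by name for stable output.
    return sorted(rows, key=lambda r: (-r["exposure_years"], r["name"]))

# Constructed sample inventory; the first entry uses the page's healthcare figures.
SAMPLE_INVENTORY = [
    Asset("healthcare-records-tls", "RSA-2048", 25, 3),
    Asset("ci-code-signing", "ECDSA-P256", 5, 2),
    Asset("archive-signing", "ML-DSA-65", 50, 0),
    Asset("vpn-gateway", "RSA-4096", 12, 3),
]
YEARS_TO_CRQC = 15  # Z: assumed planning estimate, as in the page's example

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY, YEARS_TO_CRQC):
        print(row)
```

The `vpn-gateway` entry sits exactly on the boundary (X + Y = Z), so it is not flagged as at risk but has zero slack: any slip in the migration schedule pushes it into the vulnerability window.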
QuantumVault and VaultKey solve different problems. VaultKey is an encrypted secrets management platform — it stores and uses API keys, credentials, and secrets through FHE proxy execution so secrets never touch your servers. QuantumVault is a cryptographic migration platform — it inventories your classical cryptographic assets, assesses quantum risk exposure, and manages the migration to post-quantum algorithms including hybrid certificates, key rotation, and long-term archival signing. Organizations typically use VaultKey for day-to-day secrets management and QuantumVault for the strategic migration to post-quantum cryptography.
QuantumVault supports all NIST-standardized post-quantum algorithms: ML-KEM (CRYSTALS-Kyber) at security levels 512, 768, and 1024 for key encapsulation; ML-DSA (CRYSTALS-Dilithium) at security levels 2, 3, and 5 for digital signatures; and SLH-DSA (SPHINCS+) for stateless hash-based signatures. QuantumVault also supports hybrid modes that combine classical algorithms (RSA-2048, RSA-4096, ECDSA P-256, P-384) with their post-quantum counterparts for backward compatibility during the transition period.
A typical infrastructure scan completes in under 60 minutes for organizations with up to 50,000 cryptographic assets. The scanner is agentless and connects to your infrastructure through standard APIs for AWS, GCP, and Azure, plus SSH and certificate transparency logs. Larger environments with hundreds of thousands of assets may take 2-4 hours. The scan is non-intrusive — it reads certificate metadata and key configurations but never accesses private key material. Results include risk scores, Mosca's inequality calculations, and a prioritized migration timeline.
Run your first infrastructure scan in under five minutes. The Discovery tier is free forever. No credit card. No sales call. Just the truth about your quantum exposure.