This document describes the high-level architecture and security design of quantum_vault, a post-quantum cryptography (PQC)–based key management system (KMS) implemented in Rust.
This repository intentionally contains no source code.
The goal of quantum_vault is to provide long-term protection for cryptographic keys and secrets in environments where data must remain secure for decades, including against future quantum adversaries.
The system is designed to be:
- Software-only (no quantum hardware dependency)
- Deployable on existing infrastructure
- Crypto-agile by default
quantum_vault explicitly does not aim to:
- Implement Quantum Key Distribution (QKD)
- Replace physical HSMs
- Introduce proprietary cryptographic primitives
- Act as a general-purpose secret manager for all workloads
The system assumes:
- Adversaries may harvest encrypted data today and decrypt later
- Classical public-key cryptography (RSA/ECC) will become unsafe
- Infrastructure compromise is possible
- Insider threats exist
The system defends against:
- Future quantum attacks on stored ciphertext
- Key exfiltration via compromised services
- Weak key rotation and lifecycle practices
At a high level, the system consists of:
- Key Authority
- Generates and manages PQC key material
- Policy Engine
- Enforces rotation, expiry, and access constraints
- Crypto Interface Layer
- Abstracts cryptographic primitives for agility
- Audit & Observability Layer
- Records key lifecycle events
All components are designed to run as software services and integrate with existing infrastructure.
The system is designed to support:
- Algorithm replacement without service downtime
- Hybrid cryptographic modes during migration
- Forward-compatible key lifecycle management
No single cryptographic algorithm is treated as permanent.
Typical deployment scenarios include:
- Database encryption key management
- Backup and archive encryption
- Blockchain validator or signing key protection
- Internal service-to-service trust anchors
Post-quantum cryptography was selected because it:
- Works over existing networks
- Requires no specialized hardware
- Aligns with NIST standardization
- Scales across cloud and on-prem environments
QKD is treated as a potential future input, not a dependency.
The implementation of quantum_vault is intentionally private.
This document is intended to communicate architectural intent, security reasoning, and design tradeoffs without exposing sensitive implementation details.