Key Management
QuantumVault manages post-quantum cryptographic keys for encryption, signing, and key encapsulation. All algorithms follow NIST post-quantum standards (FIPS 203, 204, 205), ensuring your cryptographic operations are secure against both classical and quantum attacks.
From this page you can generate, import, rotate, revoke, and export cryptographic keys. QuantumVault supports post-quantum (NIST FIPS 203/204/205) and classical algorithms, automatic rotation policies, AI-powered tag suggestions, cloud KMS export, and fine-grained access control.
Key types
QuantumVault organises keys into three types based on their cryptographic purpose. Each type supports a different set of algorithms.
Encryption (KEM)
Key Encapsulation Mechanism keys for encrypting data, wrapping other keys, and generating Data Encryption Keys (DEKs). Includes ML-KEM (post-quantum) and RSA.
Signing (DSA)
Digital Signature Algorithm keys for creating and verifying digital signatures. Includes ML-DSA, SLH-DSA (post-quantum), RSA, ECDSA, and Ed25519.
HMAC
Hash-based Message Authentication Code keys for generating and verifying MACs. Useful for API request signing, webhook verification, and data integrity checks.
Supported algorithms
QuantumVault supports the full suite of NIST-standardized post-quantum algorithms, plus AES-256-GCM for symmetric encryption.
Post-quantum algorithms
| Algorithm | Type | Standard | Default |
|---|---|---|---|
| ML-KEM-768 | Key Encapsulation | FIPS 203 | Yes |
| ML-KEM-512 | Key Encapsulation | FIPS 203 | — |
| ML-KEM-1024 | Key Encapsulation | FIPS 203 | — |
| ML-DSA-65 | Digital Signature | FIPS 204 | Yes |
| ML-DSA-44 | Digital Signature | FIPS 204 | — |
| ML-DSA-87 | Digital Signature | FIPS 204 | — |
| SLH-DSA-128s | Digital Signature | FIPS 205 | — |
Classical algorithms
| Algorithm | Type | Use case |
|---|---|---|
| RSA-2048 | Encryption / Signing | Legacy compatibility, certificate signing, cloud KMS export |
| RSA-3072 | Encryption / Signing | Higher security RSA, NIST recommended minimum |
| RSA-4096 | Encryption / Signing | Maximum RSA security, government compliance |
| EC-P256 | Signing | ECDSA, JWT signing, TLS certificates |
| EC-P384 | Signing | Higher-security ECDSA, government applications |
| EC-P521 | Signing | Maximum ECDSA security |
| Ed25519 | Signing | SSH keys, high-performance signatures, small key size |
| HMAC-SHA256 | HMAC | API request signing, webhook verification |
| HMAC-SHA384 | HMAC | Higher-security MAC operations |
| HMAC-SHA512 | HMAC | Maximum HMAC security, large message authentication |
Key lifecycle
Cryptographic keys follow a defined lifecycle: generation, active use, rotation (where the old key is deprecated but kept for decryption), and eventual destruction. QuantumVault enforces this lifecycle to prevent accidental use of compromised or outdated keys.
Generate ──▶ Active ──┬──▶ Revoked
├──▶ Expired (auto, on expiration date)
└──▶ Pending Deletion ──▶ Destroyed (permanent)| State | Can encrypt | Can decrypt | Description |
|---|---|---|---|
| Active | Yes | Yes | Key is healthy and ready for all operations. |
| Expired | No | Yes | Past expiration date. Can still decrypt existing data but cannot encrypt new data. |
| Revoked | No | Yes | Manually deactivated. Can still decrypt but cannot encrypt. Cannot be re-activated. |
| Pending Deletion | No | Yes | Scheduled for permanent destruction. Can be cancelled before the deletion date. |
| Destroyed | No | No | Permanently destroyed. Key material is irrecoverable. Metadata retained for audit. |
Key list features
The key list page provides powerful tools for managing your cryptographic keys at scale.
Full-text search
Search by key name, algorithm, purpose, or description. Results update instantly as you type.
Status filter
Filter keys by state: Active, Revoked, Expired, Pending Deletion, or Destroyed. Defaults to showing all keys.
Favorites toggle
Star important keys to pin them to the top of the list. The amber star toggle shows only your favorited keys.
Tag / label filter
Filter keys by labels. Supports multi-select to show keys matching any of the selected tags.
Column sorting
Sort by Name, Algorithm, Purpose, Version, Status, or Creation Date. Ascending or descending. Favorites always appear first.
Bulk actions
Select multiple keys to apply AI tag suggestions in batch. Processes keys in groups of 10 for efficiency.
When one or more active keys expire within 30 days, an amber alert banner appears at the top of the key list showing the count of expiring keys.
AI tag suggestions
QuantumVault uses AI to automatically suggest relevant tags for your keys based on their name, algorithm, type, and description. This helps organise large key vaults without manual effort.
Bulk suggest
Per-key suggest
Accept or reject
Generate keys
Create new cryptographic keys by selecting the key type, algorithm, and optional settings like expiration and default status.
Choose a name
Select key type
Pick an algorithm
Set expiration (optional)
Confirm and generate
POST /api/v1/keys
Content-Type: application/json
{
"name": "production-signing-key",
"keyType": "Signing",
"algorithm": "ML-DSA-65",
"expiresAt": "2027-01-01T00:00:00Z",
"isDefault": false
}qapi keys generate production-signing-key --type signing --algorithm ml-dsa-65Import keys (BYOK)
Bring Your Own Key: import existing key material into QuantumVault. Useful when migrating from another KMS or when keys were generated in a hardware security module (HSM).
Supported import formats
| Format | Description |
|---|---|
| PEM | Base64-encoded with header/footer markers. Most common format for certificates and keys. |
| PKCS#8 | Standardised private key format. Supports password-protected keys. |
| JWK | JSON Web Key format. Commonly used in OAuth2/OIDC and web applications. |
| DER | Binary ASN.1 encoding. Used in X.509 certificates and Java keystores. |
| RAW | Raw key bytes (base64-encoded). For symmetric keys and HMAC secrets. |
Imported private key material is encrypted at rest immediately upon import. The original plaintext is never stored. Ensure you have a backup of the key material before importing.
Key detail operations
The key detail page provides full lifecycle management for individual keys.
Edit metadata
Update the key name, description, expiration date, default status, and labels. Changes take effect immediately.
Rotate key
Create a new version of the key. The previous version is preserved for decrypting data encrypted with it. Requires confirmation.
Revoke key
Permanently deactivate the key. Revoked keys can still decrypt existing data but cannot be used for new operations. This action cannot be undone.
Schedule deletion
Mark the key for permanent destruction after a grace period. During the grace period you can cancel the deletion.
Share
Share access to this key with team members. Opens the Share Resource dialog where you can search and add users.
Version history
View all versions of the key (v1, v2, v3...). Each rotation creates a new version. The current version is highlighted.
Public key export
Export the public key in multiple formats for use in external systems. Private key export is also available but requires additional confirmation due to security implications.
| Format | Extension | Description |
|---|---|---|
| PEM | .pem | Base64-encoded text format with header/footer. Most widely supported. |
| DER | .der | Binary ASN.1 encoding. Compact, used in Java and certificate systems. |
| RAW | .txt | Raw key bytes as base64 string. Minimal overhead. |
| JWK | .json | JSON Web Key. Ideal for web applications, OAuth2, and OIDC. |
GET /api/v1/keys/{keyId}/public?format=PEM
Authorization: Bearer <token>Public key with metadata on demand
By default, GET /api/v1/keys/{keyId}/public returns just the encoded public key plus algorithm, version, and format. Programmable metadata (key name, description, labels, lifecycle state, rotation history, …) is NOT included unless requested via the ?include= query parameter. Pass a comma-separated list of fields, or use ?include=metadata (alias: all) to include every supported field. Note: ?include= does not apply to ?format=jwk, which always returns a standard JWK object.
GET /api/v1/keys/{keyId}/public?format=PEM&include=name,description,labelsGET /api/v1/keys/{keyId}/public?include=metadataname, description, keyType, isPostQuantum,
isActive, isDefault, isFavorite,
createdAt, expiresAt, lastRotatedAt,
labels, state, scheduledDeletionDate
# Aliases (expand to all of the above):
metadata, allCryptographic operations
Perform cryptographic operations directly from the key detail page without writing code. Available operations depend on the key type.
| Operation | Key types | Description |
|---|---|---|
| Generate Data Key | Encryption | Generate a Data Encryption Key (DEK) for envelope encryption. Choose key size (16/24/32 bytes) and optionally include the plaintext key. |
| Wrap Key | Encryption | Encrypt (wrap) key material using this key. Used for secure key transport between systems. |
| Unwrap Key | Encryption | Decrypt (unwrap) previously wrapped key material. The context must match the one used during wrapping. |
| Generate MAC | HMAC | Compute a Hash-based Message Authentication Code over input data. Returns the MAC value for verification. |
| Verify MAC | HMAC | Validate a MAC against the original data. Returns a green 'Valid' or red 'Invalid' result. |
POST /api/v1/keys/{keyId}/data-key
{
"keyBytes": 32,
"withPlaintext": true,
"context": "optional-aad"
}POST /api/v1/keys/{keyId}/wrap
{
"plaintext": "base64-encoded-key-material",
"context": "optional-aad"
}POST /api/v1/keys/{keyId}/mac
{
"data": "base64-encoded-data"
}Automatic rotation policies
Configure automatic key rotation to regularly create new key versions. Rotation policies run in the background and can optionally notify a webhook URL when triggered.
| Frequency | Interval |
|---|---|
| Daily | Every 24 hours |
| Weekly | Every 7 days |
| Monthly | Every 30 days |
| Quarterly | Every 90 days |
| Yearly | Every 365 days |
You can configure a webhook URL to be notified each time a rotation occurs. This is useful for triggering downstream key re-distribution or cache invalidation.
Access control & sharing
QuantumVault provides fine-grained access control for individual keys. View who has access, what they can do, and why.
Effective permissions
View the merged permissions for each principal (user, API key) on this key. Shows the source of each permission — full access, explicit policy, resource group, or role default.
Resource groups
See which resource groups this key belongs to. Add the key to new groups directly from the detail page.
Share dialog
Search for team members and grant them access to this key. Configurable permission level per user.
Access indicator
A compact badge showing your own effective permission level on the key (e.g. Full Access, Read Only).
Key insights (AI analysis)
The Insights tab runs an AI-powered analysis of your key vault to identify security issues, configuration problems, and optimisation opportunities.
Critical issues
Severe problems that need immediate attention: expired keys still in use, weak algorithms, keys without rotation policies.
Warnings
Potential issues: keys approaching expiration, rotation policies paused for too long, keys not used in 90+ days.
Informational
Optimisation suggestions: consider post-quantum migration, tag untagged keys, consolidate duplicate-purpose keys.
Cloud KMS export compatibility
Export keys to external cloud KMS providers for hybrid deployments. Post-quantum keys cannot be exported to cloud providers that do not yet support PQC algorithms.
| Provider | Supported algorithms | Post-quantum |
|---|---|---|
| Azure Key Vault | RSA-2048+, ECDSA, Ed25519 | Not supported |
| AWS KMS | RSA-2048+, ECDSA, Ed25519 | Not supported |
| GCP Cloud KMS | RSA-2048, RSA-3072, RSA-4096 | Not supported |
| Scaleway KMS | RSA-2048+, ECDSA, Ed25519 | Not supported |
For detailed cloud export setup, credentials, and auto-sync configuration, see the Cloud KMS Auto-Sync documentation page.
Envelope encryption
QuantumVault uses envelope encryption to protect all data at rest. Instead of encrypting data directly with a master key, a unique Data Encryption Key (DEK) is generated for each operation, used to encrypt the data, and then itself encrypted (wrapped) with the tenant's Key Encryption Key (KEK). This limits the exposure of any single key.
1. Generate Data Encryption Key (DEK)
2. Encrypt data with DEK using AES-256-GCM
3. Encrypt DEK with tenant's Key Encryption Key (KEK)
4. Store encrypted data + encrypted DEK together
5. QRNG-generated nonces ensure uniqueness
# To decrypt:
1. Decrypt DEK using tenant's KEK
2. Decrypt data using DEKQuantum Random Number Generation
All cryptographic operations use random numbers from quantum hardware sources when available. This provides true randomness derived from quantum mechanical processes, not algorithmic pseudo-randomness.
Quantum Blockchains (Primary)
Real quantum hardware from Quantum Blockchains (EU, Poland). True quantum random number generation.
QuantumBlockchains (Backup)
Secondary QRNG source for redundancy. Activated if the primary source is unavailable.
System CSPRNG (Fallback)
Cryptographically secure pseudo-random number generator. Used when quantum sources are unreachable.
API & CLI reference
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/keys | List all keys for the tenant |
| POST | /api/v1/keys | Generate a new cryptographic key |
| GET | /api/v1/keys/{keyId} | Get key details and metadata |
| PATCH | /api/v1/keys/{keyId} | Update key name, description, labels, expiration |
| POST | /api/v1/keys/{keyId}/rotate | Rotate key (create new version) |
| POST | /api/v1/keys/{keyId}/revoke | Revoke (deactivate) a key |
| DELETE | /api/v1/keys/{keyId} | Schedule key for deletion |
| GET | /api/v1/keys/{keyId}/public?format=PEM | Export public key in specified format |
| POST | /api/v1/keys/import | Import existing key material (BYOK) |
| POST | /api/v1/keys/{keyId}/data-key | Generate a Data Encryption Key |
| POST | /api/v1/keys/{keyId}/wrap | Wrap (encrypt) key material |
| POST | /api/v1/keys/{keyId}/unwrap | Unwrap (decrypt) key material |
| POST | /api/v1/keys/{keyId}/mac | Generate HMAC |
| POST | /api/v1/keys/{keyId}/mac/verify | Verify HMAC |
| GET | /api/v1/keys/{keyId}/versions | List all versions of a key |
| POST | /api/v1/keys/{keyId}/rotation-policy | Create or update rotation policy |
| POST | /api/v1/keys/{keyId}/cloud-exports/{exportId}/sync | Trigger manual cloud KMS sync |
# List all keys
qapi keys list
# Generate a new signing key
qapi keys generate my-key --type signing --algorithm ml-dsa-65
# Rotate a key
qapi keys rotate <key-id>
# Export public key
qapi keys export <key-id> --format pem
# Import a key
qapi keys import my-imported --file key.pem --format pem
# Create rotation policy
qapi keys rotation-policy <key-id> --frequency monthlyFAQ
Should I use post-quantum or classical algorithms?
If your data needs to remain secure for 10+ years, use post-quantum algorithms (ML-KEM, ML-DSA). They protect against both classical and future quantum attacks. For short-lived keys or legacy system compatibility, classical algorithms (RSA, ECDSA) are still safe today.
How many keys can I create?
There is no limit on the number of keys. QuantumVault pricing is based on storage space and API calls, not on key count.
Does key rotation break existing encrypted data?
No. Rotation creates a new version but preserves all previous versions. Data encrypted with v1 can still be decrypted using v1 while new operations use the latest version.
What are the limits for key import?
You can import keys in PEM, PKCS#8, JWK, DER, or RAW format. Private keys are encrypted at rest immediately upon import. There is no size limit beyond the algorithm's natural key size.
Is my imported key material secure?
Yes. Imported key material is encrypted using envelope encryption with your tenant's master key and QRNG-generated nonces before being stored. The plaintext is never persisted.
Can I export post-quantum keys to cloud KMS?
Not yet. Cloud providers (Azure, AWS, GCP, Scaleway) do not currently support post-quantum key types. Only classical keys (RSA, ECDSA, Ed25519) can be exported. Private key export to file supports all algorithms.
How do AI tag suggestions work?
The AI analyses the key name, algorithm, type, and description to suggest relevant labels (e.g. 'production', 'signing', 'pqc'). Suggestions are shown as dashed pills that you can accept or reject individually.
What does 'Set as default' do?
The default key is automatically used when an API request does not specify a keyId. Only one key per type (encryption, signing, HMAC) can be the default at any time.
Can I recover a key that is pending deletion?
Yes, during the grace period you can cancel the scheduled deletion from the key detail page. Once the deletion date passes and the key is destroyed, recovery is impossible.
When should I use HMAC keys?
Use HMAC keys for verifying data integrity and authenticity: API request signing, webhook payload verification, session token validation, and file integrity checks. HMAC is faster than asymmetric signatures.
Related documentation
Encryption Keys
Detailed documentation for encryption key types, algorithms, and lifecycle.
Encrypt / Decrypt
API reference for encrypt, decrypt, sign, and verify operations.
Transit Engine
Encryption-as-a-service without storing keys locally.
Cloud KMS Auto-Sync
Export and sync keys to Azure, AWS, GCP, and Scaleway KMS.
API Keys
Manage API keys for programmatic access to QuantumVault.
Resource Groups
Organise keys into groups for unified access control.