QuantumLock

BYOC & KMS

Keep your private keys in your own cloud or hardware security module. QuantumLock orchestrates cryptographic operations without ever accessing your key material.

  • Keys never leave your boundary
  • FIPS 140-2 / 140-3 HSM support
  • Air-gapped HSM mode available

Separation of policy from custody

QuantumLock decides which algorithm to use and when to sign. Your KMS or HSM stores the keys and executes the cryptographic operations.

Your Application

Calls QuantumLock SDK or API to request signatures, encryption, or key operations.

QuantumLock (Policy)

Decides algorithm, key ID, signing parameters, and lifecycle rules. Routes operations to your KMS.

Your KMS (Custody)

Stores private keys. Executes cryptographic operations. Keys never leave your secure boundary.

Supported Providers

Four ways to own your keys

Each provider integrates through its native SDK. You control the cloud account, IAM, billing, and key material.

AWS KMS

Use your own AWS KMS keys. QuantumLock orchestrates cryptographic operations via AWS SDK. Supports AWS CloudHSM for hardware-backed keys.

  • Symmetric and asymmetric keys
  • Multi-region key support
  • Automatic key rotation
  • AWS CloudHSM integration

Azure Key Vault

Keep keys in your Azure Key Vault or Azure Managed HSM. QuantumLock communicates via Azure SDK with managed identity authentication.

  • Azure Key Vault Standard/Premium
  • Azure Managed HSM (FIPS 140-2 Level 3)
  • Soft-delete and purge protection
  • RBAC via Azure AD

GCP Cloud KMS

Your keys, your Google Cloud project. QuantumLock integrates via GCP Cloud KMS API with service account authentication.

  • Software and hardware (Cloud HSM) key protection
  • Global, regional, and regional-level key rings
  • Automatic and on-demand key rotation
  • IAM-based access control

PKCS#11 HSM

Connect your hardware security module via standard PKCS#11 (RFC 7512). Keys are generated and used inside the HSM and never leave the device.

  • Thales Luna / ProtectServer
  • Entrust nShield
  • Utimaco CryptoServer
  • YubiHSM 2

Sovereign Cloud

Deploy in European sovereign infrastructure

For organizations that require data residency, regulatory compliance, or sovereign cloud mandates.

  • OVHcloud: France / Europe
  • Scaleway: France / Europe
  • Outscale (SecNumCloud): France
  • T-Systems / Open Telekom Cloud: Germany
  • IONOS Cloud: Germany / Europe
  • Elastx: Sweden

Air-Gapped Mode

Zero network. Maximum security.

For defense, national security, and critical infrastructure deployments. QuantumLock runs fully offline with keys delivered as a physical package. No external API calls at any time.

  • Docker image + keys delivered as offline package
  • License validation via offline SDK with local revocation list
  • Local KMS for cryptographic operations. PKCS#11 HSM optional.

Shared Responsibility Model

Clear separation between what SoftQuantus manages and what your organization controls.

| Security Layer | SoftQuantus | Your Organization |
|---|---|---|
| Policy engine (algorithms, lifecycle rules) | Responsible | Not applicable |
| KMS provider integration (SDK calls, routing) | Responsible | Not applicable |
| API and Trust Console availability | Responsible | Not applicable |
| Private key material | Not applicable | Responsible |
| HSM hardware procurement and physical security | Not applicable | Responsible |
| Cloud account, billing, and IAM | Not applicable | Responsible |
| API key management and scope assignment | Responsible | Responsible |
| Audit log retention and SIEM configuration | Responsible | Responsible |

Own your keys. Control your security posture.

Schedule a BYOC architecture review. Our team maps QuantumLock to your existing KMS infrastructure.