PKI & Cipher
Encryption-as-a-Service with AES-256-GCM and ChaCha20-Poly1305. Private X.509 certificate authority with CRL distribution and RFC 6960 OCSP responder. Enterprise-grade cryptography as an API.
Encryption without building infrastructure
Full envelope encryption API. Generate data keys, encrypt locally, wrap with master keys stored in your KMS or HSM.
Envelope Encryption
Generate a data key, encrypt data locally with AES-256-GCM, wrap the data key with your master key. Standard pattern for encrypting large payloads.
AES-256-GCM
Authenticated encryption with associated data (AEAD). 256-bit keys. NIST SP 800-38D compliant. Hardware-accelerated via AES-NI on modern CPUs.
ChaCha20-Poly1305
High-performance stream cipher with Poly1305 MAC. Constant-time implementation. Ideal for mobile, embedded, and software-only environments without AES-NI.
Data Key Operations
Generate, encrypt, decrypt, and rewrap data keys. Full key lifecycle management with automatic rotation and policy-controlled expiration.
Signing & HMAC
Generate digital signatures with RSA-4096 + ML-DSA-65 hybrid scheme. Create and verify HMAC with SHA-256, SHA-384, or SHA-512 for message authentication.
Random Bytes & Hashing
Cryptographically secure random byte generation with configurable entropy sources. SHA-256, SHA-384, and SHA-512 hashing with streaming support.
Simple API. Strong cryptography.
Encrypt and decrypt in three API calls. No need to manage cipher suites, IVs, or key wrapping yourself.
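The envelope-encryption and data-key rewrap pattern described above, written with Node.js's built-in crypto module. This is an added example, not QuantumLock's API or client code: the function names, the envelope layout, and the locally generated key standing in for a master key held in a KMS or HSM are all assumptions.

```javascript
// Added illustration of envelope encryption with AES-256-GCM (Node.js built-in crypto).
// Function names and the envelope layout are assumptions, not a vendor API.
const crypto = require('node:crypto');

// AES-256-GCM seal: fresh 96-bit nonce per call, 128-bit tag; AAD is authenticated, not encrypted.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key, nonce, ciphertext, tag or AAD differ from what was sealed.
function open(key, { iv, ct, tag }, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// AAD for the wrapped key: ties it to one master key id and one usage context.
const wrapAad = (keyId, context) => Buffer.from(`${keyId}|${context}`);

// Encrypt the payload under a one-time data key, then wrap that key under the master key.
function envelopeEncrypt(masterKey, keyId, plaintext, context) {
  const dataKey = crypto.randomBytes(32);
  const data = seal(dataKey, plaintext, Buffer.from(context));
  const wrappedKey = seal(masterKey, dataKey, wrapAad(keyId, context));
  dataKey.fill(0); // best-effort wipe of the plaintext data key
  return { keyId, context, wrappedKey, data };
}

function envelopeDecrypt(masterKey, env) {
  const dataKey = open(masterKey, env.wrappedKey, wrapAad(env.keyId, env.context));
  try { return open(dataKey, env.data, Buffer.from(env.context)); }
  finally { dataKey.fill(0); }
}

// Master-key rotation: only the small wrapped key is re-encrypted; bulk ciphertext is untouched.
function rewrap(oldMaster, newMaster, newKeyId, env) {
  const dataKey = open(oldMaster, env.wrappedKey, wrapAad(env.keyId, env.context));
  const wrappedKey = seal(newMaster, dataKey, wrapAad(newKeyId, env.context));
  dataKey.fill(0);
  return { ...env, keyId: newKeyId, wrappedKey };
}

// Constructed demo: a random local key stands in for a KMS/HSM-held master key.
const demoMaster = crypto.randomBytes(32);
const demoEnv = envelopeEncrypt(demoMaster, 'mk-1', Buffer.from('constructed sample'), 'tenant-a');
console.log(envelopeDecrypt(demoMaster, demoEnv).toString());
```

Because the context string is authenticated on both the payload and the wrapped key, an envelope copied to a different tenant or record fails to decrypt instead of silently succeeding.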
Private certificate authority as a service
Run your own internal CA for mTLS, code signing, and service identity. Full certificate lifecycle management with automated renewal.
Root CA Generation
Create a private certificate authority with RSA-4096 or ML-DSA-65 keys. Self-signed root certificate with configurable validity period and extensions.
Certificate Issuance
Issue X.509 v3 certificates for servers, clients, code signing, and mutual TLS. Full control over subject, SANs, key usage, and extended key usage.
CSR Signing
Accept PKCS#10 certificate signing requests from your infrastructure. Automated validation and issuance pipeline integrated with your existing tooling.
Certificate Revocation & CRL
Revoke certificates immediately. Generate and publish Certificate Revocation Lists (RFC 5280). Configurable CRL update intervals and delta CRLs.
OCSP Responder
RFC 6960 Online Certificate Status Protocol responder. Real-time certificate status checks without downloading CRLs. Signed OCSP responses with nonce support.
Certificate Renewal
Automated certificate renewal before expiry. Policy-controlled renewal windows with configurable overlap periods for zero-downtime rotation.
Not a public certificate authority
QuantumLock PKI operates as a private/internal CA for your organization. It does not replace a qualified trust service provider (QTSP) or public CA like Let's Encrypt, DigiCert, or Sectigo. Certificates issued by QuantumLock PKI are trusted within your infrastructure but are not publicly trusted by browsers or operating systems unless you distribute your root CA certificate.
NIST-standardized algorithms
All Cipher and PKI operations support NIST FIPS 203, 204, and 205 post-quantum algorithms.
| Algorithm | Standard | Level | Use |
|---|---|---|---|
| ML-DSA-65 | FIPS 204 | 3 | Primary PQC signature |
| ML-DSA-87 | FIPS 204 | 5 | High-security PQC |
| ML-KEM-768 | FIPS 203 | 3 | Key encapsulation |
| SLH-DSA-SHAKE-256S | FIPS 205 | 5 | Conservative backup |
| Hybrid RSA+ML-DSA | Proprietary | Defense-in-depth | Dual validation |