Enable Quantum-Safe Encryption
Configure post-quantum cryptography for your existing protocol traffic. Choose algorithm profiles, set up hybrid encryption, and verify quantum resistance with NIST-approved algorithms.
Prerequisites
- QBITEL Bridge running (see Discover a Legacy Protocol)
- Basic understanding of TLS and key exchange concepts
- OpenSSL 3.x installed (for verification steps)
Available Algorithm Profiles
QBITEL Bridge supports multiple NIST-standardized post-quantum algorithms. Choose a profile based on your security and performance requirements.
| Profile | KEM Algorithm | Signature | Security Level |
|---|---|---|---|
| standard | ML-KEM-768 | ML-DSA-65 | NIST Level 3 |
| high | ML-KEM-1024 | ML-DSA-87 | NIST Level 5 |
| hybrid | ML-KEM-768 + X25519 | ML-DSA-65 + Ed25519 | Level 3 + Classical |
Configure the PQC Profile
Update your QBITEL Bridge configuration to enable post-quantum cryptography. The hybrid profile is recommended for production because it provides quantum resistance while maintaining backward compatibility with classical TLS clients.
```yaml
# config/qbitel.yaml
pqc:
  enabled: true
  profile: hybrid
  kem_algorithm: ML-KEM-768
  signature_algorithm: ML-DSA-65
  classical_fallback:
    kem: X25519
    signature: Ed25519
  key_rotation_interval: 24h
tls:
  min_version: "TLSv1.3"
  cipher_suites:
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
```
Generate PQC Key Pairs
Use the QBITEL CLI to generate the hybrid key pairs that the data plane will use for key encapsulation and message signing.
```bash
# Generate hybrid key pair (PQC + classical)
curl -X POST http://localhost:8000/api/v1/pqc/keygen \
  -H "Content-Type: application/json" \
  -d '{
    "profile": "hybrid",
    "label": "production-primary",
    "store_in_vault": true
  }'
```
Response:
```json
{
  "key_id": "pqc_key_01HXYZ...",
  "algorithm": "ML-KEM-768+X25519",
  "public_key_fingerprint": "SHA256:Qf8k...",
  "created_at": "2025-01-15T10:30:00Z",
  "rotation_due": "2025-01-16T10:30:00Z"
}
```
Enable PQC on the Data Plane
Apply the PQC configuration to the Rust data plane. This wraps all protocol traffic in a quantum-safe envelope without modifying the original protocol behavior.
```bash
# Apply PQC to a specific protocol channel
curl -X PUT http://localhost:8000/api/v1/channels/ch_legacy9100/security \
  -H "Content-Type: application/json" \
  -d '{
    "pqc_enabled": true,
    "key_id": "pqc_key_01HXYZ...",
    "encrypt_payload": true,
    "sign_messages": true,
    "classical_fallback": true
  }'
```
Note: With classical_fallback: true, clients that do not support PQC will still connect using classical X25519 key exchange. This ensures zero downtime during migration. Those fallback connections are not quantum-resistant, so track the fallback rate while the setting is on.
Test Hybrid Encryption
Verify that traffic is being encrypted with the hybrid PQC scheme. The test endpoint performs a round-trip encapsulation and decapsulation.
```bash
# Run the PQC self-test
curl -X POST http://localhost:8000/api/v1/pqc/test \
  -H "Content-Type: application/json" \
  -d '{ "key_id": "pqc_key_01HXYZ..." }'
```
Expected response:
```json
{
  "status": "passed",
  "kem_encapsulation": "success",
  "kem_decapsulation": "success",
  "signature_sign": "success",
  "signature_verify": "success",
  "latency_overhead_ms": 2.3,
  "key_size_bytes": 1184,
  "ciphertext_size_bytes": 1088
}
```
Monitor PQC Metrics
Check the Grafana dashboard to monitor PQC performance in production. Key metrics include encapsulation latency, key rotation events, and fallback rates.
```bash
# Query PQC metrics via Prometheus (URL quoted so the shell does not treat "?" as a glob)
curl -s 'http://localhost:9091/api/v1/query?query=qbitel_pqc_encapsulation_duration_seconds'
# Check the ratio of PQC vs classical connections
curl -s 'http://localhost:9091/api/v1/query?query=qbitel_pqc_connections_total'
```
What's next? Once PQC is active, enable automatic key rotation in production. You can also combine PQC with the compliance engine to generate evidence for NIST and FedRAMP audits.
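The self-test response in Test Hybrid Encryption carries key and ciphertext sizes next to its success strings, and those sizes can be checked against the ML-KEM parameter set named in the keygen response. The Python below is an added example, not QBITEL's own code: the function names and the classical-only sample are constructed, the sizes are the FIPS 203 values, and it assumes the size fields describe the ML-KEM component only.

```python
import json

# FIPS 203 sizes in bytes: (encapsulation key, ciphertext).
ML_KEM_SIZES = {"ML-KEM-768": (1184, 1088), "ML-KEM-1024": (1568, 1568)}
STEPS = ("kem_encapsulation", "kem_decapsulation",
         "signature_sign", "signature_verify")


def pq_component(algorithm):
    """Pick the ML-KEM part out of a label such as 'ML-KEM-768+X25519'."""
    for part in algorithm.split("+"):
        if part.strip() in ML_KEM_SIZES:
            return part.strip()
    raise ValueError(f"no known ML-KEM parameter set in {algorithm!r}")


def check_selftest(response_text, algorithm):
    """Return a list of problems in a self-test response; empty means OK."""
    try:
        body = json.loads(response_text)
    except json.JSONDecodeError as exc:
        return [f"response is not JSON: {exc}"]
    if not isinstance(body, dict):
        return ["response is not a JSON object"]
    problems = []
    if body.get("status") != "passed":
        problems.append(f"status is {body.get('status')!r}")
    problems += [f"{s} is {body.get(s)!r}" for s in STEPS
                 if body.get(s) != "success"]
    # Assumption: the size fields describe the ML-KEM component only.
    want = dict(zip(("key_size_bytes", "ciphertext_size_bytes"),
                    ML_KEM_SIZES[pq_component(algorithm)]))
    for field, size in want.items():
        if body.get(field) != size:
            problems.append(f"{field} is {body.get(field)!r}, expected {size}")
    return problems


# The expected response shown on this page.
PAGE_RESPONSE = """{"status": "passed", "kem_encapsulation": "success",
 "kem_decapsulation": "success", "signature_sign": "success",
 "signature_verify": "success", "latency_overhead_ms": 2.3,
 "key_size_bytes": 1184, "ciphertext_size_bytes": 1088}"""
# Constructed failure: every step reports success, but the sizes are those
# of a bare X25519 exchange (32-byte keys), i.e. no ML-KEM was involved.
CLASSICAL_ONLY = PAGE_RESPONSE.replace("1184", "32").replace("1088", "32")

if __name__ == "__main__":
    for name, text in (("page", PAGE_RESPONSE), ("classical", CLASSICAL_ONLY)):
        print(name, check_selftest(text, "ML-KEM-768+X25519") or "OK")
```

Pass the `algorithm` value from the keygen response as the second argument so the check follows whichever profile the key was generated with.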