Overview
KMS Managed mode stores your PQC private keys in AWS KMS hardware security modules. Keys are non-exportable — they never leave the HSM.
KMS Managed Keys require the Pro plan ($499/mo) or above.
Quick Start
1. Create a KMS Key
```bash
curl -X POST https://api.qsafe.dev/v1/keys/generate \
  -H "X-API-Key: qs_sec_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "algorithm": "ml-dsa-65",
    "chain": "ethereum",
    "custody": "managed"
  }'
```
2. Sign a Message
```bash
curl -X POST https://api.qsafe.dev/v1/sign/managed \
  -H "X-API-Key: qs_sec_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "key_id": "arn:aws:kms:us-east-1:...",
    "message": "hello quantum world",
    "algorithm": "ml-dsa-65"
  }'
```
3. Verify the Signature
```bash
curl -X POST https://api.qsafe.dev/v1/verify \
  -H "X-API-Key: qs_sec_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "public_key": "arn:aws:kms:us-east-1:...",
    "message": "hello quantum world",
    "signature": "624d9e92...",
    "algorithm": "ml-dsa-65"
  }'
```
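The three steps above, driven from a small Python client. This is an added example, not QSafe's own SDK: the endpoints and request fields come from the curl calls, while the response fields (`key_id` from generate, `signature` from sign, `valid` from verify), the full shape of the KMS key ARN, and the `FakeTransport` stand-in are assumptions made for illustration. The client validates the key ARN before any request leaves the host, refuses a non-hex signature, and treats anything other than an explicit `true` from verify as a failed verification.

```python
"""Client for the KMS Managed quick start (generate, sign, verify).

Added example, not QSafe's SDK. Request fields and endpoints come from the
page; the response fields below are assumptions:
  - POST /v1/keys/generate  -> {"key_id": "<KMS key ARN>"}
  - POST /v1/sign/managed   -> {"signature": "<hex>"}
  - POST /v1/verify         -> {"valid": true|false}
"""
import hashlib
import json
import re
import urllib.request
from typing import Any, Callable, Dict

API_BASE = "https://api.qsafe.dev/v1"
MANAGED_ALGORITHMS = ("ml-dsa-44", "ml-dsa-65", "ml-dsa-87")  # SLH-DSA / FN-DSA are BYOK only

# Assumed full shape of a KMS key ARN; the page shows only the prefix "arn:aws:kms:us-east-1:...".
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# transport(url, json_body, api_key) -> parsed JSON response
Transport = Callable[[str, Dict[str, Any], str], Dict[str, Any]]


def http_transport(url: str, body: Dict[str, Any], api_key: str) -> Dict[str, Any]:
    """Live transport: POST JSON with the X-API-Key header, exactly as the curl examples do."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class ManagedKeyClient:
    def __init__(self, api_key: str, transport: Transport = http_transport,
                 algorithm: str = "ml-dsa-65", chain: str = "ethereum"):
        if algorithm not in MANAGED_ALGORITHMS:
            raise ValueError(f"{algorithm}: KMS Managed mode supports ML-DSA only")
        self.api_key, self.transport, self.algorithm, self.chain = api_key, transport, algorithm, chain

    def _post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        return self.transport(f"{API_BASE}{path}", body, self.api_key)

    def generate_key(self) -> str:
        resp = self._post("/keys/generate",
                          {"algorithm": self.algorithm, "chain": self.chain, "custody": "managed"})
        key_id = resp.get("key_id", "")
        if not KMS_KEY_ARN.match(key_id):          # refuse to proceed on an unexpected response
            raise ValueError(f"unexpected key_id in response: {key_id!r}")
        return key_id

    def sign(self, key_id: str, message: str) -> str:
        if not KMS_KEY_ARN.match(key_id):          # fail fast before a request leaves the host
            raise ValueError("key_id must be a KMS key ARN")
        resp = self._post("/sign/managed",
                          {"key_id": key_id, "message": message, "algorithm": self.algorithm})
        signature = resp.get("signature", "")
        if not signature:
            raise ValueError("empty signature in response")
        bytes.fromhex(signature)                   # raises ValueError if the signature is not hex
        return signature

    def verify(self, key_id: str, message: str, signature: str) -> bool:
        resp = self._post("/verify", {"public_key": key_id, "message": message,
                                      "signature": signature, "algorithm": self.algorithm})
        return resp.get("valid") is True           # anything but an explicit true is a failure


class FakeTransport:
    """Offline stand-in for the API so the flow can be exercised without a Pro-plan key.
    Constructed responses: the 'signature' is a SHA-256 digest of the message, NOT an ML-DSA signature."""
    KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/0f1e2d3c-4b5a-4978-8765-4321fedcba98"

    def __init__(self):
        self.calls = []

    def __call__(self, url, body, api_key):
        self.calls.append((url, body))
        if url.endswith("/keys/generate"):
            return {"key_id": self.KEY_ARN}
        if url.endswith("/sign/managed"):
            return {"signature": hashlib.sha256(body["message"].encode()).hexdigest()}
        if url.endswith("/verify"):
            expected = hashlib.sha256(body["message"].encode()).hexdigest()
            return {"valid": body["public_key"] == self.KEY_ARN and body["signature"] == expected}
        raise ValueError(f"unknown endpoint {url}")


def quick_start(client: ManagedKeyClient, message: str = "hello quantum world") -> Dict[str, Any]:
    """Steps 1-3 of the quick start in one call."""
    key_id = client.generate_key()
    signature = client.sign(key_id, message)
    return {"key_id": key_id, "signature": signature,
            "valid": client.verify(key_id, message, signature)}


if __name__ == "__main__":
    demo = ManagedKeyClient("qs_sec_live_EXAMPLE", transport=FakeTransport())
    print(quick_start(demo))
```

Swap `FakeTransport()` for the default `http_transport` and a real `qs_sec_live_...` key to run against the live API; the client logic is unchanged, which is the point of injecting the transport.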
Supported Algorithms
| Algorithm | NIST Level | AWS KMS | Recommended |
|---|---|---|---|
| ML-DSA-44 | 2 | ✓ | General use |
| ML-DSA-65 | 3 | ✓ | Default |
| ML-DSA-87 | 5 | ✓ | High security |
| SLH-DSA | 1 | ✗ BYOK only | Hash-based |
SLH-DSA and FN-DSA keys created in BYOK mode cannot be migrated to KMS Managed mode.
Choose ML-DSA if you plan to upgrade to Managed later.
BYOK vs Managed
| Feature | BYOK (v1) | Managed (v1.5) |
|---|---|---|
| Key Location | Your device | AWS KMS HSM |
| Security Level | Software | FIPS 140-3 Level 3 |
| Private Key Access | You control | Non-exportable |
| Cost | Free | $1/key/mo + $0.15/10K ops |
| Plan Required | Free+ | Pro+ |
| Algorithms | All | ML-DSA only |
Cost
- $1 per key per month
- $0.15 per 10,000 signing operations
- Verification is free (uses public key locally)
Key Deletion
KMS keys have a minimum 7-day deletion waiting period (an AWS requirement). During this period the key cannot be used for signing, but the deletion can be cancelled.