Key Management
QuantumSafe uses a Bring Your Own Key (BYOK) model. PQC key pairs are generated locally on your device, and only the public key is registered with QuantumSafe. Your private key never leaves your environment.
QuantumSafe is built on current NIST-standardized algorithms and does not guarantee absolute security. This is a quantum-readiness tool, not a quantum-proof solution.
How BYOK Works
Key Generation
The SDK generates keys entirely on the client side using a cryptographically secure random number generator (CSPRNG):
const keypair = await qs.keys.generate({
algorithm: "ml-dsa-65", // ML-DSA-65 recommended
chain: "ethereum",
format: "hex",
});
// keypair.publicKey — safe to register with API
// keypair.privateKey — NEVER share or transmit this
TypeScript SDK: Uses crypto.getRandomValues() (Web Crypto API). The use of Math.random() is explicitly banned and will throw an error.Python SDK: Uses the secrets module backed by os.urandom(). The random module is never used for key material.
What the Server Stores
When you register a key, QuantumSafe stores:
| Field | Stored | Description |
|---|
| Public key | Yes | Used for signature verification |
| Algorithm | Yes | e.g., ml-dsa-65 |
| Chain | Yes | e.g., ethereum |
| Key ID | Yes | Unique identifier |
| Private key | No | Never transmitted, never stored |
Private Key Responsibility
Since QuantumSafe never stores your private key:
- You are responsible for secure storage of your private key
- There is no recovery mechanism — if you lose your private key, you cannot sign with that key pair
- Store private keys in an HSM, secure enclave, or encrypted key store
- Never store private keys in plain text, environment variables, or version control
Consider using platform-specific secure storage: AWS KMS, Azure Key Vault, GCP Cloud KMS, or hardware security modules (HSMs) for production deployments.
Custody Roadmap
| Mode | Version | Description |
|---|
| BYOK | v1.0 (current) | Client-side key generation. Full user control. |
| Managed | v1.5 (planned) | Optional server-side key management via KMS integration. |
| Threshold | v2.0 (planned) | Multi-party computation for shared custody. |
