Product

PQ Vault

Quantum-safe key management and encrypted secret storage for your infrastructure. Protect sensitive data against harvest-now-decrypt-later attacks today.

Request Early AccessView Docs
Features

Everything you need for PQ key management

PQ Vault replaces or wraps your existing key management with quantum-resistant encryption — no application changes required.

🔐

ML-KEM Encryption

All secrets are encrypted with ML-KEM-768 (FIPS 203), the NIST-standardized post-quantum key encapsulation mechanism. Even with a quantum computer, your data stays safe.

🔑

Hybrid Key Wrapping

Wrap existing AES-256 or RSA keys with a hybrid classical + PQ envelope. Backward-compatible with your current KMS while adding quantum protection.

📋

Secret Versioning

Every secret update creates a new version with full audit trail. Roll back instantly. Automatic key rotation on configurable schedules.

🛡️

Access Policies

Fine-grained access control per secret, per environment. Integrates with your existing IAM — OIDC, SAML, and service account tokens.

☁️

Cloud KMS Integration

Works alongside AWS KMS, Azure Key Vault, and GCP Cloud KMS. PQ Vault adds quantum-safe wrapping on top of your existing infrastructure.

👁️

Zero-Knowledge Architecture

PostQ never sees your plaintext secrets. Encryption and decryption happen client-side. We only store ciphertext.

Developer Experience

Simple API, quantum-grade security

import { PQVault } from "@postq/vault";

const vault = new PQVault({
  endpoint: "https://vault.postq.dev",
  token: process.env.POSTQ_VAULT_TOKEN,
});

// Store a secret — encrypted client-side with ML-KEM-768
await vault.put("database/prod/password", {
  value: "s3cret!",
  metadata: { rotation: "30d" },
});

// Retrieve — decrypted client-side
const secret = await vault.get("database/prod/password");
console.log(secret.value); // "s3cret!"
Architecture

How PQ Vault protects your secrets

1

Client encrypts

Your application generates an ML-KEM-768 shared secret and encrypts the payload with AES-256-GCM locally.

2

Ciphertext stored

Only the encrypted blob is sent to PQ Vault. Access policies, versioning, and audit logs are managed server-side.

3

Client decrypts

On retrieval, the ciphertext is decapsulated client-side using your private ML-KEM key. PostQ never sees plaintext.

Protect your secrets for the quantum era

PQ Vault is currently in early access. Request access to start protecting your most sensitive data with quantum-safe encryption.

Request Early AccessView All Products