Encryption at Rest

Qpher encrypts all PQC private keys before writing them to disk. Even if an attacker gains access to the storage volume, they cannot read the private keys without the Key Encryption Key (KEK).

The Double Encryption Model

Your private keys are protected by two layers of encryption:

                 Layer 1: PQC Key Generation
                 +---------------------------+
                 |  Kyber768 or Dilithium3    |
                 |  generates a key pair      |
                 |                            |
                 |  Public Key  -> returned   |
                 |  Private Key -> Layer 2    |
                 +-------------+-------------+
                               |
                               v
                 Layer 2: AES-256-GCM Encryption
                 +---------------------------+
                 |  private_key_bytes         |
                 |       +                    |
                 |  Key Encryption Key (KEK)  |
                 |       +                    |
                 |  Random 12-byte IV         |
                 |       =                    |
                 |  IV + AES-GCM ciphertext   |
                 |       -> written to disk   |
                 +---------------------------+

Only the KMS-Orchestrator can reverse this process. It loads the KEK from memory, reads the encrypted file, and decrypts the private key just long enough to perform the requested cryptographic operation.

AES-256-GCM

Qpher uses AES-256-GCM (Galois/Counter Mode) for encrypting private keys at rest.

Property	Value
Algorithm	AES-256-GCM
Key size	256 bits (32 bytes)
IV size	96 bits (12 bytes), unique per key file
Authentication	Built-in (GCM provides integrity and authenticity)
Storage format	IV (12 bytes) followed by ciphertext (variable length)

GCM is an authenticated encryption mode, which means it protects both confidentiality and integrity. If anyone tampers with an encrypted key file, the decryption will fail with an authentication error rather than producing corrupted output.

ℹ️Why AES-256-GCM?

AES-256-GCM is widely considered quantum-resistant for symmetric encryption. While Grover's algorithm could theoretically reduce the effective key strength to 128 bits, 128-bit security remains far beyond practical attack capabilities.

Key Encryption Key (KEK)

The KEK is the master key that protects all private keys on disk.

Property	Requirement
Format	64-character hexadecimal string (256 bits)
Source (production)	Secrets manager (AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager)
Source (development)	Environment variable QPHER_KEY_ENCRYPTION_KEY
Access	Only the KMS-Orchestrator process
Rotation	Requires re-encrypting all stored private keys

KEK Security

The KEK is loaded into the KMS-Orchestrator's memory at startup. It is never written to disk in plaintext, never logged, and never transmitted over the network.

⚠️KEK Protection

The KEK is the root of trust for all private keys. If it is compromised, an attacker with access to the encrypted key files could decrypt them. Use a dedicated secrets manager in production and restrict access to the KMS-Orchestrator service account only.

How Decryption Works

When a cryptographic operation requires a private key (for example, decrypting a ciphertext or signing a message), the KMS-Orchestrator performs these steps:

1. Look up the key record in the database to find the private_key_handle (file path).
2. Verify the key's status allows the requested operation (active or retired).
3. Read the encrypted key file from disk.
4. Split the file contents into the IV (first 12 bytes) and the AES-GCM ciphertext.
5. Decrypt using the KEK and the IV.
6. Perform the requested PQC operation (decapsulate or sign) with the decrypted private key.
7. Return only the operation result (plaintext or signature) to the caller.
8. The decrypted private key exists only in memory for the duration of the operation.

File Storage Layout

/var/lib/qpher/keys/
  {tenant-id-1}/
    Kyber768/
      1.key          <-- AES-256-GCM encrypted (version 1)
      2.key          <-- AES-256-GCM encrypted (version 2)
    Dilithium3/
      1.key          <-- AES-256-GCM encrypted (version 1)
  {tenant-id-2}/
    ...

• Each tenant has an isolated directory.
• Each algorithm has a subdirectory.
• Each key version is a separate encrypted file.
• Directory permissions: 700 (owner only).
• File permissions: 600 (owner read/write only).

Tamper Detection

Because AES-256-GCM provides authenticated encryption, any modification to an encrypted key file is detected immediately. If a file has been tampered with:

• The GCM authentication tag verification fails.
• The KMS-Orchestrator refuses to use the key.
• An error is returned to the caller, and an audit event is logged.

This prevents an attacker from silently replacing a key file with a key they control.