Non-Exportable Keys
Your PQC private keys are the most sensitive assets in Qpher. A leaked private key would allow an attacker to decrypt your ciphertexts or forge signatures in your name. That is why Qpher follows the same principle used by AWS KMS, Azure Key Vault, and hardware security modules: private keys never leave the secure boundary.
There is no API endpoint to retrieve private keys — by design.
How It Works
When you generate a PQC key pair through Qpher, the following happens:
- Key generation occurs inside the KMS-Orchestrator service.
- The public key is returned to you and stored in the database. You can retrieve it at any time.
- The private key is encrypted with AES-256-GCM and written to disk inside the KMS-Orchestrator's secure storage.
- The database stores only a handle (a file path reference), never the raw key bytes.
```text
You receive:                        Stored in KMS-Orchestrator:
+--------------------------+        +----------------------------------+
| Public Key               |        | Encrypted Private Key            |
| (1184 bytes              |        | AES-256-GCM(private_key)         |
| for Kyber768)            |        | Stored on disk as .key file      |
+--------------------------+        +----------------------------------+
                                                      |
                                          Database stores only:
                                          "handle" = file path reference
```
No Export API
Qpher intentionally provides no endpoint for downloading or exporting private keys. This is not a missing feature -- it is a deliberate security decision.
| Operation | Available? | How It Works |
|---|---|---|
| Generate key pair | Yes | Private key created and stored inside KMS-Orchestrator |
| Get public key | Yes | Public key returned from the database |
| Get private key | No | No such endpoint exists |
| Export private key | No | No such endpoint exists |
| Encrypt / Decrypt | Yes | KMS-Orchestrator performs the operation using the private key internally |
| Sign / Verify | Yes | KMS-Orchestrator performs the operation using the private key internally |
Server-Side Cryptographic Operations
Since you cannot download private keys, all cryptographic operations that require a private key happen inside Qpher:
- Decrypt: You send the ciphertext to Qpher. The KMS-Orchestrator loads the private key, performs Kyber768 decapsulation, and returns the plaintext.
- Sign: You send the message to Qpher. The KMS-Orchestrator loads the private key, performs Dilithium3 signing, and returns the signature.
Operations that use only the public key (encrypt, verify) can also be performed client-side if you prefer, since public keys are freely available.
You can verify signatures locally using the public key and any Dilithium3 implementation. This is useful when you want to verify data integrity without making an API call.
Private Key Storage Details
Private keys on disk are protected by multiple layers:
- Encryption: AES-256-GCM authenticated encryption. Each key file has a unique initialization vector (IV).
- File permissions: 600 (read/write for the KMS-Orchestrator process user only).
- Directory permissions: 700 (access for the owner only).
- Key Encryption Key (KEK): The master key used to encrypt private keys is stored in a dedicated secrets manager (AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager in production).
For more details on the encryption scheme, see Encryption at Rest.
Key Lifecycle
The non-exportable rule applies across the entire key lifecycle:
| Key Status | Can Load Private Key? | Allowed Operations |
|---|---|---|
| Active | Yes (internally only) | Encrypt, decrypt, sign, verify |
| Retired | Yes (internally only) | Decrypt, verify only |
| Archived | No | No operations allowed |
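The storage layout under Private Key Storage Details (AES-256-GCM with a unique nonce per file, mode 600 files in a mode 700 directory, a handle as the only thing the database keeps) and the lifecycle table above both come together in the following Go program. It is an added example written for this page, not Qpher's or the KMS-Orchestrator's code: the names `KeyStore`, `NewKeyStore`, `Store`, `LoadPrivateKey` and `Allowed` are assumed, the KEK is passed in by the caller instead of being fetched from a secrets manager, the database is stood in for by an in-memory map, and the handle is a random hex identifier that is also bound into the GCM associated data so a wrapped file cannot be swapped between handles.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Status and Operation mirror the lifecycle table; ExportPrivate is here only to be refused.
type Status int
type Operation int

const (
	Active Status = iota
	Retired
	Archived
)
const (
	Encrypt Operation = iota
	Decrypt
	Sign
	Verify
	ExportPrivate
)

// KeyStore stands in for the KMS-Orchestrator's secure storage (assumed design,
// not Qpher's code). Production would fetch the KEK from a secrets manager.
type KeyStore struct {
	dir    string
	aead   cipher.AEAD       // AES-256-GCM keyed with the KEK
	status map[string]Status // stand-in for the database row: handle -> status
}

func NewKeyStore(dir string, kek []byte) (*KeyStore, error) {
	block, err := aes.NewCipher(kek)
	if err != nil || len(kek) != 32 { // reject AES-128/192 keys as well as junk
		return nil, fmt.Errorf("KEK must be exactly 32 bytes for AES-256-GCM")
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(dir, 0o700); err != nil { // directory mode 700
		return nil, err
	}
	return &KeyStore{dir: dir, aead: g, status: map[string]Status{}}, nil
}

// Store wraps privateKey under a fresh random nonce (the per-file IV) with the handle as
// associated data, writes nonce||ciphertext||tag to <handle>.key (mode 600) and returns the handle.
func (s *KeyStore) Store(privateKey []byte) (string, error) {
	raw := make([]byte, 16+s.aead.NonceSize())
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	handle, nonce := hex.EncodeToString(raw[:16]), raw[16:]
	blob := s.aead.Seal(nonce, nonce, privateKey, []byte(handle))
	if err := os.WriteFile(filepath.Join(s.dir, handle+".key"), blob, 0o600); err != nil {
		return "", err
	}
	s.status[handle] = Active
	return handle, nil
}

// Allowed encodes the lifecycle table: export is never allowed, active keys do
// everything, retired keys only decrypt and verify, archived keys nothing.
func Allowed(st Status, op Operation) bool {
	switch {
	case op == ExportPrivate:
		return false
	case st == Active:
		return true
	case st == Retired:
		return op == Decrypt || op == Verify
	}
	return false
}

// LoadPrivateKey is the only path back to raw key bytes: it serves the orchestrator's own
// decrypt/sign code, is never exposed over an API, and checks handle and policy first.
func (s *KeyStore) LoadPrivateKey(handle string, op Operation) ([]byte, error) {
	st, ok := s.status[handle]
	if !ok || (op != Decrypt && op != Sign) || !Allowed(st, op) {
		return nil, fmt.Errorf("key %q: operation %d refused in status %d", handle, op, st)
	}
	blob, err := os.ReadFile(filepath.Join(s.dir, handle+".key"))
	if err != nil {
		return nil, err
	}
	n := s.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("key %q: wrapped file is truncated", handle)
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(handle)) // fails on any tampering
}
```

Two details carry the security argument of this page: `LoadPrivateKey` is a method on the store, so the only code that can ever see plaintext key bytes is the orchestrator's own decrypt and sign paths, and a caller asking for `ExportPrivate` is refused by the policy regardless of key status. Because the handle is authenticated as associated data, copying a wrapped `.key` file onto another handle, or flipping any byte of nonce, ciphertext or tag, makes `Open` fail rather than yield a wrong key.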
Even when a key is active, only the KMS-Orchestrator can load and use it. No other service in the Qpher platform has access to the raw key material.
Why This Matters
This design eliminates entire categories of risk:
- No key exfiltration: Even if an attacker compromises another service (KEM Service, Signature Service, API Gateway), they cannot extract private keys because those services never have access to them.
- No accidental exposure: Private keys cannot appear in logs, error messages, API responses, or database dumps.
- Auditability: Every use of a private key is logged. You always know when and why a key was used, because every usage goes through the KMS-Orchestrator API.