Post-Quantum Cryptographic Secrets Vault
PQC Production-Ready | Rust 1.75+ | Cedar ABAC | 50+ Tests
Post-Quantum Secrets Vault for Modern Infrastructure
Production-ready ML-KEM-768 + ML-DSA-65 with Cedar policy authorization, pluggable crypto backends, and multi-cloud storage. Deploy post-quantum cryptography today. One config line to enable PQC. No code changes.
Why SecretumVault
The Problem
Current encryption will be broken by quantum computers. Most secret vaults have no PQC migration path. Cloud KMS vendors lock you in. Policy languages are proprietary and ACL-based.
The Solution
Cryptographic agility through pluggable backends. ML-KEM-768 + ML-DSA-65 work today via OQS. Cedar policies are portable. Multi-cloud storage prevents lock-in. Switch backends via config — no recompilation.
Core Capabilities
Post-Quantum Cryptography
ML-KEM-768 (FIPS 203) key encapsulation and ML-DSA-65 (FIPS 204) digital signatures via OQS. NIST compliance verified. Hybrid classical+PQC mode in development.
Secrets Engines
KV (versioned), Transit (encryption-as-a-service), PKI (X.509 certificates), Database (dynamic credentials for PostgreSQL, MySQL, MongoDB). Extensible via trait.
Multi-Backend Storage
etcd (distributed HA), SurrealDB (document + graph with MVCC), PostgreSQL (ACID), filesystem (dev/test). Pluggable via StorageBackend trait.
Cedar Authorization
AWS Cedar policy language for attribute-based access control. Context-aware decisions: IP allowlisting, time-based access, environment constraints. Policy-as-Code.
Cloud-Native
Kubernetes-ready with Helm charts. Docker multi-stage builds (<50MB). Prometheus metrics, structured logging with correlation IDs. NATS event bus for lifecycle notifications.
Enterprise Ready
TLS/mTLS, Shamir Secret Sharing (2-of-3, 3-of-5), token management with TTL/renewal/revocation, full audit logging for SOC2/GDPR/HIPAA compliance.
Technology Stack
Deploy post-quantum cryptography today
Rust-native | Apache 2.0 | Self-Hosted | Multi-Cloud