Crypto Agility and PQC
Fit today: Good (framework) — provider abstraction and rotation protocol shipped; PQC algorithms not ready.
Intended for organizations preparing for algorithm migration, whether driven by the NIST PQC timeline, a security incident, or a FIPS transition.
How KeyRack helps
Algorithm abstraction
KeyRack’s key_spec model abstracts the algorithm:

```json
{"key_spec": "AES_256", "description": "user-data-dek"}
```

When a new algorithm is available (e.g. ML-KEM_768), create new keys with the new spec and use the rotation protocol to re-wrap existing data. Application code calls encrypt/decrypt — KeyRack handles which algorithm to use.
Centralized key inventory
Answer questions like “How many RSA-2048 keys do we have?” or “Which services depend on this key?” from KeyRack’s dependency graph.
Provider-level agility
Switch from software to PKCS#11 to KMIP without changing application code. Multi-provider routing supports gradual backend migration.
Cooperative rotation
The rotation protocol coordinates re-wrapping across services without downtime.
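As an added example, not KeyRack’s own code (the page does not show KeyRack’s real API or storage), the Go program below models the pieces described under “Algorithm abstraction”, “Centralized key inventory” and “Cooperative rotation”: a registry keyed by key_spec that hides the wrap algorithm, an application-facing Encrypt/Decrypt that never names an algorithm, a key ring that records which data key depends on which KEK, and a rotation step that re-wraps data keys under a new KEK without touching data ciphertexts. Every type and function name here (Wrapper, Ring, CreateKEK, CreateDEK, Rotate, the AES_256 registry row) is hypothetical. Only AES-256-GCM is implemented; a request for ML-KEM_768 fails closed, mirroring the status section, and a post-quantum wrap scheme (a KEM plus an AEAD) would be one more registry row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Wrapper is the algorithm behind a key_spec. Only "AES_256" (AES-256-GCM) exists here; a
// post-quantum scheme would be one more registry row. Hypothetical model, not KeyRack's API.
type Wrapper struct {
	KeyLen       int
	Wrap, Unwrap func(key, data []byte) ([]byte, error)
}

var registry = map[string]Wrapper{"AES_256": {32, seal, open}}

// seal returns nonce || ciphertext || tag under a fresh 96-bit nonce; open reverses it.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // never returns an error since Go 1.24
	return append(nonce, a.Seal(nil, nonce, pt, nil)...), nil
}

func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("unusable key or truncated ciphertext")
	}
	a, _ := cipher.NewGCM(block)
	return a.Open(nil, ct[:12], ct[12:], nil)
}

// A KEK is created under a key_spec; a DEK is held only wrapped, plus the KEK it depends on.
// Ring is the centralized inventory: every KEK and every DEK-to-KEK dependency edge.
type KEK struct{ ID, Spec string; Material []byte }
type DEK struct{ Wrapped []byte; KEKID string }
type Ring struct{ KEKs map[string]*KEK; DEKs map[string]*DEK }
func NewRing() *Ring { return &Ring{KEKs: map[string]*KEK{}, DEKs: map[string]*DEK{}} }

// CreateKEK fails closed on a key_spec the registry does not ship yet.
func (r *Ring) CreateKEK(id, spec string) (*KEK, error) {
	w, ok := registry[spec]
	if !ok {
		return nil, fmt.Errorf("key_spec %q not available", spec)
	}
	k := &KEK{ID: id, Spec: spec, Material: make([]byte, w.KeyLen)}
	rand.Read(k.Material)
	r.KEKs[id] = k
	return k, nil
}

// CreateDEK generates a 256-bit data key and stores it wrapped under k.
func (r *Ring) CreateDEK(name string, k *KEK) error {
	dek := make([]byte, 32)
	rand.Read(dek)
	w, err := registry[k.Spec].Wrap(k.Material, dek)
	if err == nil {
		r.DEKs[name] = &DEK{Wrapped: w, KEKID: k.ID}
	}
	return err
}

// withDEK unwraps a DEK through whichever KEK algorithm protects it, then applies op.
func (r *Ring) withDEK(name string, in []byte, op func(key, data []byte) ([]byte, error)) ([]byte, error) {
	d, ok := r.DEKs[name]
	if !ok {
		return nil, fmt.Errorf("unknown DEK %q", name)
	}
	k := r.KEKs[d.KEKID]
	dek, err := registry[k.Spec].Unwrap(k.Material, d.Wrapped)
	if err != nil {
		return nil, err
	}
	return op(dek, in)
}
// Encrypt and Decrypt are all the application ever calls; the KEK algorithm is resolved inside.
func (r *Ring) Encrypt(name string, pt []byte) ([]byte, error) { return r.withDEK(name, pt, seal) }
func (r *Ring) Decrypt(name string, ct []byte) ([]byte, error) { return r.withDEK(name, ct, open) }

// Rotate re-wraps every DEK under `from` to `to` (any shipped key_spec); data ciphertexts are
// untouched and each DEK stays readable at every step, so callers never stop.
func (r *Ring) Rotate(from, to *KEK) error {
	for name, d := range r.DEKs {
		if d.KEKID == from.ID {
			w, err := r.withDEK(name, nil, func(dek, _ []byte) ([]byte, error) { return registry[to.Spec].Wrap(to.Material, dek) })
			if err != nil {
				return err // the record stays intact under `from`
			}
			d.Wrapped, d.KEKID = w, to.ID
		}
	}
	return nil
}
```

Creating a second KEK and calling Rotate(old, new) walks the DEK-to-KEK edges held in the ring, which is also the lookup behind “which keys depend on this KEK?”. A rotation protocol spanning several services would perform the same per-DEK re-wrap under coordination; this single-process model shows the re-wrap itself, not the coordination.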
PQC status (honest)
The architecture supports crypto agility. Post-quantum algorithms are not shipped yet. The framework is PQC-ready; delivering ML-KEM and related algorithms depends on ecosystem maturity and NIST finalization.
Worth positioning now; deliver when algorithms are production-ready.
Related
- Brownfield migration — algorithm migration is a separate axis from caller migration
- Security model — algorithm choices and FIPS boundary