QubeSec/QubeSec

QubeSec

A Kubernetes operator for post-quantum cryptography providing custom resource definitions (CRDs) and controllers for quantum-safe key generation, key encapsulation, key derivation, and certificate management.

Overview

QubeSec leverages liboqs and OpenSSL with oqs-provider to integrate post-quantum cryptographic algorithms into Kubernetes. All cryptographic operations are automated through custom controllers that orchestrate the NIST-standardized quantum-safe algorithms (Kyber, Dilithium, etc.). For broader ecosystem context, see the Open Quantum Safe project and the Post-Quantum Cryptography Alliance.

Key Features

  • Quantum-Safe Key Generation: Generate Kyber KEM keypairs and Dilithium/Falcon/SPHINCS+ signature keypairs
  • Key Encapsulation: Derive shared secrets using KEM encapsulation from public keys
  • Key Decapsulation: Recover shared secrets using KEM decapsulation with private key and ciphertext
  • Key Derivation: Generate AES-256 keys from shared secrets using HKDF-SHA256
  • Quantum Signatures: Sign messages and verify signatures with post-quantum algorithms (ML-DSA, SLH-DSA)
  • Quantum Certificates: Create X.509 certificates with post-quantum algorithms
  • Random Number Generation: Generate cryptographically secure random bytes via liboqs (system or OpenSSL oqs-provider)
  • Secure Secret Storage: All keys stored as raw binary data in Kubernetes Secrets
  • Key Fingerprinting: SHA256 fingerprints for keys, messages, and secrets for verification without exposing material
  • Ciphertext Bridging: Decapsulation can pull ciphertext directly from a referenced QuantumEncapsulateSecret status
  • Automated Workflows: Chainable controllers (KEM → Shared Secret → Derived Key)

Supported Algorithms

  • Key Encapsulation: Kyber512/768/1024 (ML-KEM - NIST-standardized post-quantum KEM)
  • Digital Signatures: Dilithium2/3/5 (ML-DSA), Falcon512/1024, SPHINCS+-SHA2 (NIST post-quantum signatures)

Why Post-Quantum Cryptography Now?

Governments and cybersecurity agencies worldwide have issued official guidance directing organizations to begin migrating to post-quantum cryptography. Below are key authoritative documents:

Government Directives & Agency Guidance

  1. White House / OMB — Memorandum M-23-02 (November 2022)
    • Formal U.S. government memo instructing federal agencies to prepare and begin migration planning to post-quantum cryptography
  2. CISA / NSA / NIST — Quantum Readiness Resource (August 2023)
    • Joint playbook recommending organizations start now with inventory, vendor engagement, and roadmap planning
  3. NIST — IR 8547: Transition to Post-Quantum Cryptography Standards (November 2024)
    • Technical guidance on transitioning from vulnerable algorithms to NIST-standardized PQC algorithms
  4. UK NCSC — Next Steps in Preparing for Post-Quantum Cryptography (August 2024)
    • Explicit timelines and migration steps for UK organizations with concrete deadlines
  5. ENISA — Post-Quantum Cryptography Reports (May 2021)
    • EU-level guidance on migration planning and readiness for member states
  6. DoD / NSA — CNSA Suite 2.0 (December 2024)
    • Defense-grade requirements for quantum-resistant algorithms in national security systems
  7. India TEC — Migration to Post-Quantum Cryptography (January 2025)
    • National technical guidance for critical infrastructure quantum-safe measures

Documentation
