<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 --> <p>Post-quantum cryptography (PQC) addresses the threat that quantum computers pose to the cryptographic systems in use today. Geode&rsquo;s post-quantum preparedness strategy protects sensitive graph data against both current and future threats: by combining strong symmetric encryption, mandatory forward secrecy, and cryptographic agility, it keeps data protected as quantum computing advances.</p> <h3 id="the-quantum-threat" class="position-relative d-flex align-items-center group"> <span>The Quantum Threat</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="the-quantum-threat" aria-haspopup="dialog" aria-label="Share link: The Quantum Threat"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3> <h4 id="understanding-quantum-computing-risks" class="position-relative d-flex 
align-items-center group"> <span>Understanding Quantum Computing Risks</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="understanding-quantum-computing-risks" aria-haspopup="dialog" aria-label="Share link: Understanding Quantum Computing Risks"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Current asymmetric cryptography (RSA, ECC) relies on mathematical problems that quantum computers can solve efficiently:</p> <table> <thead> <tr> <th>Algorithm</th> <th>Classical Security</th> <th>Quantum Attack</th> <th>Threat Level</th> </tr> </thead> <tbody> <tr> <td>RSA-2048</td> <td>112-bit</td> <td>Shor&rsquo;s Algorithm</td> <td>Critical</td> </tr> <tr> <td>ECDSA P-256</td> <td>128-bit</td> <td>Shor&rsquo;s Algorithm</td> <td>Critical</td> </tr> <tr> <td>ECDH/X25519</td> <td>128-bit</td> <td>Shor&rsquo;s Algorithm</td> <td>Critical</td> </tr> <tr> <td>AES-256</td> <td>256-bit</td> <td>Grover&rsquo;s Algorithm</td> <td>Manageable (128-bit)</td> </tr> <tr> <td>SHA-256</td> <td>256-bit</td> <td>Grover&rsquo;s Algorithm</td> <td>Manageable (128-bit)</td> </tr> </tbody> </table> <p><strong>Key insight</strong>: Symmetric cryptography (AES) and hash functions (SHA) remain relatively secure against quantum attacks, but asymmetric cryptography used for key exchange and signatures is vulnerable.</p> <h4 id="store-now-decrypt-later-sndl" class="position-relative d-flex align-items-center group"> <span>Store Now, Decrypt Later (SNDL)</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="store-now-decrypt-later-sndl" aria-haspopup="dialog" aria-label="Share link: Store Now, Decrypt Later (SNDL)"> <i class="fa-sharp-duotone fa-solid 
fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>The most immediate quantum threat is the &ldquo;harvest now, decrypt later&rdquo; attack:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Current Reality: </span></span><span class="line"><span class="cl"> 1. Adversary records encrypted network traffic </span></span><span class="line"><span class="cl"> 2. Traffic encrypted with classical cryptography </span></span><span class="line"><span class="cl"> 3. Storage is cheap - bulk collection is feasible </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Future Scenario: </span></span><span class="line"><span class="cl"> 1. Cryptographically relevant quantum computer (CRQC) becomes available </span></span><span class="line"><span class="cl"> 2. Adversary decrypts historical traffic </span></span><span class="line"><span class="cl"> 3. 
Sensitive data exposed years after transmission </span></span></code></pre></div> <h3 id="geodes-post-quantum-strategy" class="position-relative d-flex align-items-center group"> <span>Geode&rsquo;s Post-Quantum Strategy</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="geodes-post-quantum-strategy" aria-haspopup="dialog" aria-label="Share link: Geode's Post-Quantum Strategy"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3>
<h4 id="layer-1-strong-symmetric-encryption" class="position-relative d-flex align-items-center group"> <span>Layer 1: Strong Symmetric Encryption</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="layer-1-strong-symmetric-encryption" aria-haspopup="dialog" aria-label="Share link: Layer 1: Strong Symmetric Encryption"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>AES-256 provides post-quantum security for data at rest and in transit: Grover&rsquo;s algorithm halves its effective strength to 128 bits, which the table above rates as manageable.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml
encryption:
  at_rest:
    enabled: true
    algorithm: "aes-256-gcm"  # 128-bit post-quantum security
    key_size: 256

  cipher_suites:
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256</code></pre></div>
<h4 id="layer-2-mandatory-forward-secrecy" class="position-relative d-flex align-items-center group"> <span>Layer 2: Mandatory Forward Secrecy</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="layer-2-mandatory-forward-secrecy" aria-haspopup="dialog" aria-label="Share link: Layer 2: Mandatory Forward Secrecy"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Forward secrecy limits the value of a future key compromise:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml
tls:
  min_version: "1.3"  # Forward secrecy required
  session_resumption:
    enabled: true
    ticket_lifetime: 3600  # Short ticket lifetime</code></pre></div>
<p><strong>Why this matters</strong>: Session keys are derived from ephemeral key shares and are never transmitted, so a later compromise of a server&rsquo;s long-term keys does not expose past sessions. Against a quantum break of the key exchange algorithm itself this layer is not enough on its own: a CRQC could recover an ephemeral X25519 secret from the recorded key shares, which is the store-now, decrypt-later scenario above and the reason Layer 3 adds a hybrid key exchange.</p>
<h4 id="layer-3-cryptographic-agility" class="position-relative d-flex align-items-center group"> <span>Layer 3: Cryptographic Agility</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="layer-3-cryptographic-agility" aria-haspopup="dialog" aria-label="Share link: Layer 3: Cryptographic Agility"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p>Geode&rsquo;s architecture supports algorithm updates without major changes:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml
cryptography:
  agility:
    enabled: true
    key_exchange:
      preferred:
        - "ML-KEM-768"  # Post-quantum (when available)
        - "X25519"      # Classical fallback
      hybrid_mode: true</code></pre></div>
<h3 id="nist-post-quantum-standards" class="position-relative d-flex align-items-center group"> <span>NIST Post-Quantum Standards</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="nist-post-quantum-standards" aria-haspopup="dialog" aria-label="Share link: NIST Post-Quantum Standards"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3>
<h4 id="selected-algorithms" class="position-relative d-flex align-items-center group"> <span>Selected Algorithms</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="selected-algorithms" aria-haspopup="dialog" aria-label="Share link: Selected Algorithms"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4><p><strong>Key Encapsulation (Key Exchange)</strong>:</p>
<table> <thead> <tr> <th>Standard</th> <th>Algorithm</th> <th>Security Level</th> <th>Key Size</th> <th>Ciphertext Size</th> </tr> </thead> <tbody> <tr> <td>FIPS 203</td> <td>ML-KEM-512</td> <td>1 (128-bit)</td> <td>800 bytes</td> <td>768 bytes</td> </tr> <tr> <td>FIPS 203</td> <td>ML-KEM-768</td> <td>3 (192-bit)</td> <td>1,184 bytes</td> <td>1,088 bytes</td> </tr> <tr> <td>FIPS 203</td> <td>ML-KEM-1024</td> <td>5 (256-bit)</td> <td>1,568 bytes</td> <td>1,568 bytes</td> </tr> </tbody> </table>
<p><strong>Digital Signatures</strong>:</p>
<table> <thead> <tr> <th>Standard</th> <th>Algorithm</th> <th>Security Level</th> <th>Public Key</th> <th>Signature</th> </tr> </thead> <tbody> <tr> <td>FIPS 204</td> <td>ML-DSA-44</td> <td>2 (128-bit)</td> <td>1,312 bytes</td> <td>2,420 bytes</td> </tr> <tr> <td>FIPS 204</td> <td>ML-DSA-65</td> <td>3 (192-bit)</td> <td>1,952 bytes</td> <td>3,293 bytes</td> </tr> <tr> <td>FIPS 204</td> <td>ML-DSA-87</td> <td>5 (256-bit)</td> <td>2,592 bytes</td> <td>4,595 bytes</td> </tr> </tbody> </table>
<h4 id="recommended-configuration" class="position-relative d-flex align-items-center group"> <span>Recommended Configuration</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="recommended-configuration" aria-haspopup="dialog" aria-label="Share link: Recommended Configuration"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Standard Security (most use cases)
cryptography:
  post_quantum:
    key_encapsulation: "ML-KEM-768"  # NIST Level 3
    signature: "ML-DSA-65"           # NIST Level 3

# High Security (government, financial)
cryptography:
  post_quantum:
    key_encapsulation: "ML-KEM-1024"  # NIST Level 5
    signature: "ML-DSA-87"            # NIST Level 5</code></pre></div>
<h3 id="hybrid-cryptography" class="position-relative d-flex align-items-center group"> <span>Hybrid Cryptography</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hybrid-cryptography" aria-haspopup="dialog" aria-label="Share link: Hybrid Cryptography"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h3><p>Hybrid mode combines classical and post-quantum algorithms for defense in depth: the session key is derived from both shared secrets, so an attacker has to break both algorithms to recover it.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Hybrid Key Exchange:
  classical_secret = X25519(client_private, server_public)
  pq_secret        = ML-KEM.Decapsulate(ciphertext, client_private)
  shared_secret    = KDF(classical_secret || pq_secret)

Security: Attacker must break BOTH algorithms</code></pre></div>
<h4 id="configuration" class="position-relative d-flex align-items-center group"> <span>Configuration</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration" aria-haspopup="dialog" aria-label="Share link: Configuration"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> </h4>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml
tls:
  hybrid:
    enabled: true
    mode: "require"
    key_exchange:
      classical: "X25519"
      post_quantum: "ML-KEM-768"
    authentication:
      classical: "Ed25519"
      post_quantum: "ML-DSA-65"</code></pre></div>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode serve --tls-hybrid=enabled \
  --tls-hybrid-kex=X25519+ML-KEM-768

geode tls-status --verbose
# Hybrid Mode: Enabled
# Key Exchange: X25519 + ML-KEM-768</code></pre></div>
<h3 id="migration-planning" class="position-relative d-flex align-items-center group"> <span>Migration Planning</span> <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="migration-planning" aria-haspopup="dialog" aria-label="Share link: Migration Planning"> <i class="fa-sharp-duotone fa-solid fa-share-nodes" aria-hidden="true" style="font-size: 0.8em;"></i> <span class="visually-hidden">Share link</span> </button> 
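</h3>
<p>The hybrid exchange above, carried out end to end as an added example (not Geode&rsquo;s code): a client and a server run one X25519 + ML-KEM-768 handshake in Go using only the standard library (<code>crypto/ecdh</code> and <code>crypto/mlkem</code>; the latter needs Go 1.24 or newer). The <code>keyShare</code> message layout, the KDF salt and the info label are assumptions made for this example. Every key pair is generated for the one handshake and then dropped, which is the forward-secrecy property Layer 2 relies on, and the two ML-KEM messages come out at the 1,184- and 1,088-byte sizes listed in the FIPS 203 table.</p>

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyShare is one handshake message (layout assumed for this example). The client's
// kem field is its ML-KEM-768 encapsulation key; the server's is the ciphertext.
type keyShare struct {
	x25519Public []byte
	kem          []byte
}

// x25519Secret is classical_secret = X25519(own_private, peer_public).
func x25519Secret(priv *ecdh.PrivateKey, peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(peer)
}

// serverRespond derives the server's copy of the session key and builds the reply.
func serverRespond(in keyShare) (keyShare, []byte, error) {
	sk, err := ecdh.X25519().GenerateKey(rand.Reader) // ephemeral, per connection
	if err != nil {
		return keyShare{}, nil, err
	}
	classical, err := x25519Secret(sk, in.x25519Public)
	if err != nil {
		return keyShare{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(in.kem)
	if err != nil {
		return keyShare{}, nil, err
	}
	pq, ct := ek.Encapsulate() // pq_secret stays local; only the ciphertext is sent
	return keyShare{sk.PublicKey().Bytes(), ct}, hybridKDF(classical, pq), nil
}

// clientFinish is the client side of the page's pseudocode: X25519 with the
// server's public key, ML-KEM decapsulation of the ciphertext, then the KDF.
func clientFinish(xk *ecdh.PrivateKey, dk *mlkem.DecapsulationKey768, in keyShare) ([]byte, error) {
	classical, err := x25519Secret(xk, in.x25519Public)
	if err != nil {
		return nil, err
	}
	pq, err := dk.Decapsulate(in.kem)
	if err != nil {
		return nil, err
	}
	return hybridKDF(classical, pq), nil
}

// hybridKDF is shared_secret = KDF(classical_secret || pq_secret), here HKDF-SHA256
// (extract, then one expand block) with constructed labels. The output depends on
// both inputs, so recovering it means breaking X25519 and ML-KEM alike; both sides
// must use the same concatenation order.
func hybridKDF(classical, pq []byte) []byte {
	extract := hmac.New(sha256.New, []byte("example-hybrid-salt"))
	extract.Write(classical)
	extract.Write(pq)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("X25519+ML-KEM-768 session key\x01"))
	return expand.Sum(nil)
}

// runHandshake runs one full exchange and returns both session keys plus the ML-KEM message sizes.
func runHandshake() (clientKey, serverKey []byte, ekLen, ctLen int, err error) {
	// Client key pairs exist for this handshake only (forward secrecy).
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return
	}
	c2s := keyShare{xk.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()}
	s2c, serverKey, err := serverRespond(c2s)
	if err != nil {
		return
	}
	clientKey, err = clientFinish(xk, dk, s2c)
	return clientKey, serverKey, len(c2s.kem), len(s2c.kem), err
}

func main() {
	ck, sk, ekLen, ctLen, err := runHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("session keys match: %v (encap key %d B, ciphertext %d B)\n",
		hmac.Equal(ck, sk), ekLen, ctLen)
}
```

<h3 hidden>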
</h3>
<h4 id="migration-timeline" class="position-relative d-flex align-items-center group"><span>Migration Timeline</span></h4>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Phase 1: Assessment (Current)
  - Inventory cryptographic assets
  - Identify sensitive long-term data

Phase 2: Preparation
  - Enable cryptographic agility
  - Test PQC algorithms in staging

Phase 3: Hybrid Deployment
  - Deploy hybrid TLS configuration
  - Monitor performance impact

Phase 4: Full PQC (Future)
  - Transition to pure PQC
  - Deprecate classical algorithms
</code></pre></div>
<h4 id="assessment" class="position-relative d-flex align-items-center group"><span>Assessment</span></h4>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode crypto-audit --comprehensive

# Output:
# Current Cryptographic Inventory:
#   TLS Key Exchange: X25519 (classical, quantum-vulnerable)
#   Data Encryption: AES-256-GCM (quantum-resistant)
#
# Recommendations:
#   - Enable hybrid key exchange when available
#   - Current data-at-rest encryption is quantum-safe
</code></pre></div>
<h3 id="performance-considerations" class="position-relative d-flex align-items-center group"><span>Performance Considerations</span></h3>
<h4 id="key-exchange-performance" class="position-relative d-flex align-items-center group"><span>Key Exchange Performance</span></h4>
<table>
  <thead>
    <tr><th>Algorithm</th><th>Key Gen</th><th>Encaps</th><th>Decaps</th><th>Total</th></tr>
  </thead>
  <tbody>
    <tr><td>X25519 (classical)</td><td>0.02 ms</td><td>0.02 ms</td><td>0.02 ms</td><td>0.06 ms</td></tr>
    <tr><td>ML-KEM-768 (PQC)</td><td>0.08 ms</td><td>0.10 ms</td><td>0.12 ms</td><td>0.30 ms</td></tr>
    <tr><td>Hybrid (X25519+KEM)</td><td>0.10 ms</td><td>0.12 ms</td><td>0.14 ms</td><td>0.36 ms</td></tr>
  </tbody>
</table>
<h4 id="optimization" class="position-relative d-flex align-items-center group"><span>Optimization</span></h4>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">performance:
  post_quantum:
    session_resumption:
      enabled: true
      ticket_lifetime: 86400
    connection_pooling:
      enabled: true
      max_idle_connections: 100
    acceleration:
      avx2: true
</code></pre></div>
<h3 id="compliance-and-standards" class="position-relative d-flex align-items-center group"><span>Compliance and Standards</span></h3>
<h4 id="regulatory-guidance" class="position-relative d-flex align-items-center group"><span>Regulatory Guidance</span></h4>
<ul>
  <li><strong>NIST</strong>: FIPS 203, 204, 205 (ML-KEM, ML-DSA, SLH-DSA)</li>
  <li><strong>NSA CNSA 2.0</strong>: Post-quantum requirements for national security systems</li>
  <li><strong>CISA</strong>: Post-quantum migration guidance for critical infrastructure</li>
</ul>
<h4 id="compliance-configuration" class="position-relative d-flex align-items-center group"><span>Compliance Configuration</span></h4>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># CNSA 2.0 compliant configuration
compliance:
  standard: "CNSA-2.0"
  cryptography:
    symmetric: "AES-256"
    hash: "SHA-384"
    key_exchange: "ML-KEM-1024"
    signature: "ML-DSA-87"
</code></pre></div>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode compliance-check --standard=CNSA-2.0
# Symmetric Encryption: COMPLIANT (AES-256-GCM)
# Key Exchange: PREPARING (X25519 -&gt; ML-KEM-1024)
</code></pre></div>
<h3 id="monitoring" class="position-relative d-flex align-items-center group"><span>Monitoring</span></h3>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode crypto-status

# Cryptographic Status:
#   TLS Version: 1.3
#   Forward Secrecy: Enabled
#   Cipher: AES-256-GCM (quantum-resistant)
#   Hybrid Mode: Available
#
# Post-Quantum Readiness:
#   - Data-at-rest: Protected (AES-256)
#   - Forward secrecy: Limiting SNDL exposure
#   - Algorithm agility: Enabled
</code></pre></div>
<h3 id="best-practices" class="position-relative d-flex align-items-center group"><span>Best Practices</span></h3>
<h4 id="immediate-actions" class="position-relative d-flex align-items-center group"><span>Immediate Actions</span></h4>
<ol>
  <li><strong>Enable AES-256</strong>: Use 256-bit symmetric encryption</li>
  <li><strong>Enforce TLS 1.3</strong>: Mandatory forward secrecy</li>
  <li><strong>Enable Agility</strong>: Prepare for algorithm updates</li>
  <li><strong>Audit Cryptography</strong>: Inventory all cryptographic usage</li>
  <li><strong>Classify Data</strong>: Identify long-term sensitive data</li>
</ol>
<h4 id="long-term-strategy" class="position-relative d-flex align-items-center group"><span>Long-term Strategy</span></h4>
<ol>
  <li><strong>Deploy Hybrid</strong>: Enable hybrid cryptography</li>
  <li><strong>Migrate to PQC</strong>: Transition to pure post-quantum</li>
  <li><strong>Continuous Assessment</strong>: Regular security audits</li>
  <li><strong>Stay Current</strong>: Update algorithms as standards evolve</li>
</ol>
<h3 id="related-topics" class="position-relative d-flex align-items-center group"><span>Related Topics</span></h3>
<ul>
  <li><a href="/tags/forward-secrecy/">Forward Secrecy</a> - Ephemeral key exchange</li>
  <li><a href="/tags/tls/">TLS Encryption</a> - Transport security configuration</li>
  <li><a href="/tags/encryption/">Encryption</a> - Data encryption at rest</li>
  <li><a href="/tags/security/">Security</a> - Security overview</li>
  <li><a href="/tags/compliance/">Compliance</a> - Regulatory requirements</li>
  <li><a href="/tags/authentication/">Authentication</a> - Identity verification</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group"><span>Further Reading</span></h3>
<ul>
  <li><a href="/docs/architecture/security-architecture/">Security Architecture</a> - Security design</li>
  <li><a href="/docs/ops/deployment/">Deployment Guide</a> - Production deployment</li>
  <li>NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)</li>
  <li>NSA CNSA 2.0 Commercial National Security Algorithm Suite</li>
  <li>CISA Post-Quantum Cryptography Initiative</li>
</ul>
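<p>The Hybrid (X25519+KEM) row in the Key Exchange Performance table and the "Hybrid Mode" line in the monitoring output both depend on one step that the tables do not show: turning two shared secrets into a single session key. The block below is an added example, not Geode's code or its handshake implementation. It shows the concatenate-then-HKDF combiner used by hybrid TLS designs, built from the Python standard library only; the X25519 and ML-KEM secrets are constructed stand-ins drawn from <code>os.urandom</code>, and the <code>info</code> label string is an assumption of the example.</p>

```python
"""Hybrid (classical + post-quantum) shared-secret combiner.

Added example, not Geode's own code. It uses only the standard library and
constructed stand-in secrets; a real handshake would take `ss_classical`
from an X25519 exchange and `ss_pqc` from an ML-KEM-768 decapsulation
(both are 32 bytes).
"""
import hashlib
import hmac
import os

# CNSA 2.0 lists SHA-384; the KDF below is HKDF (RFC 5869) built from HMAC.
DEFAULT_HASH = hashlib.sha384
SECRET_LEN = 32  # byte length of both X25519 and ML-KEM-768 shared secrets


def hkdf_extract(salt: bytes, ikm: bytes, hash_fn=DEFAULT_HASH) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt means a zero-filled one."""
    if not salt:
        salt = b"\x00" * hash_fn().digest_size
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_fn=DEFAULT_HASH) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    if length > 255 * hash_fn().digest_size:
        raise ValueError("requested length exceeds the HKDF limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid_secret(ss_classical: bytes, ss_pqc: bytes,
                          transcript_hash: bytes, length: int = 32) -> bytes:
    """Derive a session key from BOTH shared secrets.

    The KDF input is the concatenation ss_classical || ss_pqc, so reproducing
    the key requires both halves. A future quantum break of X25519 alone does
    not expose traffic recorded today (the store-now-decrypt-later case), and a
    flaw in the newer KEM alone does not drop security below the classical level.
    """
    if len(ss_classical) != SECRET_LEN or len(ss_pqc) != SECRET_LEN:
        raise ValueError("both shared secrets must be %d bytes" % SECRET_LEN)
    prk = hkdf_extract(salt=b"", ikm=ss_classical + ss_pqc)
    # Mixing the handshake transcript into `info` binds the key to this session.
    # The label string is an assumption of the example, not a Geode constant.
    return hkdf_expand(prk, b"hybrid session key" + transcript_hash, length)


def known_answer_check() -> bool:
    """RFC 5869 Appendix A test case 1 (HMAC-SHA-256), run against this HKDF."""
    ikm = b"\x0b" * 22
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm, hash_fn=hashlib.sha256)
    okm = hkdf_expand(prk, info, 42, hash_fn=hashlib.sha256)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def simulate_hybrid_handshake() -> dict:
    """Constructed stand-in for one handshake: both peers derive the same key,
    while a party that learned only the classical secret does not."""
    ss_classical = os.urandom(SECRET_LEN)   # stand-in for the X25519 result
    ss_pqc = os.urandom(SECRET_LEN)         # stand-in for the ML-KEM result
    transcript = hashlib.sha384(b"constructed ClientHello||ServerHello").digest()
    client_key = combine_hybrid_secret(ss_classical, ss_pqc, transcript)
    server_key = combine_hybrid_secret(ss_classical, ss_pqc, transcript)
    # A recorder that later breaks X25519 knows ss_classical but not ss_pqc.
    classical_only = combine_hybrid_secret(ss_classical, b"\x00" * SECRET_LEN, transcript)
    return {
        "peers_agree": client_key == server_key,
        "classical_only_recovers_key": classical_only == client_key,
        "key_len": len(client_key),
    }


if __name__ == "__main__":
    assert known_answer_check(), "HKDF does not match the RFC 5869 vector"
    print(simulate_hybrid_handshake())
```

<p>The known-answer check is there for the same reason a practitioner would keep one in a deployment: a KDF that "works" but deviates from the specification silently produces keys the peer cannot reproduce, and interoperability failures in hybrid handshakes usually come from the combiner rather than from the KEM.</p>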
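<p>The <code>geode crypto-audit</code> and <code>geode compliance-check</code> output in the Assessment and Compliance Configuration sections above classify each primitive as quantum-vulnerable or quantum-resistant and grade it against CNSA 2.0. The block below is an added example, not Geode's implementation of those commands: it reproduces that classification and grading logic in Python over a constructed inventory that mirrors the page's output. The algorithm sets follow the public CNSA 2.0 guidance; the <code>SAMPLE_PLANNED</code> map used to produce a PREPARING status is an assumption of the example.</p>

```python
"""Cryptographic inventory classification and a CNSA 2.0 readiness check.

Added example, not Geode's own code. The inventory below is constructed; the
CNSA 2.0 sets follow the public NSA list (AES-256, SHA-384/SHA-512,
ML-KEM-1024, ML-DSA-87, plus LMS/XMSS for software and firmware signing).
"""
from typing import Dict, List, Optional


def _compact(name: str) -> str:
    """Normalise spellings such as 'ML-KEM-1024' / 'ml_kem_1024' to 'MLKEM1024'."""
    return name.upper().replace("-", "").replace("_", "")


# Public-key schemes resting on factoring or discrete logarithms: broken
# outright by Shor's algorithm on a large enough quantum computer.
SHOR_VULNERABLE = {"X25519", "X448", "P256", "P384", "P521", "SECP256R1",
                   "SECP384R1", "RSA2048", "RSA3072", "RSA4096", "ECDSAP256",
                   "ECDSAP384", "ED25519", "FFDHE2048", "FFDHE3072"}

# Symmetric ciphers whose key is only 128 bits: Grover's algorithm halves the
# effective key length, which is why the page (and CNSA 2.0) insist on AES-256.
GROVER_WEAKENED = {"AES128", "AES128GCM"}

# Primitives with no known quantum shortcut beyond Grover's square-root speedup.
QUANTUM_RESISTANT = {"AES256", "AES256GCM", "CHACHA20POLY1305", "SHA256",
                     "SHA384", "SHA512", "MLKEM512", "MLKEM768", "MLKEM1024",
                     "MLDSA44", "MLDSA65", "MLDSA87", "LMS", "XMSS"}

CNSA_2_0 = {
    "symmetric": {"AES256", "AES256GCM"},
    "hash": {"SHA384", "SHA512"},
    "key_exchange": {"MLKEM1024"},
    "signature": {"MLDSA87", "LMS", "XMSS"},
}


def classify_quantum(algorithm: str) -> str:
    """Return one of: quantum-resistant, quantum-weakened, quantum-vulnerable, hybrid, unknown."""
    name = _compact(algorithm)
    if name in QUANTUM_RESISTANT:
        return "quantum-resistant"
    if name in GROVER_WEAKENED:
        return "quantum-weakened"
    if name in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    # Hybrid key-exchange names concatenate a classical and a PQC component.
    if "MLKEM" in name and any(c in name for c in ("X25519", "X448", "P256", "P384")):
        return "hybrid"
    return "unknown"


def compliance_report(current: Dict[str, str],
                      planned: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Grade each category COMPLIANT / PREPARING / NON-COMPLIANT against CNSA 2.0.

    PREPARING mirrors the page's 'X25519 -> ML-KEM-1024' line: the algorithm in
    use is not yet compliant, but a compliant replacement is scheduled.
    """
    planned = planned or {}
    report = {}
    for category, allowed in CNSA_2_0.items():
        now = current.get(category)
        if now is None:
            report[category] = "UNKNOWN (not inventoried)"
        elif _compact(now) in allowed:
            report[category] = "COMPLIANT (%s)" % now
        elif category in planned and _compact(planned[category]) in allowed:
            report[category] = "PREPARING (%s -> %s)" % (now, planned[category])
        else:
            report[category] = "NON-COMPLIANT (%s)" % now
    return report


def recommendations(current: Dict[str, str]) -> List[str]:
    """Derive the recommendation lines from the quantum classification."""
    recs = []
    if classify_quantum(current.get("key_exchange", "")) == "quantum-vulnerable":
        recs.append("Enable hybrid key exchange when available")
    symmetric = classify_quantum(current.get("symmetric", ""))
    if symmetric == "quantum-resistant":
        recs.append("Current data-at-rest encryption is quantum-safe")
    elif symmetric == "quantum-weakened":
        recs.append("Move symmetric encryption to a 256-bit key (AES-256)")
    if classify_quantum(current.get("signature", "")) == "quantum-vulnerable":
        recs.append("Plan a signature migration to ML-DSA")
    return recs


# Constructed inventory matching the crypto-audit output on the page.
SAMPLE_INVENTORY = {"key_exchange": "X25519", "symmetric": "AES-256-GCM",
                    "hash": "SHA-384", "signature": "ECDSA-P384"}
# Assumed migration targets; the page only shows ML-KEM-1024 as the key-exchange target.
SAMPLE_PLANNED = {"key_exchange": "ML-KEM-1024", "signature": "ML-DSA-87"}


if __name__ == "__main__":
    for cat, alg in SAMPLE_INVENTORY.items():
        print("%-13s %-12s %s" % (cat, alg, classify_quantum(alg)))
    for cat, status in compliance_report(SAMPLE_INVENTORY, SAMPLE_PLANNED).items():
        print("%-13s %s" % (cat, status))
    print(recommendations(SAMPLE_INVENTORY))
```

<p>Two points from the classification are easy to miss in the page's two-line audit output: a 128-bit symmetric key is not "broken" but is weakened by Grover's search, and a hybrid group name is neither classical nor pure PQC and should be tracked as its own transitional state until the pure ML-KEM-1024 target of the compliance configuration is reached.</p>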
