Configuration options for the PQ cryptography infrastructure.
| Variable | Description | Example | Priority |
|---|---|---|---|
OPENSSL_PATH | Path to OpenSSL binaries | C:\OpenSSL\bin | High |
WVDS_CRYPTO_MODE | Default crypto mode | Hybrid | Medium |
WVDS_PQ_KEYSTORE | Path to PQ key store | %LOCALAPPDATA%\WvdS.Crypto\PqKeys | Optional |
# Permanent for all users (Machine scope) [Environment]::SetEnvironmentVariable("OPENSSL_PATH", "C:\Program Files\OpenSSL\bin", "Machine") [Environment]::SetEnvironmentVariable("WVDS_CRYPTO_MODE", "Hybrid", "Machine") # Verify (open new PowerShell) $env:OPENSSL_PATH $env:WVDS_CRYPTO_MODE
# System-wide (/etc/profile.d/) sudo tee /etc/profile.d/wvds-crypto.sh << 'EOF' export OPENSSL_PATH=/usr/local/openssl/lib export WVDS_CRYPTO_MODE=Hybrid EOF # For current user (~/.bashrc or ~/.profile) echo 'export OPENSSL_PATH=/usr/local/openssl/lib' >> ~/.bashrc echo 'export WVDS_CRYPTO_MODE=Hybrid' >> ~/.bashrc # Activate source ~/.bashrc # Verify echo $OPENSSL_PATH echo $WVDS_CRYPTO_MODE
# In ~/.zshrc (default shell on macOS) echo 'export OPENSSL_PATH=$(brew --prefix openssl@3)/lib' >> ~/.zshrc echo 'export WVDS_CRYPTO_MODE=Hybrid' >> ~/.zshrc source ~/.zshrc
| Mode | Description | Usage |
|---|---|---|
Classic | RSA/ECDSA only | Legacy systems, backward compatibility |
Hybrid | RSA + ML-DSA in parallel | Recommended for migration |
PostQuantum | ML-DSA/ML-KEM only | New PQ-only systems |
Recommendation: Use Hybrid during the transition phase. This provides security even if one algorithm is compromised.
The Windows Certificate Store does not support native PQ keys. The library uses a separate side-store:
Default paths:
| OS | Path |
|---|---|
| Windows | %LOCALAPPDATA%\WvdS.Crypto\PqKeys\ |
| Linux | ~/.local/share/wvds-crypto/pqkeys/ |
| macOS | ~/Library/Application Support/WvdS.Crypto/PqKeys/ |
Windows (PowerShell):
# Determine path $pqKeyStore = "$env:LOCALAPPDATA\WvdS.Crypto\PqKeys" # Check existence Test-Path $pqKeyStore # Show permissions Get-Acl $pqKeyStore | Format-List # Set permissions (current user only) icacls $pqKeyStore /inheritance:r /grant:r "$env:USERNAME:(OI)(CI)F"
Linux:
# Path PQ_KEYSTORE=~/.local/share/wvds-crypto/pqkeys # Check existence ls -la $PQ_KEYSTORE # Set permissions (owner read/write only) chmod 700 $PQ_KEYSTORE chmod 600 $PQ_KEYSTORE/* # Verify stat $PQ_KEYSTORE
Important: The PQ key store is not included in Windows Certificate Store backups! Back up this folder separately.
For FIPS 140-3 compliance, the OpenSSL FIPS Provider must be enabled.
# List providers openssl list -providers # Expected output with FIPS: # Providers: # default # fips
Configure openssl.cnf:
# Determine OpenSSL configuration path openssl version -d # Output: OPENSSLDIR: "/usr/local/openssl" # Edit configuration sudo nano /usr/local/openssl/openssl.cnf
Required entries in openssl.cnf:
# At the beginning of the file openssl_conf = openssl_init [openssl_init] providers = provider_sect [provider_sect] fips = fips_sect base = base_sect default = default_sect [fips_sect] activate = 1 [base_sect] activate = 1 [default_sect] activate = 1
Verification:
# Check FIPS status openssl list -providers | grep -i fips # FIPS-validated algorithms openssl list -signature-algorithms -provider fips
Available ML-DSA variants (signatures):
| Algorithm | NIST Level | Public Key | Signature | Recommendation |
|---|---|---|---|---|
| ML-DSA-44 | Level 2 | 1,312 B | 2,420 B | Resource-constrained systems |
| ML-DSA-65 | Level 3 | 1,952 B | 3,309 B | Standard (recommended) |
| ML-DSA-87 | Level 5 | 2,592 B | 4,627 B | Highest security |
Available ML-KEM variants (key exchange):
| Algorithm | NIST Level | Public Key | Ciphertext | Shared Secret |
|---|---|---|---|---|
| ML-KEM-512 | Level 1 | 800 B | 768 B | 32 B |
| ML-KEM-768 | Level 3 | 1,184 B | 1,088 B | 32 B |
| ML-KEM-1024 | Level 5 | 1,568 B | 1,568 B | 32 B |
Check algorithm support:
# All available signature algorithms openssl list -signature-algorithms # ML-DSA specifically openssl list -signature-algorithms | grep -i "ml-dsa" # All KEM algorithms openssl list -kem-algorithms # ML-KEM specifically openssl list -kem-algorithms | grep -i "ml-kem"
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional