Inhaltsverzeichnis
3.2 Configuration
Configuration options for the PQ cryptography infrastructure.
Environment Variables
| Variable | Description | Example | Priority |
|---|---|---|---|
OPENSSL_PATH | Path to OpenSSL binaries | C:\OpenSSL\bin | High |
WVDS_CRYPTO_MODE | Default crypto mode | Hybrid | Medium |
WVDS_PQ_KEYSTORE | Path to PQ key store | %LOCALAPPDATA%\WvdS.Crypto\PqKeys | Optional |
Windows (PowerShell as Administrator)
# Permanent for all users (Machine scope) [Environment]::SetEnvironmentVariable("OPENSSL_PATH", "C:\Program Files\OpenSSL\bin", "Machine") [Environment]::SetEnvironmentVariable("WVDS_CRYPTO_MODE", "Hybrid", "Machine") # Verify (open new PowerShell) $env:OPENSSL_PATH $env:WVDS_CRYPTO_MODE
Linux
# System-wide (/etc/profile.d/) sudo tee /etc/profile.d/wvds-crypto.sh << 'EOF' export OPENSSL_PATH=/usr/local/openssl/lib export WVDS_CRYPTO_MODE=Hybrid EOF # For current user (~/.bashrc or ~/.profile) echo 'export OPENSSL_PATH=/usr/local/openssl/lib' >> ~/.bashrc echo 'export WVDS_CRYPTO_MODE=Hybrid' >> ~/.bashrc # Activate source ~/.bashrc # Verify echo $OPENSSL_PATH echo $WVDS_CRYPTO_MODE
macOS
# In ~/.zshrc (default shell on macOS) echo 'export OPENSSL_PATH=$(brew --prefix openssl@3)/lib' >> ~/.zshrc echo 'export WVDS_CRYPTO_MODE=Hybrid' >> ~/.zshrc source ~/.zshrc
Crypto Modes
| Mode | Description | Usage |
|---|---|---|
Classic | RSA/ECDSA only | Legacy systems, backward compatibility |
Hybrid | RSA + ML-DSA in parallel | Recommended for migration |
PostQuantum | ML-DSA/ML-KEM only | New PQ-only systems |
Recommendation: Use Hybrid during the transition phase. This provides security even if one algorithm is compromised.
PQ Key Store
The Windows Certificate Store does not support native PQ keys. The library uses a separate side-store:
Default paths:
| OS | Path |
|---|---|
| Windows | %LOCALAPPDATA%\WvdS.Crypto\PqKeys\ |
| Linux | ~/.local/share/wvds-crypto/pqkeys/ |
| macOS | ~/Library/Application Support/WvdS.Crypto/PqKeys/ |
Check Permissions
Windows (PowerShell):
# Determine path $pqKeyStore = "$env:LOCALAPPDATA\WvdS.Crypto\PqKeys" # Check existence Test-Path $pqKeyStore # Show permissions Get-Acl $pqKeyStore | Format-List # Set permissions (current user only) icacls $pqKeyStore /inheritance:r /grant:r "$env:USERNAME:(OI)(CI)F"
Linux:
# Path PQ_KEYSTORE=~/.local/share/wvds-crypto/pqkeys # Check existence ls -la $PQ_KEYSTORE # Set permissions (owner read/write only) chmod 700 $PQ_KEYSTORE chmod 600 $PQ_KEYSTORE/* # Verify stat $PQ_KEYSTORE
Important: The PQ key store is not included in Windows Certificate Store backups! Back up this folder separately.
FIPS Mode (OpenSSL)
For FIPS 140-3 compliance, the OpenSSL FIPS Provider must be enabled.
Check FIPS Provider Status
# List providers openssl list -providers # Expected output with FIPS: # Providers: # default # fips
Enable FIPS Provider
Configure openssl.cnf:
# Determine OpenSSL configuration path openssl version -d # Output: OPENSSLDIR: "/usr/local/openssl" # Edit configuration sudo nano /usr/local/openssl/openssl.cnf
Required entries in openssl.cnf:
# At the beginning of the file openssl_conf = openssl_init [openssl_init] providers = provider_sect [provider_sect] fips = fips_sect base = base_sect default = default_sect [fips_sect] activate = 1 [base_sect] activate = 1 [default_sect] activate = 1
Verification:
# Check FIPS status openssl list -providers | grep -i fips # FIPS-validated algorithms openssl list -signature-algorithms -provider fips
Algorithm Configuration
Available ML-DSA variants (signatures):
| Algorithm | NIST Level | Public Key | Signature | Recommendation |
|---|---|---|---|---|
| ML-DSA-44 | Level 2 | 1,312 B | 2,420 B | Resource-constrained systems |
| ML-DSA-65 | Level 3 | 1,952 B | 3,309 B | Standard (recommended) |
| ML-DSA-87 | Level 5 | 2,592 B | 4,627 B | Highest security |
Available ML-KEM variants (key exchange):
| Algorithm | NIST Level | Public Key | Ciphertext | Shared Secret |
|---|---|---|---|---|
| ML-KEM-512 | Level 1 | 800 B | 768 B | 32 B |
| ML-KEM-768 | Level 3 | 1,184 B | 1,088 B | 32 B |
| ML-KEM-1024 | Level 5 | 1,568 B | 1,568 B | 32 B |
Check algorithm support:
# All available signature algorithms openssl list -signature-algorithms # ML-DSA specifically openssl list -signature-algorithms | grep -i "ml-dsa" # All KEM algorithms openssl list -kem-algorithms # ML-KEM specifically openssl list -kem-algorithms | grep -i "ml-kem"
Further Reading
- Operations – Health checks, certificates via CLI
- Troubleshooting – Configuration errors
- Algorithms – Technical details
- CryptoConfig API – For developers
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: on 2026/01/29 at 11:10 PM
