Platform
Post-quantum security
Confirm you're on hybrid post-quantum TLS and that the audit Ledger is post-quantum signed.
Overview
DataStrict is quantum-resistant at two boundaries. Traffic into the gateway rides hybrid post-quantum TLS- a classical X25519 key exchange combined with NIST's ML-KEM-768 - and every entry the audit Ledger records is signed with ML-DSA, on top of its existing hash-chain. This page shows how to confirm both from the outside, so post-quantum protection is something you verify, not something you take on faith.
Tip · Why hybrid
Verify post-quantum TLS
Ask the gateway to negotiate the hybrid group and inspect what the handshake actually settled on. With OpenSSL 3.5 or later:
$ openssl s_client -connect gateway.datastrict:443 \
-groups X25519MLKEM768 -tls1_3 </dev/null 2>/dev/null \
| grep -i "Negotiated\|group"
Negotiated TLS 1.3, Cipher is TLS_AES_256_GCM_SHA384
Server Temp Key: X25519MLKEM768A Server Temp Key of X25519MLKEM768 confirms the session key was established with the hybrid post-quantum exchange. If you see a bare X25519, the client did not offer the post-quantum group - see rollout below.
Verify the signed Ledger
Each record in the audit Ledger carries an ML-DSA signature. The CLI re-verifies a range of entries against their signatures and checks the hash-chain in one pass:
$ datastrict ledger verify --last 100
algorithm: ML-DSA-65 (FIPS 204)
entries: 100/100 signatures valid
chain: intact (no gaps, no reordering)The signature proves a record cannot be forged even by an adversary with a quantum computer; the chain proves none was removed or reordered. Together they make the Ledger evidence that holds for the full retention period, not just until today's signatures are broken.
Rollout & compatibility
Hybrid post-quantum TLS is backwards compatible. A client that supports the post-quantum group (modern browsers and up-to-date TLS libraries do) negotiates it automatically; an older client falls back to a classical exchange rather than failing. You can require the post-quantum group for a given route so a downgrade is refused - the right posture for the most sensitive traffic, and the default for air-gapped and private-cloud deployments where DataStrict terminates TLS itself.
Tip · Next steps
Was this page helpful?