HomeProductsEncryption Proxy
BETA — INFRASTRUCTURE

Encryption Proxy

FASTIFY · DOCKER · KUBERNETES

A transparent post-quantum encryption layer that sits in front of any API or S3-compatible store. Zero code changes required — point your traffic at the proxy and every payload becomes quantum-resistant.

ML-KEM-768Transparent proxyS3-compatibleDocker + Helm
Available now — beta
The proxy engine, ML-KEM-768 payload encryption, key rotation and audit logging are built and self-hostable with Docker. Managed hosting is on the roadmap.
ARCHITECTURE OVERVIEW
Client / App
↓ HTTPS (plaintext payload)
QuantaShield Proxy
↓ ML-KEM-768 encrypted payload
Upstream API / S3
Key encapsulationML-KEM-768 (NIST FIPS 203)
Symmetric encryptionAES-256-GCM (authenticated)
Session protocolQS3™ ratchet (roadmap)
DeploymentDocker · Helm · bare metal
Latency overhead< 2 ms (WASM crypto)
Drop-in encryption for any infrastructure
API Gateway
Encrypt all data in transit between microservices
S3 / Object Store
Application-layer encryption before cloud storage
Database Proxy
Encrypt sensitive fields on the wire to Postgres / MySQL
AI Model API
Protect prompt/response data to LLM endpoints
Features

Post-quantum encryption for your entire stack

Transparent HTTP Proxy
Sits in front of any API or service as a Fastify-based reverse proxy. Request and response payloads are encrypted and decrypted on the fly — your upstream service sees plaintext, your network sees ciphertext.
ML-KEM-768 Payload Encryption
Every intercepted payload is encrypted using ML-KEM-768 key encapsulation + AES-256-GCM authenticated encryption. Post-quantum resistant against harvest-now-decrypt-later attacks.
S3-Compatible Store
Deploy the proxy in front of any S3-compatible object store (AWS S3, MinIO, Cloudflare R2, Backblaze B2) to transparently encrypt all objects at the application layer before they reach storage.
Key Rotation
Keys rotate automatically on a configurable schedule without downtime. Re-encryption of existing payloads runs as a background job — zero service interruption.
Audit Logging
Every encrypt and decrypt event is logged with timestamp, source IP, key ID, and payload hash. Export to stdout, file, or a syslog endpoint for SIEM ingestion.
Easy Deployment
Ships as a single Docker image and a Helm chart for Kubernetes. Configuration via environment variables or a YAML file. No code changes required in the upstream service.
Setup

Running in 4 steps

01
Deploy the proxy container
Pull the Docker image and start it with your upstream service URL, port, and a key configuration path. No code changes needed in your existing service.
02
Point traffic at the proxy
Update your DNS or load balancer to route traffic through the proxy instead of directly to your API or object store. The proxy is fully transparent.
03
Payloads encrypted end-to-end
All request and response bodies are encrypted on ingress and decrypted on egress using ML-KEM-768. Your upstream service continues to receive plaintext — no changes required.
04
Monitor in the dashboard
View real-time throughput, encryption event logs, key rotation history, and anomaly alerts in the QuantaShield management dashboard.

Ready to encrypt your infrastructure?

Sign in today and get early access to the Encryption Proxy when it launches.