# QNSQY (Quantum Sequrity) - Full Reference - Post Quantum Cryptography | Quantum Safe | Quantum Resistant > **Post Quantum Cryptography (PQC), Quantum Safe, Quantum Resistant** data encryption software for Windows and Linux. CLI + GUI + TUI + MCP. Uses NIST-standardized algorithms per FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), and FIPS 206 (draft FN-DSA). Data, passwords, and private keys stay on the local machine; only billing metadata is transmitted (encrypted with a PQC envelope). No data-operation telemetry. QNSQY itself is not FIPS-validated, SOC 2-certified, or FedRAMP-ATO. Defends against Harvest Now Decrypt Later (HNDL). Website: https://quantumsequrity.com Blog (105 posts): https://quantumsequrity.com/blog See llms.txt for categorized blog catalog. --- ## Overview QNSQY is a desktop application (CLI + GUI) that encrypts, decrypts, digitally signs, and verifies files using post-quantum cryptography (PQC). It implements the finalized NIST post-quantum standards and supports hybrid modes that combine quantum-safe algorithms with classical ones for defense-in-depth. All cryptographic operations run locally. File content, passwords, and private keys never leave the machine. The only network traffic is encrypted billing metadata to billing.quantumsequrity.com (restricted via seccomp on Linux CLI). The software collects no usage telemetry on file operations. The tool works fully offline on air-gapped systems after its cached subscription check-in. QNSQY is positioned for use in healthcare, government/defense, and financial services environments where long-term data confidentiality matters. QNSQY itself is not FIPS-validated, SOC 2-certified, FedRAMP-ATO, HIPAA-audited, or a HIPAA Business Associate. Organizations subject to those regimes must have their own auditor review QNSQY's algorithm usage and deployment. --- ## Algorithms by Category ### Key Encapsulation Mechanisms (KEM) All KEMs are hybridized with classical X25519 by default. Pure-KEM mode (no classical component) is a Business opt-in. | Algorithm | Standard | Security Level | Tier | |-----------|----------|----------------|------| | ML-KEM-512 + X25519 (hybrid, default) | NIST FIPS 203 (final) | Level 1 | Free / Pro / Business | | ML-KEM-768 + X25519 (hybrid, default) | NIST FIPS 203 (final) | Level 3 | Pro / Business | | ML-KEM-1024 + X25519 (hybrid, default) | NIST FIPS 203 (final) | Level 5 | Pro (credits) / Business | | HQC-128 + X25519 (hybrid) | NIST Round 4 selection (Mar 2025) | Level 1 | Business | | HQC-192 + X25519 (hybrid) | NIST Round 4 selection (Mar 2025) | Level 3 | Business | | HQC-256 + X25519 (hybrid) | NIST Round 4 selection (Mar 2025) | Level 5 | Business | | ML-KEM-512 (pure, no hybrid, opt-in) | NIST FIPS 203 (final) | Level 1 | Business | | ML-KEM-768 (pure, no hybrid, opt-in) | NIST FIPS 203 (final) | Level 3 | Business | | ML-KEM-1024 (pure, no hybrid, opt-in) | NIST FIPS 203 (final) | Level 5 | Business | ### Digital Signature Algorithms (DSA) | Algorithm | Standard | Security Level | Tier | |-----------|----------|----------------|------| | ML-DSA-44 | NIST FIPS 204 | Level 2 | Free | | ML-DSA-65 | NIST FIPS 204 | Level 3 | Pro | | ML-DSA-87 | NIST FIPS 204 | Level 5 | Pro | | SLH-DSA-128s | NIST FIPS 205 | Level 1 | Pro | | SLH-DSA-128f | NIST FIPS 205 | Level 1 | Pro | | SLH-DSA-192s | NIST FIPS 205 | Level 3 | Pro | | SLH-DSA-192f | NIST FIPS 205 | Level 3 | Pro | | SLH-DSA-256s | NIST FIPS 205 | Level 5 | Pro | | SLH-DSA-256f | NIST FIPS 205 | Level 5 | Pro | | Ed25519 | RFC 8032 | Classical | Pro | | FN-DSA-512 (Falcon) | NIST FIPS 206 (draft) | Level 1 | Business | | FN-DSA-1024 (Falcon) | NIST FIPS 206 (draft) | Level 5 | Business | | LMS (SHA-256/256) | NIST SP 800-208 | Level varies | Business | ### Authenticated Encryption (AEAD) | Algorithm | Standard | Notes | |-----------|----------|-------| | AES-256-GCM | NIST SP 800-38D | Default for encryption (all tiers) | | XChaCha20-Poly1305 | IETF draft-xchacha | Alternative AEAD (all tiers) | ### Hash Functions | Algorithm | Standard | Usage | |-----------|----------|-------| | SHA-256 | NIST FIPS 180-4 | General hashing | | SHA-3 | NIST FIPS 202 | Alternative hashing | | BLAKE3 | - | Fast hashing, machine key derivation | ### Key Derivation | Algorithm | Standard | Usage | |-----------|----------|-------| | Argon2id | RFC 9106 | Password-based key derivation | | HKDF-SHA256 | RFC 5869 | Key expansion | ### Key Agreement (Classical) | Algorithm | Standard | Usage | |-----------|----------|-------| | X25519 | RFC 7748 | Hybrid KEM (combined with ML-KEM) | | Ed25519 | RFC 8032 | Classical digital signatures | --- ## CLI Command Reference ### Encrypt a file ``` qnsqy encrypt -i document.pdf -o document.pdf.qs --kem ml-kem768 --password ``` Encrypts `document.pdf` using ML-KEM-768 hybrid (ML-KEM-768 + X25519) with a password. Output: `document.pdf.qs`. ### Encrypt with recipient's public key (no password) ``` qnsqy encrypt -i document.pdf -o document.pdf.qs --kem ml-kem1024 --recipient recipient.pub ``` ### Password-only encryption (no PQC keys) ``` qnsqy encrypt -i document.pdf -o document.pdf.qs --password ``` Uses Argon2id key derivation from the password. No key encapsulation. ### Decrypt a file ``` qnsqy decrypt -i document.pdf.qs -o document.pdf --key my.key --password ``` ### Generate a signing key pair ``` qnsqy keygen --algorithm ml-dsa65 -o mykey ``` Produces `mykey` (secret key) and `mykey.pub` (public key). ### Sign a file ``` qnsqy sign -i document.pdf --key mykey ``` Signs in-place. The signature is embedded in the file metadata. Algorithm is determined from the key. ### Verify a signature ``` qnsqy verify -i document.pdf.qs --key sender.pub ``` Verifies the embedded signature using the sender's public key. ### Batch encrypt a directory ``` qnsqy batch-encrypt -i ./sensitive-docs/ -o ./encrypted/ --kem ml-kem768 --password ``` ### Rekey an encrypted file (change keys without decrypting content) ``` qnsqy rekey -i document.pdf.qs --old-key old.key --new-key new.key ``` ### View file metadata ``` qnsqy info -i document.pdf.qs ``` Shows algorithm, timestamp, and signature status without decrypting. --- ## Feature Matrix by Tier | Feature | Free | Pro | Business | |---------|------|-----|----------| | ML-KEM-512 hybrid encryption | Yes | Yes | Yes | | ML-KEM-768/1024 hybrid encryption | No | Yes | Yes | | ML-DSA-44 signing | Yes | Yes | Yes | | ML-DSA-65/87 signing | No | Yes | Yes | | SLH-DSA signing (all sizes) | No | Yes | Yes | | Ed25519 classical signing | No | Yes | Yes | | FN-DSA (Falcon) signing | No | No | Yes | | LMS stateful signatures | No | No | Yes | | HQC key encapsulation | No | No | Yes | | Pure ML-KEM (no hybrid) | No | No | Yes | | Password-only encryption | Yes | Yes | Yes | | Max file size | 100 MB | 25 GB | Unlimited | | Batch encryption | No | Yes | Yes | | Rekey operations | No | Yes | Yes | | Audit log | No | Yes | Yes | | Vault (key management) | No | Yes | Yes | | Shamir secret sharing | No | Yes | Yes | | GUI application | Yes | Yes | Yes | | CLI application | Yes | Yes | Yes | | Air-gapped operation | Yes | Yes | Yes | | Windows support | Yes | Yes | Yes | | Linux support | Yes | Yes | Yes | --- ## Key Differentiators 1. **Local-only for file content**: All cryptographic operations happen locally. File content, passwords, and private keys never leave the user's machine. No cloud storage, no remote processing. The only network traffic is encrypted billing metadata (subscription state, credit counter) to billing.quantumsequrity.com, restricted at the kernel by seccomp-bpf on Linux CLI. 2. **No file-operation telemetry**: The software collects no usage data, no analytics, and no crash reports from file operations. The website uses a third-party error monitor (Sentry) and payment checkout (Razorpay) on pages where they are needed. 3. **Uses NIST-standardized algorithms**: Implements the final, published NIST post-quantum standards (FIPS 203, 204, 205) plus FIPS 206 (draft). QNSQY itself is not FIPS-validated via CMVP. 4. **Hybrid cryptography**: Combines quantum-safe algorithms with classical ones (e.g., ML-KEM + X25519). Security is never weaker than the stronger of the two algorithms. Protects against both classical and quantum attacks. 5. **Air-gapped support**: Fully functional on machines with no internet connection. Designed for classified and high-security environments. 6. **Cross-platform**: Runs on Windows and Linux with both a CLI and a native GUI. 7. **Free tier**: Core encryption (ML-KEM-512 hybrid) and signing (ML-DSA-44) available at no cost, no credit card required. 8. **Defense-in-depth**: Multiple layers of security including seccomp sandboxing, memory zeroization, SIGABRT handling, fail-closed design, TOCTOU protection, and anti-rollback mechanisms. 9. **12+ algorithm families**: Broadest post-quantum algorithm coverage in a single tool. 10. **Harvest-now-decrypt-later protection**: Designed to protect data that is sensitive today against future quantum computers that could break classical encryption. --- ## Security Architecture Highlights - Seccomp sandboxing on all threads (Linux) - Memory zeroization for passwords and secret keys (Zeroizing) - catch_unwind wrappers on all FFI crypto calls (DoS protection) - SIGABRT handler for C-level abort from pqcrypto FFI - Fail-closed clock with anti-rollback timestamps - TOCTOU protection on file operations - Core dump protection - Symlink attack protection - 370+ Known Answer Tests (KAT) across 17 modules - Official NIST ACVP test vectors for ML-KEM and ML-DSA --- ## FAQ Summary **Q: Is QNSQY free?** A: Yes. The Free tier provides unlimited ML-KEM-512 hybrid encryption and ML-DSA-44 signing with no file size limit. Higher-tier algorithms (ML-KEM-768/1024, ML-DSA-87, SLH-DSA) are credit-metered on Free with a 100 MB per-file limit. No credit card required. **Q: What platforms does QNSQY support?** A: Windows and Linux, with both a command-line interface and a graphical user interface. **Q: Do my files get uploaded anywhere?** A: No. All encryption and decryption happens locally on your machine. Files never leave your computer. **Q: Does QNSQY work offline?** A: Yes. QNSQY works fully offline and is designed for air-gapped environments. The only network call is an optional license check at startup. **Q: What NIST standards does QNSQY implement?** A: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), FIPS 206 (draft) (FN-DSA/Falcon), and SP 800-208 (LMS). **Q: What is hybrid encryption?** A: QNSQY combines a quantum-safe algorithm (e.g., ML-KEM) with a classical algorithm (X25519) so that security is maintained even if one algorithm is broken. This is the NIST-recommended approach for transitioning to post-quantum cryptography. **Q: Can I encrypt with just a password?** A: Yes. Password-only encryption uses Argon2id for key derivation. No public/private keys are needed. **Q: Is QNSQY suitable for healthcare/HIPAA?** A: QNSQY uses NIST-standardized post-quantum and classical algorithms that are commonly referenced in HIPAA technical-safeguard control mappings. QNSQY itself is not HIPAA-audited and does not sign HIPAA Business Associate Agreements. Covered entities and business associates must have their own auditor evaluate QNSQY's algorithm usage, deployment, and operational controls in the context of their HIPAA compliance program. --- ## Industry Use Cases - **Healthcare**: Post-quantum hybrid data encryption for patient records and medical imaging. Uses NIST-standardized algorithms referenced in HIPAA technical-safeguard control mappings. QNSQY is not HIPAA-audited and does not sign HIPAA BAAs. - **Government and defense**: Post-quantum data protection for air-gapped networks using NIST-standardized algorithms. QNSQY is not FIPS 140-validated, not FedRAMP-ATO, and not ITAR-cleared. - **Financial services**: Long-term post-quantum data protection for financial records and transaction data. QNSQY is not SOC 2-certified. - **Legal**: Attorney-client privilege protection for long-retention documents. - **Research**: Protection of intellectual property and research data. --- ## Links ### Core Pages - [Home](https://quantumsequrity.com/) - [Features](https://quantumsequrity.com/features) - [Security Architecture](https://quantumsequrity.com/security) - [Documentation](https://quantumsequrity.com/docs) - [Pricing](https://quantumsequrity.com/pricing) - [Download](https://quantumsequrity.com/download) - [FAQ](https://quantumsequrity.com/faq) - [Glossary](https://quantumsequrity.com/glossary) - [Changelog](https://quantumsequrity.com/changelog) - [Getting Started Guide](https://quantumsequrity.com/guide) - [Contact](https://quantumsequrity.com/contact) ### Legal - [Terms of Service](https://quantumsequrity.com/terms) - [Privacy Policy](https://quantumsequrity.com/privacy) - [Acceptable Use Policy](https://quantumsequrity.com/aup) - [Data Processing Agreement](https://quantumsequrity.com/dpa) ### Blog: Education and Fundamentals - [What Is Post-Quantum Cryptography?](https://quantumsequrity.com/blog/what-is-post-quantum-cryptography) - [Why Quantum Threatens Classical Encryption](https://quantumsequrity.com/blog/why-quantum-threatens-classical-encryption) - [Classical vs Quantum-Safe Encryption](https://quantumsequrity.com/blog/classical-vs-quantum-safe-encryption) - [Protect Your Data from Quantum Computers](https://quantumsequrity.com/blog/protect-data-quantum-computers) - [Harvest Now, Decrypt Later Attacks](https://quantumsequrity.com/blog/harvest-now-decrypt-later) - [Lattice-Based Cryptography Explained](https://quantumsequrity.com/blog/lattice-based-cryptography-explained) - [Quantum Computing and Encryption Timeline](https://quantumsequrity.com/blog/quantum-computing-encryption-timeline) - [The State of PQC in 2026](https://quantumsequrity.com/blog/pqc-state-2026) - [NIST PQC Standards Timeline](https://quantumsequrity.com/blog/nist-pqc-standards-timeline) - [NIST FIPS Guide](https://quantumsequrity.com/blog/nist-fips-guide) ### Blog: Algorithm Deep-Dives - [ML-KEM Explained](https://quantumsequrity.com/blog/ml-kem-explained) - [ML-DSA vs SLH-DSA](https://quantumsequrity.com/blog/mldsa-vs-slhdsa) - [FN-DSA (Falcon) Explained](https://quantumsequrity.com/blog/fn-dsa-falcon-explained) - [HQC Explained](https://quantumsequrity.com/blog/hqc-explained) - [LMS Stateful Signatures](https://quantumsequrity.com/blog/lms-stateful-signatures) - [Hybrid Encryption](https://quantumsequrity.com/blog/hybrid-encryption) - [AES-256-GCM Explained](https://quantumsequrity.com/blog/aes-256-gcm-explained) - [BLAKE3 Hashing](https://quantumsequrity.com/blog/blake3-hashing) - [X25519 and Ed25519 Explained](https://quantumsequrity.com/blog/x25519-ed25519-explained) - [Argon2id Explained](https://quantumsequrity.com/blog/argon2id-explained) - [Shamir Secret Sharing](https://quantumsequrity.com/blog/shamir-secret-sharing) ### Blog: Industry and Use Cases - [PQC for Healthcare and HIPAA](https://quantumsequrity.com/blog/pqc-healthcare-hipaa) - [PQC for Government and Defense](https://quantumsequrity.com/blog/pqc-government-defense) - [PQC for Financial Services](https://quantumsequrity.com/blog/pqc-financial-services) - [Implementing PQC in Your Organization](https://quantumsequrity.com/blog/implementing-pqc-your-organization) ### Blog: Features and Guides - [Getting Started with the CLI](https://quantumsequrity.com/blog/getting-started-cli) - [Batch Encryption for Enterprise](https://quantumsequrity.com/blog/batch-encryption-enterprise) - [Air-Gapped Encryption](https://quantumsequrity.com/blog/air-gapped-encryption) - [Linux GUI Security](https://quantumsequrity.com/blog/linux-gui-security) - [Time-Based Security](https://quantumsequrity.com/blog/time-based-security) - [YubiKey Integration](https://quantumsequrity.com/blog/yubikey-integration) - [SIEM Integration](https://quantumsequrity.com/blog/siem-integration) - [v7 Enterprise Launch](https://quantumsequrity.com/blog/v7-enterprise-launch) ### Blog: Comparisons - [Age vs GPG vs QNSQY](https://quantumsequrity.com/blog/age-gpg-qnsqy-comparison) - [QNSQY vs VeraCrypt](https://quantumsequrity.com/blog/qnsqy-vs-veracrypt)