QUANTASEAL
Run QuantaSeal in your own VPC, Kubernetes cluster, or air-gapped data centre. Full ML-KEM-768 post-quantum security, self-managed keys, and zero data leaving your perimeter.
Managed SaaS: api.quantaseal.io — zero ops, always up-to-date. Best for most teams.
Private Kubernetes (VPC): your Kubernetes cluster in AWS/Azure/GCP. Helm chart, your own domain, your own keys.
Air-gapped: fully offline. Private registry, no outbound internet. Docker Compose or Helm.
Self-managed key hierarchy
No dependency on AWS KMS. Use local key wrapping, your HSM via PKCS#11, or HashiCorp Vault Transit.
Full PQC stack
ML-KEM-768 + ML-DSA-65 + AES-256-GCM. Same NIST FIPS 203/204/205 algorithms as our SaaS.
Air-gap support
Private image registry, no internet required. All cryptography runs on-host — no external calls.
Production Helm chart
HPA, PodDisruptionBudgets, NetworkPolicies, RBAC, zone-aware topology. Same chart as our SaaS.
40+ connectors included
Salesforce, SAP, Oracle, AWS, Azure, Okta, Kafka, PostgreSQL, and 30+ more — all work on-prem.
Compliance reports
SOC 2, HIPAA, GDPR, PCI DSS, APRA CPS 234, FedRAMP — evidence collected from your local audit log.
Helm deployment (Kubernetes)
Recommended for HA production deployments in your own VPC or on-prem K8s cluster.
git clone https://github.com/Lokeshwaranramu/quantaseal.git
cd quantaseal/infrastructure/helm/quantashield
For air-gapped environments, copy the chart directory to your target machine via USB or internal artifact repository.
# Create values-secrets.yaml (never commit this file)
cat > values-secrets.yaml <<'EOF'
secrets:
  jwtSecret:
    existingSecret: quantaseal-jwt
    key: jwt-secret-key
  jwtRefreshSecret:
    existingSecret: quantaseal-jwt
    key: jwt-refresh-secret-key
postgresql:
  auth:
    postgresPassword: "CHANGE_ME_STRONG_PASSWORD"
    password: "CHANGE_ME_STRONG_PASSWORD"
redis:
  auth:
    password: "CHANGE_ME_STRONG_PASSWORD"
EOF
# Create Kubernetes secrets for JWT keys
kubectl create namespace quantaseal
kubectl create secret generic quantaseal-jwt \
--namespace quantaseal \
--from-literal=jwt-secret-key="$(openssl rand -hex 64)" \
  --from-literal=jwt-refresh-secret-key="$(openssl rand -hex 64)"
# Update the hostname in values-private.yaml
sed -i 's/api.yourdomain.internal/api.yourdomain.com/g' values-private.yaml
Set the correct hostname in ingress.hosts[0].host and ingress.tls[0].hosts[0].
cd /path/to/quantaseal
./scripts/deploy-private.sh \
  --method helm \
  --namespace quantaseal \
  --secrets values-secrets.yaml
# Check all pods are running
kubectl get pods -n quantaseal
# Check the API health
kubectl exec -n quantaseal \
$(kubectl get pod -n quantaseal -l app.kubernetes.io/component=api -o name | head -1) \
  -- curl -s http://localhost:8000/health | python3 -c "import json,sys; d=json.load(sys.stdin); print('Status:', d.get('status'))"
Docker Compose deployment
Best for single-host, air-gapped, or evaluation deployments.
git clone https://github.com/Lokeshwaranramu/quantaseal.git
cd quantaseal/infrastructure
For air-gapped environments, copy the infrastructure/ directory and pre-pull Docker images onto your target machine.
cp .env.example .env
# Generate secure secrets
python3 -c "import secrets; print('JWT_SECRET_KEY=' + secrets.token_hex(64))" >> .env
python3 -c "import secrets; print('JWT_REFRESH_SECRET_KEY=' + secrets.token_hex(64))" >> .env
python3 -c "import secrets; print('HMAC_SECRET=' + secrets.token_hex(32))" >> .env
python3 -c "import secrets; print('REDIS_ENCRYPTION_KEY=' + secrets.token_hex(32))" >> .env
# Edit .env and fill in remaining required values:
# STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET (or set STRIPE_SKIP_WEBHOOK_VERIFY=true for offline)
# RESEND_API_KEY (or configure a local SMTP relay)
nano .env
./scripts/deploy-private.sh --method compose
# This runs: docker compose up -d --build + alembic upgrade head
curl -s http://localhost:8000/health | python3 -c \
  "import json,sys; d=json.load(sys.stdin); print('Status:', d.get('status'))"
# → Status: healthy
cd ../frontend
cp .env.local.example .env.local
echo "NEXT_PUBLIC_API_URL=http://localhost:8000" >> .env.local
npm install
npm run build
npm start   # Admin console on http://localhost:3001
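A pre-flight check to run on the .env before deploy-private.sh, added here as an example and not a script from the QuantaSeal repository. It assumes the four secrets were generated as hex exactly as in the steps above, and that STRIPE_SKIP_WEBHOOK_VERIFY=true is acceptable only for a tenant you declare air-gapped; the sample .env files it writes are constructed, with all-zero hex standing in for real random output.

```shell
# check_hex_secret FILE NAME MIN_BYTES: 0 if NAME in FILE is hex of >= MIN_BYTES bytes
check_hex_secret() {
  local file="$1" name="$2" min_bytes="$3" value
  value=$(grep -E "^${name}=" "$file" | tail -n 1 | cut -d= -f2-)
  [ -n "$value" ] || { echo "MISSING $name"; return 1; }
  case "$value" in *CHANGE_ME*) echo "PLACEHOLDER $name"; return 1 ;; esac
  printf '%s' "$value" | grep -Eq '^[0-9a-fA-F]+$' || { echo "NOT_HEX $name"; return 1; }
  [ $(( ${#value} / 2 )) -ge "$min_bytes" ] || { echo "TOO_SHORT $name"; return 1; }
  return 0
}

# preflight_env FILE AIR_GAPPED(0|1): checks the four generated secrets and refuses
# STRIPE_SKIP_WEBHOOK_VERIFY=true unless the tenant is declared air-gapped.
preflight_env() {
  local file="$1" air_gapped="${2:-0}" rc=0
  check_hex_secret "$file" JWT_SECRET_KEY 64 || rc=1          # openssl rand -hex 64
  check_hex_secret "$file" JWT_REFRESH_SECRET_KEY 64 || rc=1
  check_hex_secret "$file" HMAC_SECRET 32 || rc=1             # secrets.token_hex(32)
  check_hex_secret "$file" REDIS_ENCRYPTION_KEY 32 || rc=1
  if grep -Eiq '^STRIPE_SKIP_WEBHOOK_VERIFY=true' "$file" && [ "$air_gapped" != 1 ]; then
    echo "WEBHOOK_VERIFY_DISABLED on a non-air-gapped tenant"; rc=1
  fi
  return "$rc"
}

# make_sample_env KIND: writes a constructed .env (all-zero hex stands in for the
# real output of openssl rand / secrets.token_hex) and prints its path.
make_sample_env() {
  local f; f=$(mktemp)
  case "$1" in
    good|airgap)
      printf 'JWT_SECRET_KEY=%0128d\nJWT_REFRESH_SECRET_KEY=%0128d\n' 0 0 >"$f"
      printf 'HMAC_SECRET=%064d\nREDIS_ENCRYPTION_KEY=%064d\n' 0 0 >>"$f"
      [ "$1" = airgap ] && echo 'STRIPE_SKIP_WEBHOOK_VERIFY=true' >>"$f"
      ;;
    bad)  # placeholder left in, refresh key too short, HMAC_SECRET missing
      printf 'JWT_SECRET_KEY=CHANGE_ME_STRONG_PASSWORD\nJWT_REFRESH_SECRET_KEY=%032d\n' 0 >"$f"
      printf 'REDIS_ENCRYPTION_KEY=%064d\n' 0 >>"$f"
      ;;
  esac
  echo "$f"
}
```

Run it as `preflight_env .env 0` (or `1` for an air-gapped tenant); each failing check prints its reason and the function exits non-zero.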
For fully offline deployments with no outbound internet access, make the following changes after initial setup:
Private image registry
Set api.image.repository to your internal registry (e.g. registry.yourdomain.internal/quantaseal-api) in values-private.yaml.
Disable cloud observability
Set observability.otel.enabled: false and observability.sentry.enabled: false. Enable Prometheus for local metrics scraping.
Local KMS
Set KMS_PROVIDER=local in your environment. QuantaSeal will use AES-256-GCM software wrapping with your supplied master key instead of AWS KMS.
SMTP relay instead of Resend
Set EMAIL_PROVIDER=smtp and configure SMTP_HOST/PORT/USER/PASS to route email through your internal mail server.
Does Private Cloud require an internet connection?
No. For fully air-gapped deployments: pre-pull Docker images to a private registry, disable Sentry/OTEL in values-private.yaml, and use a local SMTP relay instead of Resend. Stripe webhooks can be skipped by setting STRIPE_SKIP_WEBHOOK_VERIFY=true (only for air-gapped tenants with manual provisioning).
Can I use my own encryption keys without AWS KMS?
Yes. Set KMS_PROVIDER=local in your .env or Helm values. In local mode, QuantaSeal uses a software-based key wrapping layer (AES-256-GCM with your provided master key) instead of calling AWS KMS. For HSM-backed deployments, the PKCS#11 provider is available — contact sales.
What are the minimum hardware requirements?
Docker Compose (single host): 4 vCPU / 8 GB RAM / 50 GB SSD. Kubernetes HA: 3 nodes × 4 vCPU / 8 GB RAM, plus persistent volumes for PostgreSQL and Redis. For high-throughput PQC encryption (ML-KEM-768) we recommend 8+ vCPU per API replica.
How do I upgrade to a new version?
Helm: helm upgrade quantaseal ./quantashield -f values-private.yaml -f values-secrets.yaml --atomic. Docker Compose: git pull && docker compose pull && docker compose up -d --build && docker exec quantaseal-backend alembic upgrade head. Always test in a staging environment first.
Is the Helm chart production-grade or just a demo?
Production-grade. The chart ships with HPA, PodDisruptionBudgets, topology spread constraints (zone-aware), liveness/readiness probes, NetworkPolicies, RBAC, and Prometheus ServiceMonitors. It's the same chart used for our managed SaaS.
Our team provides white-glove onboarding for Private Cloud deployments — from architecture review to go-live. Contact sales to discuss your requirements and pricing.