HashiCorp Vault — Post-Quantum Cryptography Analysis
HashiCorp Vault uses AES-GCM-256 for data encryption at rest (quantum-safe) but relies on RSA and ECDSA for transit secrets and PKI operations. The Transit secrets engine defaults to RSA-2048 and ECDSA-P256 for key generation — both quantum-vulnerable. The auto-unseal mechanism using cloud KMS (AWS KMS, GCP Cloud KMS) inherits the quantum posture of those services.
Findings
RSA-2048 (transit engine default), builtin/logical/transit/path_keys.go: Default key type for RSA operations. Breaking RSA-2048 requires ~4000 logical qubits, which is within a 10-15 year horizon.
ECDSA P-256 / P-384, builtin/logical/pki/ca_util.go: The PKI secrets engine creates ECDSA certificates by default. Quantum-vulnerable for all digital signature operations.
RSA-4096 (PKI), builtin/logical/pki/path_roles.go: The larger key provides more classical security but is still broken by Shor's algorithm on a quantum computer in hours.
ECDH (Shamir shares transport), vault/seal.go: Key shares are transported using ECDH. A quantum attacker with recorded shares can reconstruct the unsealed key.
Compliance note
Vault stores the most sensitive secrets in your infrastructure. The 73/100 score reflects that data at rest is protected by AES-256, but PKI certificates and transit keys are quantum-vulnerable. Certificates issued today with 5+ year validity are at risk.