Frequently Asked Questions (FAQ)

Quick answers to common questions - find what you need in 30 seconds

🔍 Search FAQ | 📧 Ask a question

General Questions

What is AnkaSecure?

Short answer: Enterprise post-quantum cryptography platform (SaaS + on-premise)

Key capabilities: - ✅ 81 algorithms (34 PQC, 14 classical, 33 symmetric) - ✅ Composite hybrid keys (UNIQUE - 1000× more secure) - ✅ Zero-code migration ($840K cost avoidance proven) - ✅ Federal compliance (NIST, GSA, FIPS, CNSA)

Who uses it: Financial services, healthcare, government, defense, SaaS platforms

Learn more: Why AnkaSecure

Why do I need post-quantum cryptography NOW?

The threat: "Harvest now, decrypt later" attacks

How it works: 1. Today (2026): Adversary captures your encrypted data 2. Future (2035): Quantum computer breaks RSA/ECDSA 3. Result: Your confidential data from 2026 now compromised

Who's vulnerable: Anyone with data retention > 10 years - Financial records (7-10 years) - Patient records (30 years) - Classified documents (50+ years) - Trade secrets (indefinite)

When to act: NOW (if data must stay secret beyond 2035)

Learn more: Quantum threat timeline

How is AnkaSecure different from AWS KMS, Vault, or Azure?

3 unique capabilities (no competitor has):

1. Composite hybrid keys: AND-decrypt (1000× more secure than OR-decrypt)
2. AWS KMS: ❌ No composite keys
3. Vault: ❌ No composite keys

4. Azure: ❌ No composite keys

5. Zero-code migration: Change algorithms in 5 minutes (not 6 months)

6. Cost: $30 (vs $840K traditional rewrite)

7. Proven: 500-application Fortune 500 case study

8. Zero plaintext re-encryption: Server-side ciphertext transformation

9. Plaintext never exposed (unique security advantage)

Plus: Post-quantum cryptography (AWS/Azure/Vault have NONE)

Detailed comparisons: vs AWS | vs Vault | vs Azure

Can I try before buying?

Yes! 3 trial options:

Free SaaS trial (5 minutes): - 30 days, 10K operations/day - No credit card required - Start now

On-premise trial (30 minutes): - 30 days, unlimited operations - Email registration required - Request installer

Extended POC (enterprises): - 60-90 days, 100K operations/day - Technical account manager included - Request POC

Technical Questions

What algorithms are supported?

81 total algorithms: - 34 Post-Quantum: ML-KEM, ML-DSA, SLH-DSA, Falcon, BIKE, HQC, SABER, FrodoKEM, NTRU, Classic McEliece - 14 Classical Asymmetric: RSA, ECDSA, EdDSA, OKP variants - 33 Symmetric: AES, ChaCha20, Camellia, SEED, SM4, ARIA (19 AEAD + 14 MAC/PRF)

NIST-standardized (recommended): - ML-KEM-512/768/1024 (FIPS 203) - ML-DSA-44/65/87 (FIPS 204) - SLH-DSA variants (FIPS 205)

Full algorithm catalog

How fast is AnkaSecure?

Performance (ML-KEM-1024, 1KB payload): - Encryption: 3ms - Decryption: 7ms - Throughput: 143 operations/sec per CPU core - Scalability: 12,000 ops/sec (12-node cluster)

vs Competitors: - AWS KMS: ~50ms (16× slower, includes network) - Vault: ~4ms (AES-only, no PQC)

Large files (streaming): - Throughput: ~80 MB/s per node - 50 GB file: ~10 minutes

Detailed benchmarks

Can AnkaSecure integrate with my existing systems?

Yes! Multiple integration options:

REST API (any language):

curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"algorithm":"ML_KEM_1024","plaintext":"..."}'

Java SDK:

AnkaSecureClient client = new AnkaSecureClient(apiKey);
byte[] ciphertext = client.encrypt(request).getCiphertext();

CLI Tool (scripting, CI/CD):

ankasecure-cli encrypt --key-id mlkem-001 --input data.txt

Integrations: - ✅ AWS (S3, Lambda, RDS) - ✅ Azure (Blob, Functions, SQL) - ✅ Kubernetes (sidecar pattern) - ✅ Databases (field-level encryption)

SDK documentation

What if post-quantum algorithms are broken?

AnkaSecure's 3-layer defense:

Layer 1: Composite keys (instant rollback)

# If ML-KEM vulnerability discovered, fallback to RSA
curl -X PATCH https://api.ankatech.co/keys/composite-001/mode \
  -d '{"decryptMode":"CLASSICAL_ONLY"}'  # Instant rollback!

Layer 2: Algorithm diversity (81 algorithms available)

# Rotate to alternative PQC (Falcon, SLH-DSA, etc.)
curl -X PATCH https://api.ankatech.co/keys/KEY_ID/rotate \
  -d '{"targetAlgorithm":"FALCON_1024"}'

Layer 3: Crypto-agility (5-minute emergency rotation)

# Rotate ALL keys to safe algorithm in 5 minutes
curl -X POST https://api.ankatech.co/bulk/emergency-rotate \
  -d '{"targetAlgorithm":"NEW_SAFE_ALGORITHM"}'

Cost avoidance: $840K (vs rewriting applications)

Can I export my keys and data?

Yes! No vendor lock-in:

Export keys:

curl https://api.ankatech.co/keys/KEY_ID/export \
  -H "Authorization: Bearer $TOKEN" > mykey.json

Export all data:

curl https://api.ankatech.co/tenants/TENANT_ID/export \
  -H "Authorization: Bearer $TOKEN" > full-backup.tar.gz

Use case: Migrate to another platform, disaster recovery, backup

Note: HSM-protected keys export as encrypted blobs (requires HSM to unwrap)

Does AnkaSecure work offline (air-gapped)?

Yes! Full air-gapped support:

Features in offline mode: - ✅ All crypto operations (encrypt, decrypt, sign, verify) - ✅ Key generation (DRBG uses local entropy) - ✅ Key management (rotation, deletion) - ✅ Cryptographic license validation (no call-home)

NOT available offline: - ❌ SaaS (requires internet) - ❌ Automatic updates (manual via USB) - ❌ Cloud backups (local backups only)

Use case: SCIF, classified networks, defense contractors

Air-gapped deployment guide

Pricing Questions

How much does AnkaSecure cost?

SaaS pricing (monthly): - Starter: $1,250/month (up to 1M operations) - Professional: $3,500/month (up to 10M operations) - Enterprise: Custom (unlimited operations)

On-premise pricing (annual): - Annual license: $25,000/year (unlimited operations) - Perpetual: $50,000 + $10,000/year maintenance - Enterprise: Custom (priority support, SLA)

Break-even: ~3M operations/month (SaaS vs on-premise)

Interactive cost calculator

Is there a free tier?

Free trial (not perpetual free tier): - ✅ 30 days - ✅ 10,000 operations/day - ✅ All features (no limitations) - ✅ No credit card required

After trial: - Upgrade to paid tier (Starter $1,250/month) - OR: Request extended evaluation (enterprises)

Start free trial

How does pricing compare to AWS KMS?

Cost comparison (10M operations/month):

Savings: $318,000/year (88-89%)

Plus: AnkaSecure has PQC (AWS KMS does not)

Detailed comparison: vs AWS KMS

What's included in the license?

All tiers include: - ✅ All 81 algorithms (PQC + classical + symmetric) - ✅ Composite hybrid keys - ✅ Multi-tenancy (SaaS) or unlimited tenants (on-prem) - ✅ Unlimited keys - ✅ REST API + SDK (Java) + CLI - ✅ Audit logging - ✅ Security updates - ✅ Email support (48-hour SLA)

Enterprise tier adds: - ✅ 24/7 support (2-hour SLA) - ✅ Dedicated Slack channel - ✅ Technical account manager - ✅ Custom SLA (99.99% uptime) - ✅ Training sessions

Compliance Questions

Is AnkaSecure FIPS-validated?

Yes: - ✅ Current: FIPS 140-2 Certificate #4616 (Bouncy Castle provider) - ⏳ Future: FIPS 140-3 validation in progress (expected Q2 2026)

Validated algorithms: AES, RSA, ECDSA, SHA, HMAC, DRBG

PQC algorithms (pending FIPS 140-3): - ML-KEM-512/768/1024 (NIST FIPS 203) - ML-DSA-44/65/87 (NIST FIPS 204) - SLH-DSA (NIST FIPS 205)

FIPS compliance details

Is AnkaSecure approved for federal use?

Current status (Jan 2026): - ✅ FIPS 140-2 validated (federal minimum) - ✅ NIST PQC compliant (FIPS 203/204/205) - ✅ GSA PQC compliant (100%) - ✅ CNSA 2.0 ready (2030 deadline) - ⏳ GSA Schedule 70 (application in progress, Q2 2026) - ⏳ FedRAMP Moderate (in progress, Q4 2027)

Current procurement: Via RFP or contract (not GSA Schedule yet)

On-premise: Federal agencies can obtain their own ATO (we provide documentation)

Federal compliance overview

Does AnkaSecure support HIPAA?

Yes, with BAA (Business Associate Agreement):

SaaS deployment: - ✅ Encryption (§164.312(a)(2)(iv)) - ✅ Audit controls (§164.312(b)) - ✅ Access management (§164.308(a)(4)) - ✅ BAA provided (required for ePHI)

On-premise deployment: - ✅ All HIPAA controls - ❌ No BAA needed (you are sole custodian)

Request BAA: [email protected] (3-5 business days)

HIPAA compliance guide

Can AnkaSecure help with PCI DSS compliance?

Yes: - ✅ Requirement 3.6.1: FIPS-validated encryption (Certificate #4616) - ✅ Requirement 3.6.4: Key rotation (annual, automated) - ✅ Requirement 10.2: Audit logging (complete operation trail)

Supported: PCI DSS 3.2.1 and 4.0

Certification: AnkaSecure provides evidence, your QSA validates

PCI DSS compliance guide

Migration Questions

How hard is it to migrate from AWS KMS?

Difficulty: Easy (1-week pilot, 4-6 weeks production)

Process: 1. Import AWS keys (public keys only, AWS doesn't export private) 2. Generate ML-KEM keys in AnkaSecure 3. Gradual traffic shift (10% → 25% → 50% → 100%) 4. Decommission AWS KMS

Code changes: Zero (applications use same keyIds)

Cost savings: Up to $320K/year (89% reduction at 10M ops/month)

AWS migration guide

Can I migrate my existing RSA-encrypted data?

Yes! Without exposing plaintext:

AnkaSecure unique capability: Server-side re-encryption

# Re-encrypt from RSA to ML-KEM (zero plaintext exposure!)
curl -X POST https://api.ankatech.co/crypto/reencrypt \
  -d '{
    "sourceKeyId": "legacy-rsa-key",
    "targetKeyId": "pqc-mlkem-key",
    "ciphertext": "RSA-encrypted-data..."
  }'

Security: Plaintext exists ONLY in server memory (never on client or network)

Performance: ~1,250 files/minute (1KB each)

Re-encryption guide

Do I need to rewrite my applications?

No! Zero code changes required:

Traditional migration (WRONG):

// Before
RSACipher cipher = new RSACipher();  // Hardcoded
byte[] encrypted = cipher.encrypt(data, rsaKey);

// After (requires rewrite!) ❌
MLKEMCipher cipher = new MLKEMCipher();  // Must change code
byte[] encrypted = cipher.encrypt(data, mlkemKey);

AnkaSecure migration (RIGHT):

// Before and After (SAME CODE!) ✅
AnkaSecure.encrypt(data, keyId);  // Algorithm abstracted

How it works: Update algorithm in AnkaSecure config → all apps use ML-KEM automatically

Cost savings: $840K avoided for 200-application enterprise

How long does migration take?

Typical timeline:

Fastest: 1 week (greenfield, no legacy constraints) Slowest: 6 months (complex enterprise, 500+ applications)

Migration roadmap

Security Questions

How secure are composite keys?

Mathematical security improvement:

OR-decrypt (traditional dual encryption):

P(compromise) = P(RSA broken) OR P(ML-KEM broken)
              = 5% + 0.1% = 5.1%

AND-decrypt (AnkaSecure composite):

P(compromise) = P(RSA broken) AND P(ML-KEM broken)
              = 5% × 0.1% = 0.005%

Improvement: 5.1% ÷ 0.005% = 1020× more secure

Real-world: Adversary must break BOTH RSA and ML-KEM simultaneously (astronomically unlikely)

Composite keys explained

What if there's a vulnerability in ML-KEM?

Instant rollback (if using composite keys):

# Discovered ML-KEM vulnerability
# Fallback to RSA in 30 seconds
curl -X PATCH https://api.ankatech.co/keys/composite-001/mode \
  -d '{"decryptMode":"CLASSICAL_ONLY"}'

Result: All data decrypts with RSA only (no ML-KEM needed)

Zero re-encryption: Existing ciphertexts still decrypt (backward compatible)

Alternative: Rotate to different PQC algorithm (Falcon, SLH-DSA)

Where are my keys stored?

SaaS deployment: - Keys stored in AnkaSecure infrastructure (encrypted at rest) - Wrapped with HSM KEK (Hardware Security Module) - Multi-tenant isolation (database + application layers) - Geographic options: US, EU, or Asia regions

On-premise deployment: - Keys stored in YOUR infrastructure (full control) - Wrapped with YOUR HSM (Luna, nShield, or SoftHSM) - Zero vendor access (you control everything)

Both modes: - ✅ Keys never in plaintext on disk - ✅ Encrypted database storage - ✅ HSM protection

Can you see my data?

No (with caveats):

SaaS deployment: - ❌ We CANNOT see plaintext (encrypted end-to-end) - ⚠️ We CAN see ciphertext (stored in our infrastructure) - ⚠️ We CAN see metadata (key IDs, operation counts) - ✅ We CANNOT decrypt (keys are tenant-specific, we don't have access)

On-premise deployment: - ❌ We CANNOT see anything (deployed in your infrastructure) - ✅ Complete privacy (zero vendor access)

Trust model: - SaaS: Trust AnkaSecure (like trusting AWS, Azure) - On-premise: Trust nobody (you control everything)

Platform Questions

What deployment options are available?

3 deployment models:

1. SaaS (fully managed):
2. Time to start: 5 minutes
3. Cost: $1,250/month (Starter)

4. Best for: Startups, small teams, rapid deployment

5. On-Premise (self-hosted):

6. Time to deploy: 30 minutes (automated installer)
7. Cost: $25,000/year (unlimited operations)

8. Best for: Enterprises, high-volume, data sovereignty

9. Hybrid (split architecture):

10. Time to deploy: 1 hour
11. Cost: Custom (mixed model)
12. Best for: Multi-datacenter, global operations

Deployment comparison

What infrastructure do I need for on-premise?

Minimum (evaluation): - 1 server: 8 cores, 16 GB RAM, 100 GB SSD - OS: Ubuntu 24.04 or RHEL 8+ - Network: Outbound HTTPS (for downloads)

Recommended (production): - 3 servers: 16 cores, 32 GB RAM, 200 GB SSD each - Load balancer: HAProxy or NGINX - Database: PostgreSQL 15+ (dedicated server) - HSM: Luna or nShield (for Level 3 security)

Enterprise (high-volume): - 10-50 servers: 32 cores, 128 GB RAM each - Multi-datacenter: Active-active or active-passive

Detailed requirements

What databases are supported?

Supported: - ✅ PostgreSQL 15+ (recommended, included in trial) - ✅ AWS Aurora PostgreSQL - ✅ Google Cloud SQL (PostgreSQL) - ⚠️ MySQL/MariaDB (experimental, contact support)

Not supported: - ❌ MongoDB, Cassandra (NoSQL) - ❌ Oracle, SQL Server (contact for enterprise)

Can I use my existing HSM?

Yes! Supported HSMs:

Production-grade: - ✅ Thales Luna 7 (network or PCIe) - ✅ Entrust nShield (network or PCIe) - ✅ AWS CloudHSM (via PKCS#11) - ✅ Azure Dedicated HSM - ✅ Google Cloud HSM

Development/testing: - ✅ SoftHSM (software emulation, included)

Integration: Requires PKCS#11 configuration (contact solutions team)

Timeline: 1-2 weeks for HSM integration (includes testing)

Support Questions

How do I get help?

Support channels (by tier):

All tiers: - 📖 Documentation (this site, instant) - 💬 Community forum (< 24 hours) - 📧 Email support (< 48 hours)

Enterprise tier adds: - 💬 Dedicated Slack channel (< 2 hours) - 📞 Phone support (24/7) - 👨‍💻 Technical account manager - 🏢 On-site assistance (if needed)

Contact: [email protected]

What if I need help with migration?

Migration assistance:

Included (all tiers): - ✅ Migration guides (documentation) - ✅ Sample scripts (bulk import, re-encryption) - ✅ Email support (migration questions)

Enterprise tier: - ✅ Migration planning session (1-2 hours) - ✅ Custom scripts (your environment) - ✅ Hands-on assistance (we help migrate)

Professional services (add-on): - ✅ Full migration execution (we do it for you) - ✅ Cost: $10K-$50K (depends on complexity)

Contact: [email protected]

Is there a service level agreement (SLA)?

SaaS SLAs:

On-premise SLA: Your responsibility (you manage infrastructure)

SLA credits (if we miss SLA): - 99.9% → 99.0%: 10% credit - < 99.0%: 25% credit

Status page: https://status.ankatech.co

Still Have Questions?

Search Common Topics

By category: - General questions - Technical questions - Pricing questions - Compliance questions - Migration questions - Security questions - Platform questions - Support questions

Contact Us

Sales (pricing, demos, trials): - Email: [email protected] - Schedule: https://ankatech.co/schedule-demo

Support (technical issues): - Email: [email protected] - Forum: https://community.ankatech.co

Compliance (federal, HIPAA, PCI): - Email: [email protected] - Schedule: https://ankatech.co/compliance-consultation

Migration (AWS/Azure/Vault): - Email: [email protected] - Download: https://ankatech.co/migration-playbook

Didn't Find Your Answer?

Ask us directly:

📧 Email: [email protected] (48-hour response)

💬 Community forum: https://community.ankatech.co (developer community)

📞 Schedule call: https://ankatech.co/schedule-call (talk to expert)

📥 Submit question: https://ankatech.co/ask-question (anonymous option available)

FAQ last updated: 2026-01-07 | 50+ questions answered | Updated weekly based on customer feedback