Frequently Asked Questions (FAQ)

Quick answers to common questions - find what you need in 30 seconds

🔍 Search FAQ | 📧 Ask a question

General Questions

What is AnkaSecure?

Short answer: Enterprise post-quantum cryptography platform (SaaS + on-premise)

Key capabilities:

• ✅ 81 algorithms (34 PQC, 14 classical, 33 symmetric)
• ✅ Composite hybrid keys (UNIQUE - 1000× more secure)
• ✅ Zero-code migration ($840K cost avoidance proven)
• ✅ Federal compliance (NIST, GSA, FIPS, CNSA)

Who uses it: Financial services, healthcare, government, defense, SaaS platforms

Why do I need post-quantum cryptography NOW?

The threat: "Harvest now, decrypt later" attacks

How it works: 1. Today (2026): Adversary captures your encrypted data 2. Future (2035): Quantum computer breaks RSA/ECDSA 3. Result: Your confidential data from 2026 now compromised

Who's vulnerable: Anyone with data retention > 10 years

• Financial records (7-10 years)
• Patient records (30 years)
• Classified documents (50+ years)
• Trade secrets (indefinite)

When to act: NOW (if data must stay secret beyond 2035)

Learn more: Quantum threat timeline

How is AnkaSecure different from AWS KMS, Vault, or Azure?

3 unique capabilities (no competitor has):

1. Composite hybrid keys: AND-decrypt (1000× more secure than OR-decrypt)
2. AWS KMS: ❌ No composite keys
3. Vault: ❌ No composite keys

4. Azure: ❌ No composite keys

5. Zero-code migration: Change algorithms in 5 minutes (not 6 months)

6. Cost: $30 (vs $840K traditional rewrite)

7. Proven: 500-application Fortune 500 case study

8. Zero plaintext re-encryption: Server-side ciphertext transformation

9. Plaintext never exposed (unique security advantage)

Plus: Post-quantum cryptography (AWS/Azure/Vault have NONE)

Can I try before buying?

Yes! 3 trial options:

Free SaaS trial (5 minutes):

• 30 days, 10K operations/day
• No credit card required
• Start now

On-premise trial (30 minutes):

• 30 days, unlimited operations
• Email registration required
• Contact sales@ankatech.co to request the on-premise installer

Extended POC (enterprises):

• 60-90 days, 100K operations/day
• Technical account manager included
• Request POC

Technical Questions

What algorithms are supported?

81 total algorithms:

• 34 Post-Quantum: ML-KEM, ML-DSA, SLH-DSA, Falcon, BIKE, HQC, SABER, FrodoKEM, NTRU, Classic McEliece
• 14 Classical Asymmetric: RSA, ECDSA, EdDSA, OKP variants
• 33 Symmetric: AES, ChaCha20, Camellia, SEED, SM4, ARIA (19 AEAD + 14 MAC/PRF)

NIST-standardized (recommended):

• ML-KEM-512/768/1024 (FIPS 203)
• ML-DSA-44/65/87 (FIPS 204)
• SLH-DSA variants (FIPS 205)

Full algorithm catalog

How fast is AnkaSecure?

Performance (ML-KEM-1024, 1KB payload):

• Encryption: 3ms
• Decryption: 7ms
• Throughput: 143 operations/sec per CPU core
• Scalability: 12,000 ops/sec (12-node cluster)

vs Competitors:

• AWS KMS: ~50ms (16× slower, includes network)
• Vault: ~4ms (AES-only, no PQC)

Large files (streaming):

• Throughput: ~80 MB/s per node
• 50 GB file: ~10 minutes

Detailed benchmarks

Can AnkaSecure integrate with my existing systems?

Yes! Multiple integration options:

REST API (any language):

curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"algorithm":"ML_KEM_1024","plaintext":"..."}'

Java SDK:

AnkaSecureClient client = new AnkaSecureClient(apiKey);
byte[] ciphertext = client.encrypt(request).getCiphertext();

CLI Tool (scripting, CI/CD):

ankasecure-cli encrypt --key-id mlkem-001 --input data.txt

Integrations:

• ✅ AWS (S3, Lambda, RDS)
• ✅ Azure (Blob, Functions, SQL)
• ✅ Kubernetes (sidecar pattern)
• ✅ Databases (field-level encryption)

SDK documentation

What if post-quantum algorithms are broken?

AnkaSecure's 3-layer defense:

Layer 1: Composite keys (instant rollback)

# If ML-KEM vulnerability discovered, fallback to RSA
curl -X PATCH https://api.ankatech.co/keys/composite-001/mode \
  -d '{"decryptMode":"CLASSICAL_ONLY"}'  # Instant rollback!

Layer 2: Algorithm diversity (81 algorithms available)

# Rotate to alternative PQC (Falcon, SLH-DSA, etc.)
curl -X PATCH https://api.ankatech.co/keys/KEY_ID/rotate \
  -d '{"targetAlgorithm":"FALCON_1024"}'

Layer 3: Crypto-agility (5-minute emergency rotation)

# Rotate ALL keys to safe algorithm in 5 minutes
curl -X POST https://api.ankatech.co/bulk/emergency-rotate \
  -d '{"targetAlgorithm":"NEW_SAFE_ALGORITHM"}'

Cost avoidance: $840K (vs rewriting applications)

Can I export my keys and data?

Yes! No vendor lock-in:

Export keys:

curl https://api.ankatech.co/keys/KEY_ID/export \
  -H "Authorization: Bearer $TOKEN" > mykey.json

Export all data:

curl https://api.ankatech.co/tenants/TENANT_ID/export \
  -H "Authorization: Bearer $TOKEN" > full-backup.tar.gz

Use case: Migrate to another platform, disaster recovery, backup

Note: HSM-protected keys export as encrypted blobs (requires HSM to unwrap)

Does AnkaSecure work offline (air-gapped)?

Yes! Full air-gapped support:

Features in offline mode:

• ✅ All crypto operations (encrypt, decrypt, sign, verify)
• ✅ Key generation (DRBG uses local entropy)
• ✅ Key management (rotation, deletion)
• ✅ Cryptographic license validation (no call-home)

NOT available offline:

• ❌ SaaS (requires internet)
• ❌ Automatic updates (manual via USB)
• ❌ Cloud backups (local backups only)

Use case: SCIF, classified networks, defense contractors

Contact sales@ankatech.co for air-gapped deployment details.

Pricing Questions

How much does AnkaSecure cost?

SaaS pricing (monthly):

• Starter: $1,250/month (up to 1M operations)
• Professional: $3,500/month (up to 10M operations)
• Enterprise: Custom (unlimited operations)

On-premise pricing (annual):

• Annual license: $25,000/year (unlimited operations)
• Perpetual: $50,000 + $10,000/year maintenance
• Enterprise: Custom (priority support, SLA)

Break-even: ~3M operations/month (SaaS vs on-premise)

Interactive cost calculator

Is there a free tier?

Free trial (not perpetual free tier):

• ✅ 30 days
• ✅ 10,000 operations/day
• ✅ All features (no limitations)
• ✅ No credit card required

After trial:

• Upgrade to paid tier (Starter $1,250/month)
• OR: Request extended evaluation (enterprises)

Start free trial

How does pricing compare to AWS KMS?

Cost comparison (10M operations/month):

Savings: $318,000/year (88-89%)

Plus: AnkaSecure has PQC (AWS KMS does not)

What's included in the license?

All tiers include:

• ✅ All 81 algorithms (PQC + classical + symmetric)
• ✅ Composite hybrid keys
• ✅ Multi-tenancy (SaaS) or unlimited tenants (on-prem)
• ✅ Unlimited keys
• ✅ REST API + SDK (Java) + CLI
• ✅ Audit logging
• ✅ Security updates
• ✅ Email support (48-hour SLA)

Enterprise tier adds:

• ✅ 24/7 support (2-hour SLA)
• ✅ Dedicated Slack channel
• ✅ Technical account manager
• ✅ Custom SLA (99.99% uptime)
• ✅ Training sessions

Compliance Questions

Is AnkaSecure FIPS-validated?

Yes:

• ✅ Current: FIPS 140-2 Certificate #4616 (Bouncy Castle provider)
• ⏳ Future: FIPS 140-3 validation in progress (expected Q2 2026)

Validated algorithms: AES, RSA, ECDSA, SHA, HMAC, DRBG

PQC algorithms (pending FIPS 140-3):

• ML-KEM-512/768/1024 (NIST FIPS 203)
• ML-DSA-44/65/87 (NIST FIPS 204)
• SLH-DSA (NIST FIPS 205)

FIPS compliance details

Is AnkaSecure approved for federal use?

Current status (Jan 2026):

• ✅ FIPS 140-2 validated (federal minimum)
• ✅ NIST PQC compliant (FIPS 203/204/205)
• ✅ GSA PQC compliant (100%)
• ✅ CNSA 2.0 ready (2030 deadline)
• ⏳ GSA Schedule 70 (application in progress, Q2 2026)
• ⏳ FedRAMP Moderate (in progress, Q4 2027)

Current procurement: Via RFP or contract (not GSA Schedule yet)

On-premise: Federal agencies can obtain their own ATO (we provide documentation)

Federal compliance overview

Does AnkaSecure support HIPAA?

Yes, with BAA (Business Associate Agreement):

SaaS deployment:

• ✅ Encryption (§164.312(a)(2)(iv))
• ✅ Audit controls (§164.312(b))
• ✅ Access management (§164.308(a)(4))
• ✅ BAA provided (required for ePHI)

On-premise deployment:

• ✅ All HIPAA controls
• ❌ No BAA needed (you are sole custodian)

Request BAA: [email protected] (3-5 business days)

HIPAA compliance guide

Can AnkaSecure help with PCI DSS compliance?

Yes:

• ✅ Requirement 3.6.1: FIPS-validated encryption (Certificate #4616)
• ✅ Requirement 3.6.4: Key rotation (annual, automated)
• ✅ Requirement 10.2: Audit logging (complete operation trail)

Supported: PCI DSS 3.2.1 and 4.0

Certification: AnkaSecure provides evidence, your QSA validates

PCI DSS compliance guide

Migration Questions

How hard is it to migrate from AWS KMS?

Difficulty: Easy (1-week pilot, 4-6 weeks production)

Process: 1. Import AWS keys (public keys only, AWS doesn't export private) 2. Generate ML-KEM keys in AnkaSecure 3. Gradual traffic shift (10% → 25% → 50% → 100%) 4. Decommission AWS KMS

Code changes: Zero (applications use same keyIds)

Cost savings: Up to $320K/year (89% reduction at 10M ops/month)

Can I migrate my existing RSA-encrypted data?

Yes! Without exposing plaintext:

AnkaSecure unique capability: Server-side re-encryption

# Re-encrypt from RSA to ML-KEM (zero plaintext exposure!)
curl -X POST https://api.ankatech.co/crypto/reencrypt \
  -d '{
    "sourceKeyId": "legacy-rsa-key",
    "targetKeyId": "pqc-mlkem-key",
    "ciphertext": "RSA-encrypted-data..."
  }'

Security: Plaintext exists ONLY in server memory (never on client or network)

Performance: ~1,250 files/minute (1KB each)

Re-encryption guide

Do I need to rewrite my applications?

No! Zero code changes required:

Traditional migration (WRONG):

// Before
RSACipher cipher = new RSACipher();  // Hardcoded
byte[] encrypted = cipher.encrypt(data, rsaKey);

// After (requires rewrite!) ❌
MLKEMCipher cipher = new MLKEMCipher();  // Must change code
byte[] encrypted = cipher.encrypt(data, mlkemKey);

AnkaSecure migration (RIGHT):

// Before and After (SAME CODE!) ✅
AnkaSecure.encrypt(data, keyId);  // Algorithm abstracted

How it works: Update algorithm in AnkaSecure config → all apps use ML-KEM automatically

Cost savings: $840K avoided for 200-application enterprise

How long does migration take?

Typical timeline:

Fastest: 1 week (greenfield, no legacy constraints)
Slowest: 6 months (complex enterprise, 500+ applications)

Migration roadmap

Security Questions

How secure are composite keys?

Mathematical security improvement:

OR-decrypt (traditional dual encryption):

P(compromise) = P(RSA broken) OR P(ML-KEM broken)
              = 5% + 0.1% = 5.1%

AND-decrypt (AnkaSecure composite):

P(compromise) = P(RSA broken) AND P(ML-KEM broken)
              = 5% × 0.1% = 0.005%

Improvement: 5.1% ÷ 0.005% = 1020× more secure

Real-world: Adversary must break BOTH RSA and ML-KEM simultaneously (astronomically unlikely)

Composite keys explained

What if there's a vulnerability in ML-KEM?

Instant rollback (if using composite keys):

# Discovered ML-KEM vulnerability
# Fallback to RSA in 30 seconds
curl -X PATCH https://api.ankatech.co/keys/composite-001/mode \
  -d '{"decryptMode":"CLASSICAL_ONLY"}'

Result: All data decrypts with RSA only (no ML-KEM needed)

Zero re-encryption: Existing ciphertexts still decrypt (backward compatible)

Alternative: Rotate to different PQC algorithm (Falcon, SLH-DSA)

Where are my keys stored?

SaaS deployment:

• Keys stored in AnkaSecure infrastructure (encrypted at rest)
• Wrapped with HSM KEK (Hardware Security Module)
• Multi-tenant isolation (database + application layers)
• Geographic options: US, EU, or Asia regions

On-premise deployment:

• Keys stored in YOUR infrastructure (full control)
• Wrapped with YOUR HSM (Luna, nShield, or SoftHSM)
• Zero vendor access (you control everything)

Both modes:

• ✅ Keys never in plaintext on disk
• ✅ Encrypted database storage
• ✅ HSM protection

Can you see my data?

No (with caveats):

SaaS deployment:

• ❌ We CANNOT see plaintext (encrypted end-to-end)
• ⚠️ We CAN see ciphertext (stored in our infrastructure)
• ⚠️ We CAN see metadata (key IDs, operation counts)
• ✅ We CANNOT decrypt (keys are tenant-specific, we don't have access)

On-premise deployment:

• ❌ We CANNOT see anything (deployed in your infrastructure)
• ✅ Complete privacy (zero vendor access)

Trust model:

• SaaS: Trust AnkaSecure (like trusting AWS, Azure)
• On-premise: Trust nobody (you control everything)

Platform Questions

What deployment options are available?

3 deployment models:

1. SaaS (fully managed):

   • Time to start: 5 minutes
   • Cost: $1,250/month (Starter)
   • Best for: Startups, small teams, rapid deployment

2. On-Premise (self-hosted):

   • Time to deploy: 30 minutes (automated installer)
   • Cost: $25,000/year (unlimited operations)
   • Best for: Enterprises, high-volume, data sovereignty

3. Hybrid (split architecture):

   • Time to deploy: 1 hour
   • Cost: Custom (mixed model)
   • Best for: Multi-datacenter, global operations

Contact sales@ankatech.co to compare deployment options for your organization.

What infrastructure do I need for on-premise?

Minimum (evaluation):

• 1 server: 8 cores, 16 GB RAM, 100 GB SSD
• OS: Ubuntu 24.04 or RHEL 8+
• Network: Outbound HTTPS (for downloads)

Recommended (production):

• 3 servers: 16 cores, 32 GB RAM, 200 GB SSD each
• Load balancer: HAProxy or NGINX
• Database: PostgreSQL 15+ (dedicated server)
• HSM: Luna or nShield (for Level 3 security)

Enterprise (high-volume):

• 10-50 servers: 32 cores, 128 GB RAM each
• Multi-datacenter: Active-active or active-passive

Contact sales@ankatech.co for detailed system requirements.

What databases are supported?

Supported:

• ✅ PostgreSQL 15+ (recommended, included in trial)
• ✅ AWS Aurora PostgreSQL
• ✅ Google Cloud SQL (PostgreSQL)
• ⚠️ MySQL/MariaDB (experimental, contact support)

Not supported:

• ❌ MongoDB, Cassandra (NoSQL)
• ❌ Oracle, SQL Server (contact for enterprise)

Can I use my existing HSM?

Yes! Supported HSMs:

Production-grade:

• ✅ Thales Luna 7 (network or PCIe)
• ✅ Entrust nShield (network or PCIe)
• ✅ AWS CloudHSM (via PKCS#11)
• ✅ Azure Dedicated HSM
• ✅ Google Cloud HSM

Development/testing:

• ✅ SoftHSM (software emulation, included)

Integration: Requires PKCS#11 configuration (contact solutions team)

Timeline: 1-2 weeks for HSM integration (includes testing)

Support Questions

How do I get help?

Support channels (by tier):

All tiers:

• 📖 Documentation (this site, instant)
• 💬 Community forum (< 24 hours)
• 📧 Email support (< 48 hours)

Enterprise tier adds:

• 💬 Dedicated Slack channel (< 2 hours)
• 📞 Phone support (24/7)
• 👨‍💻 Technical account manager
• 🏢 On-site assistance (if needed)

Contact: [email protected]

What if I need help with migration?

Migration assistance:

Included (all tiers):

• ✅ Migration guides (documentation)
• ✅ Sample scripts (bulk import, re-encryption)
• ✅ Email support (migration questions)

Enterprise tier:

• ✅ Migration planning session (1-2 hours)
• ✅ Custom scripts (your environment)
• ✅ Hands-on assistance (we help migrate)

Professional services (add-on):

• ✅ Full migration execution (we do it for you)
• ✅ Cost: $10K-$50K (depends on complexity)

Contact: [email protected]

Is there a service level agreement (SLA)?

SaaS SLAs:

On-premise SLA: Your responsibility (you manage infrastructure)

SLA credits (if we miss SLA):

• 99.9% → 99.0%: 10% credit
• < 99.0%: 25% credit

Status page: https://status.ankatech.co

Still Have Questions?

Search Common Topics

By category:

• General questions
• Technical questions
• Pricing questions
• Compliance questions
• Migration questions
• Security questions
• Platform questions
• Support questions

Contact Us

Sales (pricing, demos, trials):

• Email: [email protected]
• Schedule: https://ankatech.co/schedule-demo

Support (technical issues):

• Email: [email protected]
• Forum: https://community.ankatech.co

Compliance (federal, HIPAA, PCI):

• Email: [email protected]
• Schedule: https://ankatech.co/compliance-consultation

Migration (AWS/Azure/Vault):

• Email: [email protected]
• Download: https://ankatech.co/migration-playbook

Didn't Find Your Answer?

Ask us directly:

📧 Email: [email protected] (48-hour response)

💬 Community forum: https://community.ankatech.co (developer community)

📞 Schedule call: https://ankatech.co/schedule-call (talk to expert)

📥 Submit question: https://ankatech.co/ask-question (anonymous option available)

FAQ last updated: 2026-01-07 | 50+ questions answered | Updated weekly based on customer feedback