AnkaSecure SDK — Integration Flows
The SDK ships with 34 runnable reference flows that demonstrate, line by line, how to solve the most common (and a few advanced) cryptographic tasks with AnkaSecure:
- classical → post-quantum migration
- detached-stream processing of multi-gigabyte files
- key-life-cycle automation, immediate rotation, RFC 7396 merge-patches
- public-key utilities that never persist material server-side
Each flow lives in its own Markdown file containing copy-paste-ready Java code — no stubs, no ellipsis.
How to use the flows
- Choose a scenario from the table below.
- Click “View Code” to open the standalone `.md` that contains the full Java class (it has a `main` method).
- Compile & run with your `cli.properties` or adapt snippets into your project.
Need the bigger picture?
- SDK Overview — architecture & design goals
- SDK Usage Guide — setup, authentication, and basic operations
Integration flows catalogue
| # | Flow name | When to use / Typical scenario | Code |
|---|---|---|---|
| 1 | Asymmetric Encrypt / Decrypt (Streaming) | Encrypt & decrypt GB-scale files with a freshly-generated post-quantum key. | View Code |
| 2 | Detached-JWS Sign / Verify (Streaming) | Protect log archives or binaries during CI — signature is produced & verified while the file streams. | View Code |
| 3 | Symmetric Encrypt / Decrypt (Streaming) | Fast, memory-flat encryption of big data sets with AES-256 when no public-key exchange is required. | View Code |
| 4 | Asymmetric Re-encrypt (Streaming) | Lift existing RSA ciphertext to ML-KEM without ever touching plaintext (zero-exposure migration). | View Code |
| 5 | ML-KEM-512 Encrypt / Decrypt (Compact) | Quick in-memory demo; ideal for unit tests or small-payload microservices. | View Code |
| 6 | ML-DSA-87 Sign / Verify (Compact) | Post-quantum signing of configuration files or JSON messages below 5 MiB. | View Code |
| 7 | AES-256 Encrypt / Decrypt (Compact) | Lightweight symmetric encryption for secrets or tokens stored in DB fields. | View Code |
| 8 | EC-521 → ML-KEM-768 Re-encrypt (Compact) | Point-in-time upgrade of legacy EC KEM to PQC for small messages. | View Code |
| 9 | RSA-2048 → ML-DSA-65 Re-sign (Compact) | Replace classical signatures on JSON/JWT artefacts with post-quantum equivalents. | View Code |
| 10 | Public-Key Utility — Encrypt & Decrypt | Encrypt client-side with an exported ML-KEM-1024 public key; decrypt server-side — no key import needed. | View Code |
| 11 | Public-Key Utility — Sign & Verify | Produce a server-side ML-DSA-87 signature and verify locally to audit trust boundaries. | View Code |
| 12 | Stream Re-sign (RSA-2048 → Falcon-1024) | Large-file signature upgrade without full buffering — perfect for media or VM images. | View Code |
| 13 | PKCS#12 Import & Hybrid Crypto | On-board legacy CA keys, then use them for both signing and encryption in a single workflow. | View Code |
| 14 | Key-Lifecycle Walk-through | End-to-end life-cycle: generate → export → revoke → reuse | View Code |
| 15 | ML-DSA-87 Sign / Verify (Streaming) | High-throughput post-quantum signing when the artefact doesn’t fit in RAM. | View Code |
| 16 | ML-KEM-1024 Encrypt / Decrypt (Streaming) | Archive-grade (≥ 30 year) encryption for huge backups — CEK wrapped with ML-KEM-1024. | View Code |
| 17 | Immediate Key Rotation & Metadata Probe | Generate key A, rotate to key B in one call, verify the chain links via exported metadata. | View Code |
| 18 | Dynamic Limit / Lifetime Patch (AES-256) | Demonstrates RFC 7396 merge-patch to raise usage caps and extend expiry without downtime. | View Code |
| 19 | Supported-Algorithm Discovery Smoke-Test | Programmatically list RECOMMENDED algorithms, pick one, then run encrypt + sign round-trips. | View Code |
| 20 | In-memory JWE/JWS Quick-start | 100-line reference that combines compact encrypt + sign + verify for small payload automation. | View Code |
| 21 | Compact-token Rotation (Re-encrypt) | Rotate compact JWEs in bulk (old → new kid) when payloads are already under 5 MiB. | View Code |
| 22 | Detached-JWS Stream Verification | Continuous integrity scan of object-storage buckets — verify signatures as objects stream in. | View Code |
| 23 | RSA-2048 → ML-KEM-768 Immediate Rotation | One-call rotation between heterogeneous algorithms, showing automatic compatibility checks. | View Code |
| 24 | Sign-Then-Encrypt Nested Operations | Authenticated encryption combining ML-DSA-65 signature + ML-KEM-768 encryption (JWE(JWS) pattern). | View Code |
| 25 | External Key Interoperability | Encrypt & verify signatures using partner public keys without keystore import (B2B integration). | View Code |
| 26 | PKCS#7 to JOSE Migration | Migrate legacy PKCS#7 SignedAndEnvelopedData to modern JOSE (JWE) with post-quantum upgrade. | View Code |
| 27 | Key Lifecycle with Revocation | Complete lifecycle from ACTIVE → REVOKED with usage tracking and revocation enforcement. | View Code |
| 28 | Export and Share Public Keys | B2B secure communication workflow with public key distribution and fingerprint verification. | View Code |
| 29 | Composite Hybrid Keys (Quantum-Resistant) | Combine classical + PQC algorithms for defense-in-depth security (NIST CSWP 39, GSA PQC, Executive Order 14144 compliance). | View Code |
| 30 | Regulatory Compliance Templates | Create composite keys meeting specific regulatory requirements (BSI, ANSSI, ETSI, EU, NIST, ENISA). Ideal for regulated industries (finance, healthcare, defense) requiring documented PQC compliance. | View Code |
| 31 | Security Level Matching | Validate composite key components meet NIST security levels (Level 3 or 5). Enforces consistent strength across hybrid cryptographic schemes. Prevents mismatched algorithm combinations. | View Code |
| 32 | KDF Comparison | Compare Key Derivation Functions (HKDF-SHA256/512, KMAC256, CatKDF, CasKDF) for composite keys. Choose based on performance, compliance, and security requirements. | View Code |
| 33 | Composite Key Builder API | Demonstrates 4 builder approaches: manual construction, preset builder, compliance templates, one-liner methods. Reduces boilerplate for common composite key configurations. | View Code |
| 34 | Composite Key Rotation (HYBRID_KEM_COMBINE) | Rotate quantum-resistant composite keys maintaining mode and algorithms. Zero-downtime rotation with audit trail. Compliance-driven key refresh for HNDR protection. | View Code |
Composite Key Flows (29-34): Flows 29-34 demonstrate composite hybrid keys combining classical and post-quantum algorithms for quantum-resistant security. These flows cover HYBRID_KEM_COMBINE encryption (24 combinations) and DUALSIGN signatures (11 combinations), supporting 35 validated composite pairings across NIST FIPS 203/204 and ETSI standards.
Running the examples
- Provide credentials — ensure `cli.properties` is available or pass `-Dcli.config=/path/to/cli.properties`.
- Open the flow you’re interested in and compile the Java class.
- Execute — every class has a ready-to-run `main`.
- Inspect artefacts & console output to see keys, ciphertext, signatures, warnings, and metadata envelopes.
Need the CLI instead of Java?
The AnkaSecure Crypto CLI provides 40 commands covering all operations demonstrated in these flows and more. See the complete CLI Commands Reference for command-line usage.
Conclusion
These integration flows are production-grade blueprints that make it trivial to:
- adopt post-quantum algorithms,
- stream-encrypt multi-terabyte data sets,
- rotate keys or signatures without exposing plaintext,
- and enforce life-cycle policy in minutes rather than weeks.
For deeper dives read SDK Usage Guide and SDK Overview or contact [email protected].
© 2025 ANKATech Solutions INC — All rights reserved.