Quantum Shield

Configuration Guide

Getting Started

Lastwall's Quantum Shield is distributed as an AMI in the AWS Marketplace. To use Quantum Shield, deploy the Quantum Shield AMI as an EC2 instance in your AWS account. The AMI is based on Amazon Linux 2023 with Quantum Shield installed as the nginx service.


Quantum Shield is nginx compatible, which means that for the most part it can be used just like a normal nginx installation on Amazon Linux 2023. The process is managed by the same nginx service unit in systemd (sudo systemctl restart nginx.service), and configuration is managed the same way as nginx on Amazon Linux (/etc/nginx/nginx.conf and /etc/nginx/conf.d/default.conf). The public nginx configuration documentation can be found at https://nginx.org/en/docs.


The initial configuration creates a self-signed certificate to enable the SSL listener on port 443 by default, with post-quantum encryption available.

Differences from nginx

While Quantum Shield works like nginx for the most part, there are some known limitations when compared to nginx:

  • The ssl_engine configuration directive is not supported.
  • The ssl_ecdh_curve configuration directive uses a different set of names for the algorithms. See the Configuration section below for a list of the available options.

Configuration

A default configuration, located at /etc/nginx/conf.d/default.conf, is loaded with the AMI to give an example of how to configure Quantum Shield to use post-quantum resistant encryption.


After any configuration change is made, Quantum Shield needs to be reloaded in order to pick up the configuration updates. This can be done by issuing the sudo systemctl reload nginx.service command.


If the Quantum Shield process gets stopped for any reason, the process can be restarted with: sudo systemctl restart nginx.service.


ssl_ecdh_curve

The ssl_ecdh_curve directive accepts a different set of algorithm names than a normal nginx installation, but still takes a colon (:) separated list. Below is a list of commonly used curve names that are accepted:

  • X25519Kyber768Draft00
  • X25519
  • P-521
  • P-384
  • P-256
  • P-224

When this directive is not specified, the default is X25519:P-256, which does not use post-quantum resistant encryption.
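As an added example (not the AMI's shipped default.conf), here is a minimal HTTPS server block that prefers the hybrid post-quantum group while keeping classical fallbacks; the server name and certificate paths are placeholders, and the TLS 1.3-only restriction is a choice made for this example.

```nginx
# Added example: a minimal HTTPS server block for Quantum Shield.
# Not the AMI's shipped default.conf; server_name and cert paths are placeholders.
server {
    listen 443 ssl;
    server_name example.com;   # placeholder

    # Placeholder paths. The AMI ships a self-signed certificate whose
    # location is set in /etc/nginx/conf.d/default.conf; point these at
    # your own certificate and key once issued.
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # The X25519Kyber768Draft00 hybrid is only negotiable under TLS 1.3.
    # Limiting the listener to TLS 1.3 (a choice for this example) means a
    # handshake never silently drops to a TLS 1.2 classical key exchange.
    ssl_protocols TLSv1.3;

    # Quantum Shield's curve names, colon separated. The hybrid group is
    # listed first so the server prefers it whenever a client offers it;
    # X25519 and P-256 remain as fallbacks for clients without hybrid support.
    # Omitting this directive falls back to X25519:P-256, which gives no
    # post-quantum protection.
    ssl_ecdh_curve X25519Kyber768Draft00:X25519:P-256;

    # ssl_engine is not supported by Quantum Shield, so it is intentionally absent.

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

After saving the file, check it with sudo nginx -t and apply it with sudo systemctl reload nginx.service.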