Post-Quantum Data-at-Rest

Encrypt Everything at Rest with Post-Quantum Security

Hybrid Kyber+AES-256-GCM encryption for data at rest. Field-level encryption with automatic sensitivity classification, zero-downtime key rotation, and full audit trails. NIST Level 3 security.

4 API Endpoints · <1ms Encrypt Latency · Zero Downtime Rotation · NIST L3 Security Level
Three Steps to Post-Quantum Encryption
Send your data, we classify and encrypt it with hybrid PQ cryptography, then return ciphertext you can store anywhere.
1 Upload

Send Your Data

Submit raw data or structured fields via Base64-encoded API calls. The HybridEncryptor receives your plaintext over TLS and prepares it for post-quantum encryption.

Base64 I/O · TLS 1.3 · Any Data Type
2 Classify & Encrypt

Kyber+AES-256-GCM

Automatic sensitivity classification detects PII, PHI, and financial data. Each field is encrypted with a Kyber-encapsulated AES-256-GCM key. Sub-millisecond per operation.

ML-KEM (Kyber) · AES-256-GCM · Auto-Classify
3 Store & Retrieve

Decrypt on Demand

Store ciphertext in your own database, S3, or any backend. Retrieve and decrypt with the key ID at any time. Zero-downtime key rotation re-encrypts without service interruption.

Key ID Tracking · Any Storage · Audit Trail
Features
Why H33 Storage Encryption
Production-grade post-quantum data-at-rest encryption with field-level granularity and zero-downtime operations.

Hybrid PQ Encryption

Kyber (ML-KEM) key encapsulation wraps AES-256-GCM symmetric keys. Resistant to both classical and quantum adversaries. NIST FIPS 203 compliant.

Field-Level Encryption

Encrypt individual fields within structured data. SSN, email, medical records, and financial data each get their own encryption envelope. Granular access control per field.

Sensitivity Classification

Automatic detection of PII, PHI, and financial data. The classifier tags fields as high, medium, or low sensitivity before encryption. No manual annotation required.

Key Rotation

Zero-downtime key rotation re-encrypts data under a new Kyber key pair without service interruption. Old keys are retired gracefully. Meets compliance rotation schedules.

Base64 I/O

All data in and out is Base64-encoded for safe transport over JSON APIs. Binary, text, images, documents — any payload type supported without escaping issues.

Audit Trail

Every encrypt, decrypt, and rotation operation is logged with timestamps, key IDs, and caller identity. Exportable audit logs for compliance reporting and forensic review.


Use Cases
Built for Regulated Industries
Post-quantum data-at-rest encryption that satisfies the strictest compliance frameworks.

Healthcare (HIPAA)

Encrypt ePHI at the field level — patient names, SSNs, diagnoses, prescriptions. Automatic PHI detection ensures nothing slips through unencrypted. Audit trails satisfy HIPAA technical safeguard requirements.

HIPAA Compliant

Financial Services (PCI-DSS)

PAN, CVV, and account numbers encrypted with post-quantum keys. Field-level granularity means only authorized services decrypt specific fields. Key rotation on schedule without downtime.

PCI-DSS Ready

Government (FedRAMP)

NIST Level 3 post-quantum encryption for classified-adjacent data. ML-KEM (FIPS 203) key encapsulation meets federal cryptographic standards. Full audit trail for FedRAMP continuous monitoring.

NIST FIPS 203

Enterprise (SOC 2)

Encrypt customer data, API keys, secrets, and internal records at rest. Demonstrate encryption-at-rest controls for SOC 2 (In Progress) audits. Zero-downtime rotation proves operational maturity.

SOC 2 (In Progress)
Four Endpoints. Full Encryption Lifecycle.
Encrypt, decrypt, classify fields, and rotate keys — all through simple REST calls with Base64 I/O.
POST /api/storage/encrypt
Encrypt arbitrary data (Base64 I/O)
Request
{
  "data": "SGVsbG8gV29ybGQ=",
  "key_id": "k_live_abc123",
  "metadata": {
    "label": "user-record-4821"
  }
}
Response
{
  "ciphertext": "eyJhbGciOiJLeWJl...",
  "key_id": "k_live_abc123",
  "algorithm": "KYBER+AES-256-GCM",
  "nonce": "dGhpcyBpcyBhIG5v...",
  "encrypted_at": "2026-03-04T12:00:00Z"
}
POST /api/storage/decrypt
Decrypt data with key ID
Request
{
  "ciphertext": "eyJhbGciOiJLeWJl...",
  "key_id": "k_live_abc123",
  "nonce": "dGhpcyBpcyBhIG5v..."
}
Response
{
  "data": "SGVsbG8gV29ybGQ=",
  "algorithm": "KYBER+AES-256-GCM",
  "decrypted_at": "2026-03-04T12:00:01Z",
  "key_id": "k_live_abc123"
}
POST /api/storage/encrypt-fields
Field-level encryption with sensitivity detection
Request
{
  "fields": {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "notes": "Regular checkup"
  },
  "auto_classify": true
}
Response
{
  "encrypted_fields": {
    "name": { "ct": "...", "s": "PII" },
    "ssn": { "ct": "...", "s": "PII_HIGH" },
    "email": { "ct": "...", "s": "PII" },
    "notes": { "ct": "...", "s": "LOW" }
  },
  "key_id": "k_live_abc123",
  "classifications": 4
}
POST /api/storage/rotate
Re-encrypt under new key without downtime
Request
{
  "old_key_id": "k_live_abc123",
  "ciphertexts": [
    "eyJhbGciOiJLeWJl...",
    "eyJhbGciOiJLeWJl..."
  ]
}
Response
{
  "new_key_id": "k_live_def456",
  "rotated": 2,
  "ciphertexts": [
    "eyJuZXdLZXkiOiJ...",
    "eyJuZXdLZXkiOiJ..."
  ],
  "old_key_retired": true,
  "rotated_at": "2026-03-04T12:00:02Z"
}
H33 vs. Traditional Encryption Services
H33 is the only storage encryption API with post-quantum key encapsulation, automatic field classification, and zero-downtime rotation.
| Feature | H33 Storage Encryption | AWS KMS | Azure Always Encrypted | Vault Transit |
|---|---|---|---|---|
| Encryption algorithm | Kyber+AES-256-GCM | AES-256-GCM | AES-256-CBC/GCM | AES-256-GCM |
| Post-quantum ready | Yes (ML-KEM FIPS 203) | No | No | No |
| Field-level encryption | Yes (auto-classify) | No (blob only) | Yes (column only) | No (blob only) |
| Sensitivity classification | Automatic (PII/PHI/financial) | Manual tagging | Manual | Manual |
| Key rotation | Zero-downtime re-encrypt | Manual re-encrypt | Manual re-encrypt | Manual |
| Vendor lock-in | None (REST API) | AWS only | Azure only | Self-hosted |
| Audit trail | Per-operation with key ID | CloudTrail | Activity logs | Audit backend |
| Pricing model | Per-unit (credits) | Per-request + storage | Per-column | Self-hosted cost |
| NIST Level | Level 3 (Kyber-768) | Level 1 (AES-256) | Level 1 (AES-256) | Level 1 (AES-256) |
FAQ
Frequently Asked Questions
Everything you need to know about H33 Storage Encryption.
What is hybrid post-quantum encryption?
H33 uses ML-KEM (Kyber-768) to encapsulate a symmetric key, which is then used with AES-256-GCM for data encryption. Even if quantum computers break the Kyber layer, the AES layer provides classical security. Even if AES is weakened, the Kyber layer provides lattice-based security.
How does automatic sensitivity classification work?
The classifier scans field names and values for PII patterns (SSN, email, phone), PHI patterns (diagnosis, prescription, patient ID), and financial patterns (PAN, CVV, account number). Fields are tagged high/medium/low before encryption.
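A caller-side check on the returned labels, as an added example that is not H33 code: it reruns a few local rules over the submitted fields and lists every field the response omitted, or tagged LOW although a local rule fired. The regexes, the field-name list and the function names are assumptions made for this example; the encrypted_fields shape and the LOW tag follow the sample response for /api/storage/encrypt-fields.

```python
import re

# Local rules below are assumptions for this example, not H33's classifier.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
NAME_RE = re.compile(
    r"(?<![a-z])(?:ssn|pan|cvv)(?![a-z])|account|diagnos|prescri|patient", re.I)

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def local_findings(name, value):
    """Reasons a field looks sensitive under the local rules."""
    hits = []
    if NAME_RE.search(name):
        hits.append("sensitive field name")
    if SSN_RE.search(value):
        hits.append("SSN pattern")
    if EMAIL_RE.search(value):
        hits.append("email pattern")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(value)):
        hits.append("Luhn-valid card number")
    return hits

def audit_labels(fields, encrypted_fields):
    """Map field -> reasons for fields absent from the response or tagged
    LOW although a local rule fired. An empty dict means nothing to review."""
    review = {}
    for name, value in fields.items():
        entry = encrypted_fields.get(name)
        if entry is None:
            review[name] = ["missing from response"]
        elif entry.get("s") == "LOW":
            hits = local_findings(name, str(value))
            if hits:
                review[name] = hits
    return review

# Constructed sample: free text carrying a test card number, tagged LOW.
print(audit_labels({"notes": "Card on file 4111 1111 1111 1111"},
                   {"notes": {"ct": "...", "s": "LOW"}}))
```

Run it on a sample of production-shaped records before relying on auto_classify, and treat any non-empty result as a field to review by hand.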
What is the encrypt latency?
Sub-millisecond (<1ms) per field encryption. The dominant cost is Kyber key encapsulation (~150µs) plus AES-256-GCM symmetric encryption. Field-level encryption processes each field independently.
Can I encrypt data already stored in my database?
Yes. Use the /api/storage/encrypt endpoint to encrypt existing plaintext. The response includes ciphertext and key_id. Replace the plaintext column with the ciphertext and store the key_id for future decryption.
How does zero-downtime key rotation work?
The /api/storage/rotate endpoint accepts ciphertexts encrypted under the old key and returns them re-encrypted under a new Kyber key pair. The old key is retired. No service interruption required.
What storage backends are supported?
Any. H33 Storage Encryption is storage-agnostic. You encrypt data via the API and store the ciphertext wherever you want: PostgreSQL, MySQL, S3, DynamoDB, Redis, or flat files. The API returns Base64-encoded ciphertext.
Is H33 Storage Encryption FIPS compliant?
The Kyber component follows NIST FIPS 203 (ML-KEM). The AES-256-GCM component follows FIPS 197. Combined, this provides NIST Level 3 post-quantum security. Full FIPS 140-3 module certification is in progress.
Can I encrypt files and binary data?
Yes. All data is handled as Base64-encoded binary. Images, PDFs, documents, database backups — any binary payload can be encrypted. The API treats all data as opaque bytes.
How do I decrypt only specific fields?
Use the /api/storage/encrypt-fields endpoint for field-level encryption. Each field gets its own ciphertext envelope. To decrypt, pass only the fields you need to the decrypt endpoint with their key_ids.
What happens if I lose the key_id?
Each encryption response includes the key_id used. Store this alongside the ciphertext. Without the key_id, decryption requires enumerating all active keys. We recommend storing key_id as a column or metadata field next to every ciphertext.
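The migration described in the answers on encrypting existing data and on losing the key_id, as an added example (not H33 code) using SQLite. It stores the nonce next to the ciphertext and key_id because the /api/storage/decrypt request shown on this page takes all three. The patients table, the column names and the function names are hypothetical, and the HTTP call is passed in as encrypt_call, with a constructed offline stand-in so the block runs without network access.

```python
import base64
import sqlite3

REQUIRED = {"ciphertext", "key_id", "nonce"}  # what /api/storage/decrypt takes

def offline_stand_in(b64_data):
    """Constructed stand-in for POST /api/storage/encrypt: echoes the page's
    sample response values so the example runs without network access."""
    return {"ciphertext": "eyJhbGciOiJLeWJl...", "key_id": "k_live_abc123",
            "nonce": "dGhpcyBpcyBhIG5v...", "algorithm": "KYBER+AES-256-GCM"}

def migrate_ssn(db, encrypt_call):
    """Swap patients.ssn plaintext for ciphertext, key_id and nonce.
    Table and column names are hypothetical. All rows change in a single
    transaction, so a failed call leaves the table as it was."""
    for col in ("ssn_ct", "ssn_key_id", "ssn_nonce"):
        db.execute(f"ALTER TABLE patients ADD COLUMN {col} TEXT")
    with db:  # commits on success, rolls back on any exception
        rows = db.execute(
            "SELECT id, ssn FROM patients WHERE ssn IS NOT NULL").fetchall()
        for row_id, ssn in rows:
            resp = encrypt_call(base64.b64encode(ssn.encode()).decode())
            missing = REQUIRED - set(resp)
            if missing:
                raise ValueError(f"row {row_id}: no {sorted(missing)} in response")
            db.execute(
                "UPDATE patients SET ssn = NULL, ssn_ct = ?, ssn_key_id = ?,"
                " ssn_nonce = ? WHERE id = ?",
                (resp["ciphertext"], resp["key_id"], resp["nonce"], row_id))
    return len(rows)

def rows_needing_attention(db):
    """Rows still holding plaintext, or holding ciphertext that cannot be
    decrypted because its key_id or nonce was not stored."""
    return db.execute(
        "SELECT COUNT(*) FROM patients WHERE ssn IS NOT NULL OR (ssn_ct IS NOT"
        " NULL AND (ssn_key_id IS NULL OR ssn_nonce IS NULL))").fetchone()[0]

def demo():
    db = sqlite3.connect(":memory:")  # constructed sample table
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, ssn TEXT)")
    db.execute("INSERT INTO patients (ssn) VALUES ('123-45-6789')")
    db.commit()
    return migrate_ssn(db, offline_stand_in), rows_needing_attention(db)
```

Setting the column to NULL does not remove the old plaintext from earlier backups or from free pages in the database file; in SQLite, PRAGMA secure_delete and VACUUM address the latter.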
TECHNICAL DEEP DIVES

Go Deeper

🔑 KYBER
CRYSTALS-Kyber Key Encapsulation
H33 Storage uses Kyber+AES-256-GCM. Learn how ML-KEM protects data at rest against quantum attacks.
🗄️ KEY MGMT
Encryption Key Management
Zero-downtime key rotation, auto sensitivity classification, and lifecycle management for encrypted storage.
🛡️ THREATS
Harvest Now, Decrypt Later Protection
Data at rest is the #1 HNDL target. Post-quantum storage encryption ensures your archives stay encrypted forever.

Start Encrypting. Today.

Get your API key in seconds. Protect every byte at rest with post-quantum security on your free tier.

1,000 free units/month · 4 endpoints · <1ms encrypt · NIST Level 3
