KMS & PQC Key Management

Master PQC key management patterns: envelope encryption with ML-KEM, hybrid key wrapping, and cross-provider KMS strategies.

Post-quantum cryptography fundamentally changes how organizations manage keys. establishes that is a Key Encapsulation Mechanism only — it cannot sign. Similarly, is for signatures only — it cannot encapsulate. This strict algorithm separation replaces the dual-use nature of , which could both encrypt and sign.

“A KEM can only establish a shared secret, not directly encrypt arbitrary data. Applications that relied on RSA PKCS#1 v1.5 or RSA-OAEP for direct encryption must adopt an envelope encryption pattern when migrating to ML-KEM.”

— NIST SP 800-227, Recommendations for Key-Encapsulation Mechanisms

Classical: RSA Dual-Use

• RSA-OAEP: direct encryption of data/keys
• RSA-PSS: digital signatures
• One key pair serves both purposes
• Simple key inventory: 1 key pair per entity

PQC: Strict Separation

• ML-KEM: key encapsulation only (KEM)
• ML-DSA: digital signatures only
• Two key pairs per entity minimum
• Key inventory doubles during transition

Key Size Comparison

Algorithm	Public Key	Private Key	Sig / CT	Security
RSA-2048	256 B	1,192 B	256 B	Level 1 (classical)
RSA-3072	384 B	1,766 B	384 B	Level 1 (classical)
ECDSA P-256	65 B	32 B	64 B	Level 1 (classical)

ML-KEM-512	800 B	1,632 B	768 B	NIST Level 1
ML-KEM-768	1,184 B	2,400 B	1,088 B	NIST Level 3
ML-KEM-1024	1,568 B	3,168 B	1,568 B	NIST Level 5
ML-DSA-44	1,312 B	2,560 B	2,420 B	NIST Level 2
ML-DSA-65	1,952 B	4,032 B	3,309 B	NIST Level 3
ML-DSA-87	2,592 B	4,896 B	4,627 B	NIST Level 5

PQC keys are significantly larger than classical equivalents — 4–10× vs RSA baselines, and up to 40× vs ECDSA P-256 — impacting HSM storage, certificate sizes, and network bandwidth during key distribution.