QRNG Appliance Specifications
PERFORMANCE
The appliance delivers verified security grade quantum entropy at a rate of 300 Mb/s
- Entropy pool: 32 MiB base size. This is the guaranteed minimum the pool will maintain.
- Dynamic scaling: Under load the pool automatically grows (up to a 64 MiB ceiling) to keep latency low for small and medium requests.
- Continuous fresh entropy: New data is constantly appended from the card. The oldest data is trimmed when the buffer exceeds its current size, so clients are almost always served very recent entropy.
- Fast start / restart: A short high-speed burst on service start quickly brings the pool up to target fill.
- Maximum request size: 10 MiB per request (no artificial rate limits).
CRYPTOGRAPHY & SECURITY
- TLS key exchange: Hybrid post-quantum
X25519MLKEM768(PQC first) with cleanX25519fallback. - TLS version: TLS 1.3 only.
- Default certificates: Self-signed ECDSA P-256 (factory default).
- Upgrade path: Full support for real certificates via Let’s Encrypt or your own PKI.
- Firewall: Default-deny nftables. Production mode exposes only port 443.
- Management: Console-only after production lockdown. SSH is permanently removed.
- Compliance: Hardware meets NIST SP 800-90B. Post-quantum key exchange aligned with FIPS 203.
MANAGEMENT & OBSERVABILITY
- Configuration: Interactive
qrng-configconsole tool (all changes are audited). - Status dashboard:
/status— real-time pool fill, dynamic pool size, Dragonfly sysfs health, top clients by IP. - Health endpoint:
/health(JSON, ideal for load balancers and monitoring). - Metrics:
/metrics(Prometheus format). - Logging: Structured JSON logs + dedicated audit log for configuration changes.
- Log rotation: Automatic rotation for server, access, and audit logs.
API & INTEGRATION
The functional entropy endpoint lives under /api/v1/.
GET /api/v1/random
- Query parameter:
bytes=N - Range: 1 byte – 10 MiB
- Rate limiting: None
- Response: Raw binary data
curl -k https://{IP address}/api/v1 random?bytes=1048576 --output entropy.bin
Official Python client and advanced soak/repeatability tester (qrng-test.py) are available for download.
HARDWARE & PLATFORM
- Entropy source: Crypta Labs Dragonfly PCIe QRNG card (NIST SP 800-90B compliant)
- Form factor: 1U rackmount appliance (HP-style firewall hardware)
- Network: 4 x 2.5 Gigabit Ethernet ports
- Operating system: Alpine Linux (hardened, minimal attack surface)
- Entropy pool: Software buffer fed continuously by the card via DMA
ARCHITECTURE
- HTTPS service terminates TLS and reverse-proxies to a lightweight FastAPI backend running locally.
- The backend maintains an in-memory entropy pool that is continuously topped up from the Dragonfly card.
- The pool is designed to deliver the freshest possible entropy while keeping latency low under varying load.
- All administration after initial factory setup is performed via the physical console using the console app tool.
TESTING & VALIDATION
- Built-in advanced soak & repeatability tester
- Full Dragonfly sysfs health data exposed on the status page
- Structured logging for audit trails and debugging
- Designed for extended burn-in and statistical validation
- Top clients by IP and Prometheus counters for usage monitoring
DEPLOYMENT NOTES
- Ships with self-signed ECDSA P-256 certificates (factory mode)
- Full tooling available to switch to real certificates (Let’s Encrypt or customer PKI)
- Console-only management after production lockdown
- Prometheus + health endpoints ready for monitoring and orchestration
- Advanced soak tester included for validation and burn-in
