Security · 2026-05-10 · 5 min read

Drive Guard: Post-Quantum Full-Disk Encryption for Windows, macOS and Linux

Drive Guard protects BitLocker, FileVault and LUKS with ML-KEM-768. Keys are re-wrapped with post-quantum cryptography, without replacing existing hardware.

Full-disk encryption (FDE) is one of the most fundamental defenses against data loss and theft. BitLocker (Windows), FileVault (macOS) and LUKS (Linux) are industry standards — but all rely on RSA or elliptic curves to protect master keys.

PosQuantum's Drive Guard adds a post-quantum layer on top of these existing technologies. It doesn't replace BitLocker or FileVault — it complements them by encapsulating critical keys in ML-KEM-768 (Kyber768+X25519).

On Windows, Drive Guard intercepts the BitLocker PIN and recovery password and encapsulates them in Kyber768+X25519. This requires TPM 2.0. On macOS, it generates personal and institutional recovery keys and uses the Secure Enclave to store the PQ private key. On Linux, it uses LUKS2 tokens to associate PQ key slots, with a software TPM fallback.

The architecture is simple: the normal boot process continues to work, but each key slot now has a PQ-safe copy. If tomorrow a quantum computer can derive the RSA key from the TPM, the PQ copy remains secure.
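A defender's check for the Linux case above, as an added example that is not PosQuantum's code: it reads LUKS2 JSON metadata and lists the key slots that no PQ token references. The token type `example-pq-wrap` is a placeholder assumption, since the page does not name the type Drive Guard writes, and the sample metadata is constructed.

```python
import json

# Assumption: placeholder token type. The page does not name the real one.
PQ_TOKEN_TYPE = "example-pq-wrap"


def uncovered_keyslots(metadata: dict, token_type: str = PQ_TOKEN_TYPE) -> list[str]:
    """Return the key slot ids that no token of `token_type` references."""
    keyslots = set(metadata.get("keyslots", {}))
    covered = set()
    for token in metadata.get("tokens", {}).values():
        if token.get("type") != token_type:
            continue
        # A LUKS2 token lists the key slots it is bound to as strings.
        for slot in token.get("keyslots", []):
            if slot in keyslots:  # skip dangling references to removed slots
                covered.add(slot)
    return sorted(keyslots - covered, key=int)


# Constructed sample, trimmed to the fields used here. On a real system the
# JSON comes from: cryptsetup luksDump --dump-json-metadata <device>
SAMPLE = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2"},
    "1": {"type": "luks2"},
    "2": {"type": "luks2"}
  },
  "tokens": {
    "0": {"type": "example-pq-wrap", "keyslots": ["0"]},
    "1": {"type": "systemd-tpm2",    "keyslots": ["1"]},
    "2": {"type": "example-pq-wrap", "keyslots": ["5"]}
  }
}
""")

if __name__ == "__main__":
    missing = uncovered_keyslots(SAMPLE)
    if missing:
        print("key slots without a PQ token:", ", ".join(missing))
    else:
        print("every key slot has a PQ token")
```

Slot 1 is reported even though a TPM token covers it, because only tokens of the PQ type count as a PQ-safe copy.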

Drive Guard is the complement to Firmware Shield: while Firmware Shield protects boot, Drive Guard protects data. Both use the same PQSL library, ensuring cryptographic consistency across the entire stack.