Skip to content

In Practice

Crux VPN integrates with Arqit's SKA-Platform™ (SKA-P) to deliver quantum-safe preshared keys directly into the WireGuard protocol — enhancing security without requiring any change to WireGuard® itself.

In a typical deployment, two Crux-enabled endpoints — say, Alice and Bob — are both fully authenticated and provisioned with the SKA-P. When Alice wants to initiate a secure connection with Bob, Crux uses SKA to broker a shared symmetric key in the following way:

  1. Shared Secret via Confidential Channel Alice and Bob establish an initial shared secret using a traditional method (e.g. over TLS). This step does not need to be quantum-safe, as it only forms part of the eventual key derivation process.

  2. Alice Requests Intermediate Key from SKA-P Over her quantum-safe session with the SKA-P (established during her authentication), Alice sends a request including:

    • Her own ID (inferred from her auth token)
    • Bob’s ID (provided in the request payload)

    The SKA-P combines this with a root key from its HSM and returns an intermediate key to Alice.

  3. Bob Independently Requests the Same Intermediate Key Bob does the same — sending his ID (from his auth token) and Alice’s ID (explicitly). The platform returns the same intermediate key to Bob.

  4. Final Shared Key Derivation Both Alice and Bob hash the intermediate key together with their initial shared secret, producing the final symmetric key. Crucially, the SKA-P never sees this shared secret, creating a split-trust model where no single entity has enough information to reconstruct the key.

Integration with WireGuard®

Once Alice and Bob derive their final shared key, Crux injects this as the preshared key (PSK) in the WireGuard handshake. This adds an extra layer of security on top of WireGuard’s core Noise protocol — without modifying the underlying implementation.

  • The derived symmetric key is 256-bit, fully compatible with WireGuard’s optional PSK field.
  • Keys can be refreshed as frequently as needed, enabling short-lived, ratcheted sessions.
  • Because the PSK is injected securely at the control plane level, Crux avoids the pitfalls of static PSKs and sidesteps the need for certificate-based key exchange.
sequenceDiagram
    participant Alice as Alice<br/>(Crux VPN User)
    participant Bob as Bob<br/>(Crux VPN User)
    participant SKA as SKA-Platform™
    Alice-->>Bob: Establish shared secret (e.g. over TLS)
    Alice->>SKA: Request intermediate key (includes Alice's ID, Bob's ID)
    Note over Alice,SKA: Quantum-safe session
    activate SKA
    note right of SKA: Derive intermediate key from HSM key + IDs
    SKA->>-SKA: 
    SKA-->>Alice: Return intermediate key
    Bob->>SKA: Request intermediate key<br/>(includes Bob's ID, Alice's ID)
    Note over Bob,SKA: Quantum-safe session
    SKA-->>Bob: Return same intermediate key
    Note over Alice,Bob: Derive final symmetric key:<br/>Hash (intermediate key + shared secret)
    activate Alice
    note left of Alice: Inject symmetric key as PSK into WireGuard
    Alice->>-Alice: 
    activate Bob
    note right of Bob: Inject symmetric key as PSK into WireGuard
    Bob->>-Bob: 
    Note over Alice,Bob: WireGuard handshake proceeds using <br/> PSK-enhanced Noise protocol