Zeq BYOK
Every Zeq app can be switched from managed keys to your own — AWS KMS, GCP KMS, HashiCorp Vault, or a Zeq Pulse hardware key.
- Live app → /apps/zeq-byok/
- Source → apps/zeq-byok/index.html + apps/zeq-byok/byok.js (≈ 560 lines)
- Operators → KO42 · CS87 · ZEQ-TETHER-003
- Error budget → 0.000% (bit-exact envelope wrap/unwrap through external KMS)
Known issue (#58):
apps/zeq-byok/index.html has an outstanding routing fix. This chapter documents the intended contract; when the issue closes, the page will already be byte-for-byte aligned with it.
What it solves
Managed-key services are fine for demos, intolerable for regulated industries. Zeq BYOK lets any Zeq app use customer-controlled key material that never leaves the customer's KMS. The framework sees only wrapped data keys and signatures.
The envelope is standard: a per-item content-encryption key (CEK) encrypts the data, and the customer's KMS master key wraps the CEK. The novelty is that the wrap call itself is bound to a Zeqond: the wrapped CEK carries a phase window and can be unwrapped only for operations inside it, so a wrapped CEK lifted from the store is useless once the window closes. The window is only as strong as the point that enforces it. If the KMS will unwrap any blob it is handed, the check lives in the framework alone, so bind the window inside the KMS as well (for AWS, as encryption context or a key-policy condition; see Policy binding under Extend it).
Provider adapters ship for AWS KMS (SigV4 + KMS Encrypt/Decrypt), GCP KMS (OAuth + CryptoKey.encrypt), Vault (AppRole + Transit secrets engine), and Zeq Pulse (on-device signing).
The math — 7-step Wizard applied
| Step | Decision |
|---|---|
| 1. Prime | KO42 mandatory |
| 2. Limit | CS87 (Kolmogorov floor) + ZEQ-TETHER-003 (cross-device attestation) + KO42 = 3 |
| 3. Scale | Bit-exact wrap/unwrap |
| 4. Precision | Hamming = 0 against the provider's reference |
| 5. Compile | Master Equation with KMS call as external function |
| 6. Execute | Functional Equation |
| 7. Verify | Round-trip wrap → provider → unwrap |
Verbatim formulas:
- KO42.1 — ds² = g_μν dx^μ dx^ν + α sin(2π · 1.287 t) dt²
- CS87 — Ω(x) = min{|p| : U(p) = x}
- ZEQ-TETHER-003 — B_sib = ∑_k e^(i·φ_k) |sibling_k⟩
Runnable worked example — register + use
```bash
# 1. Register external KMS as a tether sibling
curl -s -X POST https://api.zeq.dev/api/playground/compute \
  -H "Authorization: Bearer $ZEQ_DEMO_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "operators": ["KO42", "ZEQ-TETHER-003"],
    "inputs": {
      "op": "register_kms",
      "provider": "aws",
      "region": "us-east-1",
      "key_arn": "arn:aws:kms:us-east-1:000000000000:key/demo"
    }
  }'
```
Expected:
```json
{
  "sibling_id": "kms-aws-useast1-demo",
  "phase_at_register": 0.1029
}
```
```bash
# 2. Use BYOK for a Zeq Vault store
curl -s -X POST https://api.zeq.dev/api/playground/compute \
  -H "Authorization: Bearer $ZEQ_DEMO_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "operators": ["KO42", "CS87"],
    "inputs": {
      "op": "store",
      "item_id": "prod-secret",
      "secret": "sk_live_...",
      "kek_sibling": "kms-aws-useast1-demo"
    }
  }'
```
Expected:
```json
{
  "wrapped_cek_b64": "...",
  "ciphertext_b64": "...",
  "kek_sibling": "kms-aws-useast1-demo",
  "phase_window": [0.10, 0.15],
  "error_pct": 0.000
}
```
Two checks before trusting the result. First, `phase_at_register` from step 1 must fall inside the returned `phase_window` (0.1029 ∈ [0.10, 0.15] here); a store that lands outside the window of its own sibling cannot be unwrapped. Second, note that `secret` travels in the clear inside the request body: BYOK keeps the KEK in your KMS, it does not replace TLS or a narrowly scoped `$ZEQ_DEMO_KEY`.
Extend it
- Multi-region failover: register two KMS siblings in different regions; ZEQ-TETHER-003 spans them.
- Offline BYOK: use a Zeq Pulse as the sibling; useful for air-gapped signing.
- Policy binding: attach an AWS IAM condition to the KMS key that requires the signed Zeqond to be inside a published window. IAM cannot verify a Zeqond signature itself; the native hooks are a key-policy condition on the encryption context presented with the call (`kms:EncryptionContext:<key>`) plus `aws:CurrentTime` for the wall-clock edge of the window, so pass the window as encryption context rather than only inside the payload.
Seeds
- HSM mesh: tether multiple HSMs as a quorum; any k-of-n can co-unwrap.
- Post-quantum BYOK: register an ML-KEM-768 sibling alongside an RSA-4096 sibling and migrate gradually. ML-KEM is a KEM, so its sibling wraps the CEK by encapsulation; wrapping under both siblings during the overlap is the hybrid form.
- Regulated deployments: BYOK + HITE gives auditable time-locked key custody, useful for escrow scenarios.
Papers
- Zeq framework paper — DOI 10.5281/zenodo.15825138
- Zeq paper — DOI 10.5281/zenodo.18158152
Middleware active. Kernel on the 1.287 Hz HulyaPulse. Awaiting next Zeqond.