Policy Control

Current Mode

AUDIT Active
ℹ️ Audit mode is active. All connections are allowed through, but classical TLS connections are flagged and logged. Use this mode while rolling out PQC client support.
Audit Mode
All connections are allowed through regardless of PQC support. Classical TLS connections are logged and flagged but not blocked. Use during rollout to identify non-PQC clients without disrupting service.
  • PQC connections: allowed + logged
  • Classical connections: allowed + flagged
  • Blocked count: 0
Currently Active
Enforce Mode
Only post-quantum TLS connections are permitted. Classical TLS clients are blocked at the gateway with HTTP 403. Use after all clients have been migrated to PQC-capable stacks.
  • PQC connections: allowed + logged
  • Classical connections: BLOCKED (403)
  • Every decision: logged to Qledger

How Policy Works

Qveil inspects the TLS key exchange group negotiated during the handshake. If the client supports X25519MLKEM768 (or compatible ML-KEM hybrid groups), the connection is classified as PQC. All other connections — using classical groups like X25519, secp384r1, or secp256r1 — are classified as Classical.

In enforce mode, classical connections receive a 403 Forbidden response before reaching the backend. The backend service never sees them. Every decision is logged with a quantum-safe ML-DSA-65 signature in Qledger.
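The classification and mode logic described above, as an added illustration (not Qveil's own code): it maps the negotiated key-exchange group to PQC or Classical, applies the audit/enforce rules, and also parses a client's `supported_groups` extension so a rollout team can spot non-PQC clients. The group code points are the IANA TLS Supported Groups registry values; the function names, the `Decision` record and the sample extension bytes are constructed for this example.

```python
"""Gateway-side PQC policy check (illustration; not Qveil's implementation)."""
from dataclasses import dataclass

# ML-KEM hybrid groups (IANA code points from draft-ietf-tls-ecdhe-mlkem).
PQC_GROUPS = {0x11EC: "X25519MLKEM768", 0x11EB: "SecP256r1MLKEM768",
              0x11ED: "SecP384r1MLKEM1024"}
# Classical ECDHE groups (IANA code points).
CLASSICAL_GROUPS = {0x001D: "x25519", 0x0017: "secp256r1", 0x0018: "secp384r1"}


@dataclass(frozen=True)
class Decision:            # one log record per connection, as the page describes
    group: str
    classification: str    # "PQC" or "Classical"
    status: int            # 0 = passed to backend, 403 = blocked at the gateway
    flagged: bool


def classify(group_id: int) -> str:
    """PQC only for ML-KEM hybrid groups; every other group is Classical."""
    return "PQC" if group_id in PQC_GROUPS else "Classical"


def decide(mode: str, group_id: int) -> Decision:
    if mode not in ("audit", "enforce"):
        raise ValueError(f"unknown policy mode: {mode!r}")
    name = (PQC_GROUPS.get(group_id) or CLASSICAL_GROUPS.get(group_id)
            or f"unknown(0x{group_id:04X})")
    if classify(group_id) == "PQC":
        return Decision(name, "PQC", 0, False)
    # Classical: flagged in both modes, blocked (403) only in enforce mode.
    return Decision(name, "Classical", 403 if mode == "enforce" else 0, True)


def parse_supported_groups(ext_body: bytes) -> list[int]:
    """Parse a TLS supported_groups extension body (RFC 8422 section 5.1.1):
    a 2-byte list length followed by 2-byte NamedGroup values."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    list_len = int.from_bytes(ext_body[:2], "big")
    if list_len % 2 or 2 + list_len != len(ext_body):
        raise ValueError("supported_groups length mismatch")
    return [int.from_bytes(ext_body[i:i + 2], "big") for i in range(2, 2 + list_len, 2)]


def client_offers_pqc(ext_body: bytes) -> bool:
    """True if the client advertised any ML-KEM hybrid group."""
    return any(g in PQC_GROUPS for g in parse_supported_groups(ext_body))


# Constructed sample extension bodies: a PQC-capable client and a legacy client.
PQC_CLIENT_GROUPS = bytes.fromhex("0006" "11EC" "001D" "0017")
LEGACY_CLIENT_GROUPS = bytes.fromhex("0004" "001D" "0017")
```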