The Quantum Entropy Appliance (QEA) is a server that comes equipped with Qrypt’s quantum random number generator cards. These cards continuously measure quantum phenomena to generate streams of truly random bytes.
The QEA can be installed on-prem, or in a data center, and it does not require any external network access. It exposes a REST API that can be called by clients in the same network to request arbitrary amounts of true random bytes.
The entropy generated by the QEA is continuously tested using the NIST SP800-22 entropy source validation test suite. If any of the tests fail, then that entropy source is cut off until its output passes tests again.
The appliance also includes an extensive set of hardware health monitors that shut down the entropy source at the card level in the event of any hardware failure or anomaly.
Due to the high overhead cost of making HTTP requests, the amount of entropy that can be retrieved from the API depends on how much entropy the client asks for with each request. In other words, it’s significantly faster to make 1 request for 512 keys than it is to make 512 requests for 1 key.
Max API throughput:
256-bit keys per request | Requests per second |
---|---|
512 | ~7,200 |
1 | ~12,000 |
Max Entropy card output: ~1,500 Mb/s
The QEA comes with Ubuntu Server v22.04 installed. Users will receive login credentials which they can use to perform any necessary admin tasks.
The QEA can be installed on-prem or in a data center rack. Once the appliance is connected to the network, the user must log in and configure its network interface (see the Ubuntu docs for a detailed guide on how to set up networking on Ubuntu Server).
The QEA listens for incoming requests on port 80.
The root path (“/”) returns a UI that displays various metrics and health reports. This UI can also be used to download application log files for troubleshooting purposes.
Client applications can request a configurable amount of entropy from the entropy API, which is served from the “/api/v1/” route. The complete spec for the API can be found below.
Upon opening the UI, you should see the following landing page:
Each QRNG card installed on the appliance will have its own entry in the table, sorted by card ID.
The current state of the card can be determined by a quick glance at the “Status” column. Possible states are as follows:
State | Explanation |
---|---|
Active | The card is healthy and streaming entropy. |
Pending | The card is in a temporary calibration state; this will resolve into either Active or Error. |
Error | The card is reporting an error; the error message can be found in the details section. |
Clicking on a card will expand the row and show more detail:
If the card is in an Error state, the number of errors and the error messages will be enumerated at the bottom of the details section.
If the card is Pending, a “Status Message” field will provide more information. This typically only happens on startup while the initial NIST test suite runs – upon success, the card will move into an Active state and begin streaming entropy.
Note that the badge in the “Status” section here is the same as in the card row entry.
At the bottom right of the UI, there is a link to download a compressed bundle of server logs:
Note that this may take up to 30 seconds depending on the size of the logfiles, so do not navigate away from the page while the collection is in progress. Logfile processing is indicated by the presence of an animated spinner.
To enable TLS on the appliance, replace the following two files with your own public and private certs, respectively:
Then, restart nginx for the new certs to take effect:
You can test this new configuration by running:
Note that these operations must be run with sudo privileges.
```yaml
openapi: 3.0.0
info:
  title: Entropy API Schema
  description: Entropy API Schema
  version: 1.0.0
paths:
  /api/v1/entropy:
    post:
      summary: Get entropy
      description: Returns blocks of quantum entropy.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                block_size:
                  type: integer
                  description: Size of each entropy block in bytes.
                  format: byte
                  minimum: 1
                  maximum: 1024
                block_count:
                  type: integer
                  description: Number of entropy blocks. Defaults to 1.
                  default: 1
                  minimum: 1
                  maximum: 512
      responses:
        '200':
          description: Entropy successfully generated.
          content:
            application/json:
              schema:
                type: object
                properties:
                  entropy:
                    type: array
                    items:
                      type: string
                      format: byte
                    description: Base64 encoded byte string representing the generated entropy.
                  extensions:
                    type: array
                    items:
                      type: object
                    description: Optional array of JSON objects representing extensions.
              example:
                entropy: ["dWLmTxePnl5l9bnwb1qAAQ==",
                          "DnDqtrbysUoRwr9Meko+ug==",
                          "b//8fWTqpGWOFwbNNcQORQ==",
                          "9LhJWGYXQjt7x8/V1QBarw=="]
                extensions: []
        '503':
          description: Entropy capability source unavailable.
  /api/v1/capabilities:
    get:
      summary: Retrieve Entropy Capabilities
      description: This endpoint retrieves the capabilities of the entropy source.
      responses:
        '200':
          description: Capabilities successfully retrieved.
          content:
            application/json:
              schema:
                type: object
                properties:
                  entropy:
                    type: object
                    properties:
                      min_block_size:
                        type: integer
                        description: Minimum block size in bytes.
                      max_block_size:
                        type: integer
                        description: Maximum block size in bytes.
                      min_block_count:
                        type: integer
                        description: Minimum block count.
                      max_block_count:
                        type: integer
                        description: Maximum block count.
                      entropy_types:
                        type: array
                        items:
                          type: string
                        description: Optional array of strings describing possible entropy source variations
                        example: ["quantum"]
                      extensions:
                        type: array
                        items:
                          type: object
                        description: Optional array of JSON objects representing extensions.
                  healthtest:
                    type: object
                    properties:
                      test_threshold:
                        type: array
                        items:
                          type: object
                          properties:
                            test_type:
                              type: string
                              description: Test performed, e.g., nist_90b, dieharder, vendor_test1, etc.
                            good:
                              type: number
                              format: float
                              description: Test value for good quality entropy range, e.g., 0.95.
                            warning:
                              type: number
                              format: float
                              description: Test value for low quality entropy range, e.g., 0.90.
                            error:
                              type: number
                              format: float
                              description: Test value for bad quality entropy range, e.g., 0.85.
                      extensions:
                        type: array
                        items:
                          type: object
                        description: Optional array of JSON objects representing extensions.
```
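
An added example (not Qrypt's code) of a client for the `/api/v1/entropy` route that follows the batching advice in the throughput section: it packs a key demand into the fewest requests the spec's limits allow, checks that every returned block decodes to the requested length, and fails closed on a 503. The function names, the 5-second timeout, and the 32-byte default (one 256-bit key per block) are assumptions of this example.

```python
# Added example; function names and defaults are assumptions, not Qrypt's API client.
import base64
import json
import urllib.error
import urllib.request

MAX_BLOCK_SIZE = 1024   # bytes per block (spec maximum on this page)
MAX_BLOCK_COUNT = 512   # blocks per request (spec maximum on this page)

class EntropyUnavailable(Exception):
    """HTTP 503 from the appliance: fail closed, never substitute a weaker RNG."""

def plan_requests(total_blocks, block_size):
    """Split a demand into the fewest request bodies the API limits allow."""
    if not 1 <= block_size <= MAX_BLOCK_SIZE or total_blocks < 1:
        raise ValueError("block_size must be 1..1024 and total_blocks >= 1")
    bodies = []
    while total_blocks > 0:
        count = min(total_blocks, MAX_BLOCK_COUNT)
        bodies.append({"block_size": block_size, "block_count": count})
        total_blocks -= count
    return bodies

def parse_entropy(raw, body):
    """Decode a 200 response body and check it matches the request."""
    blocks = [base64.b64decode(b, validate=True) for b in json.loads(raw)["entropy"]]
    if len(blocks) != body["block_count"]:
        raise ValueError("block count mismatch")
    if any(len(b) != body["block_size"] for b in blocks):
        raise ValueError("block size mismatch")
    return blocks

def http_post(url, body):
    """Default transport: POST JSON and map 503 to EntropyUnavailable."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 503:
            raise EntropyUnavailable("entropy source unavailable") from exc
        raise

def fetch_keys(base_url, total_blocks, block_size=32, post=http_post):
    """Return total_blocks blocks of block_size bytes using batched requests."""
    keys = []
    for body in plan_requests(total_blocks, block_size):
        keys.extend(parse_entropy(post(base_url + "/api/v1/entropy", body), body))
    return keys
```

Pass the appliance's `https://` address as `base_url` once TLS is enabled as described above; over port 80 the returned key material crosses the network in clear text.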
Specification | Details |
---|---|
Dimensions | 17" x 21.3" x 1.75" |
Processor | One Intel® Xeon® Processor E-2300 (Rocket Lake) Product Family; supports CPU TDP up to 95W |
System Memory | 2 channels DDR4 / 2 DPC UDIMM ECC, up to 3200 MT/s; total 4 memory slots, up to 128GB |
Drive Bays | 3.5": 1 (SATA); 2.5": 2 (1 x shared with 3.5"); M.2: 2 x M.2(NGFF)/M-Key/22110 |
Expansion Slots | 2 x PCIe Gen4 x8 slots; 1 x PCIe Gen3 x8 slot (with x4 link) |
On-board Devices | 6x SATA 6G ports (4x in miniSAS HD + 2x 7pin + 2x M.2); Aspeed AST2500 Advanced PCIe Graphics & Remote Management Processor; Baseboard Management Controller; Intelligent Platform Interface 2.0 (IPMI 2.0); iKVM, Media Redirection, IPMI over LAN, Serial over LAN; Intel® I350 AM4/AM2 co-design to support 2/4 x GbE (SKU option); Realtek RTL8211EL for BMC dedicated management port; 2D Video Graphic Adapter with PCIe bus interface |
Rear I/O | LAN: 3 x GbE RJ45 (2 x shared, 1 x dedicated); USB: 2 x USB 3.0 Type A; Graphic: Mini-display port (enabled with specified CPU); Serial Port: 1 x COM by 3.5mm audio jack |
Power Supply | 300W 1+1 redundant power supply 80+ Gold |
System Cooling | 3 x 40x56mm hot swap fans |