CipherPlate v3.4.1 — Product
The sidecar service that ZorblaxCorp ships to customers.
What it does
CipherPlate runs as a local sidecar (Docker, Podman, or raw binary) next to your application. Apps send cryptographic operations over a gRPC envelope; CipherPlate signs / verifies / encrypts / decrypts using the algorithm matched to the customer's threat model.
Algorithm matrix
| Algorithm | Use case | Mode | Status |
|---|---|---|---|
| FALCON-1024 | Code signing, software supply chain | post-quantum signature | GA |
| SPHINCS+ SHAKE-256 | Long-term archival signature | post-quantum signature | GA |
| ML-KEM-1024 | Session key exchange | post-quantum KEM | GA |
| Hybrid (X25519 + ML-KEM-1024) | TLS transition | classical + PQ | GA |
| RSA-4096 | Legacy interop only | classical | deprecated 2028-Q4 |
| ECDSA-P521 | Legacy interop only | classical | deprecated 2028-Q4 |
Performance envelope
Measured on Tier-3 reference hardware (8 vCPU, 16 GiB, Linux 6.10, x86_64):
- FALCON-1024 signature: 8.3 ms median, 13.7 ms p99
- ML-KEM-1024 encapsulation: 0.41 ms median, 0.78 ms p99
- SPHINCS+ signature: 192 ms median, 311 ms p99 (acknowledged tradeoff; reserved for archival)
Configuration
CipherPlate reads its policy from /etc/cipherplate/policy.yaml. Mandatory fields: tenant_id, threat_model (one of: commodity, nation_state_passive, nation_state_active), audit_sink.
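A pre-deployment lint for the policy file described above, as an added example that is not ZorblaxCorp code. It assumes the three mandatory fields are top-level scalar keys and that audit_sink accepts a file path; the sample tenant ID and the function names are constructed for illustration.

```python
# Added example: lint a CipherPlate policy before deploy (assumes top-level scalar keys).
import re

MANDATORY = ("tenant_id", "threat_model", "audit_sink")
THREAT_MODELS = {"commodity", "nation_state_passive", "nation_state_active"}
TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):(?:\s+(.*))?$")

def top_level_scalars(text):
    """Return ({key: value}, [duplicate keys]) for unindented `key: value` lines."""
    found, dupes = {}, []
    for raw in text.splitlines():
        # Skip blanks, comments, indented (nested) lines and list items.
        if not raw.strip() or raw[0] in " \t-#":
            continue
        m = TOP_LEVEL.match(raw.rstrip())
        if not m:
            continue
        key, value = m.group(1), (m.group(2) or "")
        value = re.sub(r"\s+#.*$", "", value).strip().strip("'\"")
        if key in found:
            dupes.append(key)  # YAML parsers disagree on duplicates; reject them
        found[key] = value
    return found, dupes

def lint_policy(text):
    """Return a list of problems; an empty list means the policy passes."""
    fields, dupes = top_level_scalars(text)
    problems = [f"duplicate key: {k}" for k in dupes]
    for name in MANDATORY:
        if not fields.get(name):
            problems.append(f"missing or empty mandatory field: {name}")
    tm = fields.get("threat_model")
    if tm and tm not in THREAT_MODELS:
        problems.append(f"threat_model {tm!r} is not one of {sorted(THREAT_MODELS)}")
    return problems

# Constructed sample policies (placeholder values, not real tenants).
GOOD = """\
tenant_id: example-tenant-0001
threat_model: nation_state_passive   # constructed value
audit_sink: /var/log/cipherplate/audit.jsonl
"""
BAD = """\
tenant_id: example-tenant-0001
threat_model: nation-state-passive
"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_policy(doc) or "ok")
```

Running the lint in CI and failing the build on a non-empty result catches a mistyped threat_model or a missing audit_sink before the sidecar starts.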
Facts
- Current GA version: 3.4.1 (released 2027-03-09)
- Default port: 4711 (configurable)
- Binary size: 41 MB stripped, 116 MB with debug symbols
- License: source-available under the ZorblaxCorp Cryptographic Source License (ZCSL) v1.2
- Audit log default destination: /var/log/cipherplate/audit.jsonl