Introducing the Librem PQC Encryptor

2 Likes

I can’t believe that no one is posting on new hardware/firmware/software developments in regards to quantum cryptography. It took me a while to comprehend the context of the article, but basically, it states that the Librem PQC Encryptor is used for encrypted communication, like the P2P or walkie-talkie type of technology found in the Librem 5’s/Liberty’s hardware/firmware/software. You’re going to need at least two compatible devices. Probably the same brand for both sender and recipient. Of course, if quantum encryption technology is compatible with Purism products (listing Librem PQC Encryptor, Librem Server, Librem Mini, Librem 14, Librem 11, Librem Liberty, Librem 5, and Librem 5 Refurbished) or any other Linux/BSD OS variants (including those with GNU/Linux and GNU/Linux-libre kernels), that would be great news.

I would like to see a test run of these devices in terms of capability. We can see the performance done with the Librem 5 at the URL address Quantum Safe Communication with Purism – Purism. That said, the countermeasure against quantum decryption seems to focus on data mining at an ISP level, but I could be wrong. According to the article, it seems that quantum decryption can be done by man-in-the-middle and evil maid cyber-attacks.

I doubt that PGP/OpenPGP/GnuPG alone could help circumvent quantum MITM+decryption, but that’s where the quantum technologies come in as a quantum version of SSL CA/certificates and the HTTPS protocol.

As for evil maid cyber-attacks, the risk takes on a greater scale due to exposure. If hardware can be replaced, quantum decryption may not be required to hack into the OS inactive state or user accounts. I tried 2FA/MFA encryption on an OS partition/volume, but failed to get the registry working on the 2FA/MFA prompt. The software was in alpha version anyway. Reference material: https://forums.puri.sm/t/software-question-mfa-encryption-of-external-internal-storage-media-device-s/28280/3

Back on quantum-based data mining and decryption, I think that any password/LUKS encryption will eventually be hacked, given the knowledge and use of the authentication software. It’s probably better if the quantum encrypted data is stored in a container, which would self-terminate or delete the contained data upon repeated authentication failure. Of course, a data container is, in essence, a possible trojan horse malware scenario. It’s best if there is a way to prevent data mining in the first place, but that is a far-fetched plan.

Quantum technology doesn’t have to stay in the role of decryption. Its potential is vast. One day, there might be quantum-based cracking, fork bombs (DoS variant), trojans, rootkits, computer worms, bots, spam, spoofing, DDoS, etc. I dare say that quantum-based doxxing and unauthorized MAV/SUAV surveillance (authorized MAV/SUAV security cameras/alarms might be the exception) might even be possible. I almost forgot to mention GNUBoot as a free firmware possibility in case PureBoot should run into a brick wall. Quantum cyber-security may have future conflicts with quantum cyber-attacks/crimes.

2 Likes

Why would Purism work with government agencies on quantum encryption issues, as the article says? I can see governments saying things such as “Good catch Purism, we would have never thought of that. Of course, now we’re going to have to pass a law that when you implement this feature, government agencies are given back door access to this specific lockout. You don’t actually expect to lock us out too, do you?”.

Wouldn’t it just be better to put quantum lockouts deep into the source code and not be very specific about where in the code they are, and how they work? I can see that it would be advantageous for Purism’s bottom line financially to work with various governments and, if they do well enough, Purism might earn some lucrative government contracts. But who does Purism really work for? What are Purism’s loyalties? Aren’t they better off working at arm’s length with governments and keeping the advantage well seated in the open-source community?

I can see the government cryptography people calling Purism and the calls going something like this: call 1: “… oh, you’re a cryptographer with the Department of Homeland Security. That’s outside of my area of expertise. Let me put you right through to someone who can help you.” Call 2: “… oh, all you get is a voice mail when you call our cryptographer. Have you tried leaving a message? … you have, several times. I’ll try to reach him myself for you. Oh, you know, he will be out on vacation until next April. But we’ll have him call you when he returns.” Call 10: “yes, yes we did get the subpoena and the gag order”. WARRANT CANARY.

1 Like

In terms of quantum decryption, it is most likely for foreign policies. However, if there are severe domestic issues, then the judicial branch may benefit from either quantum encryption or decryption. Then again, the article mentions corporations that may threaten software freedom and privacy.

It would not be fair to point out the government as the main culprit behind the scenes, pulling the strings. However, political tumults are made by usurpers and tyrants that self-justify their means.

Let us remember that quantum technology is a tool, guided by the hand, led by the mind. I get that Purism might be in cahoots with government entities, but to which degree of endangerment/trespassing/self-victimization? The actor could have been an individual, a group, or the entire corporation. Then we would have to determine intent and motive, as well as imminent lawless action, imminent peril, culpability, and recklessness. Once again, the goals of Purism are to uphold the constitutionality of software freedom. Should there be a violation against the constitution and the freedoms it stands for, we would know it’s going to be a scenario like the Magna Carta, divine right, and unrest.

I don’t think that Purism should be anti-government if the constitutionality of its rule is still respected. It’s not like it should outright judge and penalize without impartiality and deliberation. Instead it should understand and act with its given/shared social rights as liberties. That said, THERE ARE SOME GOVERNMENT ACTIONS WITH PURISM.

As you can see from the warrant canary page, there are quarterly reports. Even then, we wouldn’t really know about any subpoenas. It is somewhat futile to consider a divide between entities. One thing is for certain, the golden rule would apply.

1 Like

Let’s say that you are talking about the US government. I can easily imagine that the US government balances two competing priorities … the cost to the government of not being able to store-and-future-decrypt traffic sent between these appliances v. the cost to the government of foreign governments being able to store-and-future-decrypt non-government traffic sent using conventional future-vulnerable encryption.

I can easily further imagine that the US government would judge right now that the balance is in favour of letting Purism go for it, perhaps provided that there are export controls (yes, we’ve been down this road before).

As the whole “future decrypt” thing is quite some way off (based on publicly available info anyway), I don’t see that most three letter agencies are really disadvantaged by these appliances today i.e. today without the target using these appliances, they can’t snoop and today with the target using these appliances, they can’t snoop.

Make a guess as to how many years before a QC can actually break conventional encryption and then ask how relevant the information will be that many years down the track. Yes, there are times when the information still has value (e.g. national security contexts) - but there are times when the information no longer has value.

As a simple example of the information no longer having value … any password transmitted in plain text on a conventionally-encrypted channel that is in future a decrypted channel is a vulnerable password. If that password is exposed 5 years from now but local security policy requires every user to use a new system-generated random password each year then the exposed password has almost no value.

On the other hand, of course, if the password was never changed in those 5 years then the account is now pwned!

1 Like

How much weight should be put into the fact that most of us are just average people? I don’t like being spied on. But if someone spends any effort into hacking me, there’s not much there to get. I don’t work for the government or have any major secrets. As long as they can’t get into my bank accounts, no big losses. So the point is, how hard are they going to work to hack me?

1 Like

As an aside, remember that no amount of traffic encryption is worth much if your endpoint is not secure. Hacking the endpoint is at least as desirable as snooping the traffic and then decrypting it, probably more so. I would imagine that the average forum participant here takes more care over endpoint security than the average person and it likewise occupies Purism’s thinking more than the average IT supplier.

If getting into your bank accounts would mean a big loss for you then I guarantee you that there are many parties around the world who would be interested in hacking you. Maybe not your government. They can just freeze and/or drain your bank accounts anyway. Maybe not any other government. They have no obvious need for your money. Well, except North Korea. :wink:

It is worth contemplating how some kind of scam social engineering attack would be enhanced if the attacker were able to read all your communications beforehand. But today your garden variety scammers aren’t armed with a Mbit QC.

1 Like

Obviously, everyone is vulnerable to, and wants to protect against, bank account hacks. But other than that, the average person has little to lose if hacked. So if your bank accounts are safe, you’re good. What else do people want to get from us that Google hasn’t already taken from us?

1 Like

That depends what Google has already taken from you. I work hard to limit that. Some work harder still. Many in the wider public don’t care at all.

Noting though

It is worth contemplating how some kind of scam social engineering attack would be enhanced if the attacker were able to read all your communications beforehand.

You have to ask then … is everything that Google has taken available for sale at an economically viable price?

Maybe not everything is for sale. Maybe it is available for sale but at a price that would make the scam uneconomic.


I have the feeling though that the target market for the Librem PQC Encryptor is corporate and government, not the likes of you and me - and those players have bigger considerations than just whether their genitals are doing the rounds of the internet, metaphorically speaking.

1 Like

How much would a unit retail for on the base model? My friend’s team does not currently have a domain for their email, but is interested in the PQC Encryptor.

1 Like

Contact Purism.

1 Like

You will unfortunately, as @FranklyFlawless says, have to contact Purism to ask. I think you will need to buy (at least) 2 units as well and an Admin Server.

I personally don’t like pricing like that (i.e. contact for price) but I have exactly zero chance of having a 10 Gbit/sec internet connection anyway - and no second site that I would want to communicate with. (Where I work would be a more realistic use case i.e. multiple sites around the country, tunneling internal traffic over network links that we don’t control, encrypted of course, but potentially store-now-break-later. However even those links are well short of 10 Gbit/sec.)

3 Likes