Throughout Safety Week 2025, we launched the trade’s first cloud-native post-quantum Safe Internet Gateway (SWG) and Zero Belief resolution, a significant step in direction of securing enterprise community visitors despatched from finish consumer units to private and non-private networks.
However that is solely a part of the equation. To really safe the way forward for enterprise networking, you want an entire Safe Entry Service Edge (SASE).
At the moment, we full the equation: Cloudflare One is the primary SASE platform to help trendy standards-compliant post-quantum (PQ) encryption in our Safe Internet Gateway, and throughout Zero Belief and Broad Space Community (WAN) use circumstances. Extra particularly, Cloudflare One now provides post-quantum hybrid ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) throughout all main on-ramps and off-ramps.
To finish the equation, we added help for post-quantum encryption to our Cloudflare IPsec (our cloud-native WAN-as-a-Service) and Cloudflare One Equipment (our bodily or digital WAN equipment that set up Cloudflare IPsec connections). Cloudflare IPsec makes use of the IPsec protocol to determine encrypted tunnels from a buyer’s community to Cloudflare’s international community, whereas IP Anycast is used to routinely route that tunnel to the closest Cloudflare information heart. Cloudflare IPsec simplifies configuration and supplies excessive availability; if a particular information heart turns into unavailable, visitors is routinely rerouted to the closest wholesome information heart. Cloudflare IPsec runs on the scale of our international community, and helps site-to-site throughout a WAN in addition to outbound connections to the Web.
The Cloudflare One Equipment improve is mostly out there as of equipment model 2026.2.0. The Cloudflare IPsec improve is in closed beta, and you may request entry by including your title to our closed beta listing.
Submit-quantum cryptography issues now
Quantum threats should not a “next decade” downside. Right here is why our clients are prioritizing post-quantum cryptography (PQC) right now:
The deadline is approaching. On the finish of 2024, the Nationwide Institute of Requirements and Expertise (NIST) despatched a clear sign (that has been echoed by different businesses): the period of classical public-key cryptography is coming to an finish. NIST set a 2030 deadline for depreciating RSA and Elliptic Curve Cryptography (ECC) and transitioning to PQC that can not be damaged by highly effective quantum computer systems. Organizations that have not begun their migration danger being out of compliance and weak because the deadline nears.
Upgrades have traditionally been difficult. Whereas 2030 may appear distant, upgrading cryptographic algorithms is notoriously tough. Historical past has proven us that depreciating cryptography can take many years: we discovered examples of MD5 inflicting issues 20 years after it was deprecated. This lack of crypto agility — the flexibility to simply swap out cryptographic algorithms — is a significant bottleneck. By integrating PQ encryption instantly into Cloudflare One, our SASE platform, we offer built-in crypto agility, simplifying how organizations supply distant entry and site-to-site connectivity.
Information might already be in danger. Lastly, “Harvest Now, Decrypt Later” is a gift and chronic risk, the place attackers harvest delicate community visitors right now after which retailer it till quantum computer systems grow to be highly effective sufficient to decrypt it. In case your information has a shelf lifetime of various years (e.g. monetary info, well being information, state secrets and techniques) it’s already in danger until it’s protected by PQ encryption.
The 2 migrations on the highway to quantum security: key settlement and digital signatures
Transitioning community visitors to post-quantum cryptography (PQC) requires an overhaul of two cryptographic primitives: key settlement and digital signatures.
Migration 1: Key institution. Key settlement permits two events to determine a shared secret over an insecure channel; the shared secret is then used to encrypt community visitors, leading to post-quantum encryption. The trade has largely converged on ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) as the usual PQ key settlement protocol.
ML-KEM has been broadly adopted to be used in TLS, normally deployed alongside classical Elliptic Curve Diffie Hellman (ECDHE), the place the important thing used to encrypt community visitors is derived by mixing the outputs of the ML-KEM and ECDHE key agreements. (That is also called “hybrid ML-KEM”). Effectively over 60% of human-generated TLS visitors to Cloudflare’s community is at the moment protected with hybrid ML-KEM. The transition to hybrid ML-KEM has been profitable as a result of it:
As a result of ML-KEM runs in parallel with classical ECDHE, there isn’t a discount in safety and compliance as in comparison with the classical ECDHE strategy.
Migration 2: Digital signatures. In the meantime, digital signatures and certificates shield authenticity, stopping lively adversaries from impersonating the server to the shopper. Sadly, PQ signatures are at the moment bigger in measurement than classical ECC algorithms, which has slowed their adoption. Happily, the migration to PQ signatures is much less pressing, as a result of PQ signatures are designed to cease lively adversaries armed with highly effective quantum computer systems, which aren’t identified to exist but. Thus, whereas Cloudflare is actively contributing to the standardization and rollout of PQ digital signatures, the present Cloudflare IPsec improve focuses on upgrading key institution to hybrid ML-KEM.
The U.S. Cybersecurity & Infrastructure Safety Company (CISA) acknowledged the character of those two migrations in its January 2026 publication, “Product Categories for Technologies That Use Post-Quantum Cryptography Standards.”
Breaking new floor with IPsec
To realize a SASE absolutely protected with post-quantum encryption, we’ve upgraded our Cloudflare IPsec merchandise to help hybrid ML-KEM within the IPsec protocol.
The IPsec neighborhood’s journey towards post-quantum cryptography has been very completely different from that of TLS. TLS is the de facto normal for encrypting public Web visitors at Layer 4 — e.g. from a browser to a content material supply community (CDN) — so safety and vendor interoperability are on the forefront of its design. In the meantime, IPsec is a Layer 3 protocol that generally connects units constructed by the identical vendor (e.g. two routers), so interoperability has traditionally been much less of a priority. With this in thoughts, let’s check out IPsec’s journey into the quantum future.
Pre-Shared Keys? Quantum key distribution?
RFC 8784, revealed in Could 2020, was meant to be the post-quantum replace to IPsec Web Key Alternate v2 (IKEv2), which is used to determine the symmetric keys used to encrypt IPsec community visitors. RFC 8784 implies the usage of both long-lived pre-shared keys (PSK) or quantum key distribution (QKD). Neither of those approaches are very palatable.
RFC 8784 proposes mixing a PSK with a key derived from Diffie Hellman Alternate (DHE), primarily operating PSK in hybrid with DHE. This strategy protects towards harvest-now-decrypt-later attackers, however doesn’t supply ahead secrecy towards quantum adversaries.
Ahead secrecy is a typical desideratum of key settlement protocols. It ensures {that a} system is safe even when the long-lived secret’s leaked. The PSK strategy in RFC 8784 is weak to an harvest-now-decrypt-later adversary that additionally obtains a replica of a long-lived PSK, and may then decrypt visitors sooner or later (by breaking the DHE key settlement) as soon as highly effective quantum computer systems grow to be out there.
To resolve this ahead secrecy problem, RFC 8784 can as an alternative be used to combine the important thing from the classical DHE with a freshly generated key derived from a QKD protocol.
QKD makes use of quantum mechanics to determine a shared, secret cryptographic key between two events. Importantly, for QKD to work, the events will need to have specialised {hardware} or be linked by a devoted bodily connection. This can be a important limitation, rendering QKD ineffective for frequent Web use circumstances like connecting a laptop computer to a distant server over Wi-Fi. These limitations are additionally why we by no means invested in deploying QKD for Cloudflare IPsec. The U.S. Nationwide Safety Company (NSA), Germany’s BSI and the UK Nationwide Cyber Safety Centre have additionally warned towards relying solely on QKD.
However what about interoperability?
RFC 9370 landed in Could 2023, specifying the usage of hybrid key settlement relatively than PSK or QKD. However in contrast to TLS, which solely helps utilizing post-quantum ML-KEM in parallel with classical DHE, this IPsec normal permits utilizing as much as seven completely different key agreements to run on the similar time in parallel with classical Diffie Helman. Furthermore, it does not specify particulars about what these key agreements must be, leaving it as much as the distributors to decide on their algorithms and implementations. Palo Alto Networks, for instance, took this severely and constructed help for over seven completely different PQC ciphersuites into its subsequent technology firewall (NGFW), most of which don’t interoperate with different distributors and a few of which haven’t but been standardized by NIST.
Through the years, TLS has gone in the wrong way, lowering the variety of registered ciphersuites from tons of in TLS 1.2, right down to round 5 in TLS 1.3. This philosophy of lowering “ciphersuite bloat” can also be in keeping with NIST’s SP 800 52 from 2019. The rationale for lowering “ciphersuite bloat” consists of:
Improved interoperability throughout distributors and areas
Decrease danger of assaults that exploit downgrades to weak ciphersuites
Decrease danger of safety issues resulting from misconfiguration
Decrease danger of implementation flaws by lowering the dimensions of the codebase
This is the reason we didn’t initially construct help for RFC 9370.
Requirements which might be lastly heading in the right direction
It’s additionally why we had been excited when the IPsec neighborhood put forth draft-ietf-ipsecme-ikev2-mlkem. This Web-Draft standardizes PQ change for IPsec in the identical method PQ key change has been broadly deployed for TLS: hybrid ML-KEM. The brand new draft fills within the gaps in RFC 9370, by specifying run the ML-KEM as the extra key change in parallel with classical Diffie Hellman in IKEv2.
Now that this specification is accessible, we’ve moved ahead with supporting post-quantum IPsec in our Cloudflare IPsec merchandise.
Cloudflare IPsec goes post-quantum
Cloudflare IPsec is a WAN Community-as-a-Service resolution that replaces legacy non-public community architectures by connecting information facilities, department workplaces, and cloud VPCs to Cloudflare’s international IP Anycast community.
With Cloudflare IPsec, Cloudflare’s community acts because the IKEv2 Responder, awaiting connection requests from an IPsec initiator, which is a department connector gadget within the buyer’s community. Cloudflare IPsec helps IPsec periods initiated by department connectors that embody our personal Cloudflare One Equipment, together with department connectors from a various set of distributors, together with Cisco, Juniper, Palo Alto Networks, Fortinet, Aruba and others.
We’ve applied manufacturing hybrid ML-KEM help within the Cloudflare IPsec IKEv2 Responder, as laid out in draft-ietf-ipsecme-ikev2-mlkem. The draft requires a primary key change to run utilizing a classical Diffie Helman key change. The derived secret’s used to encrypt a second key change that’s run utilizing ML-KEM. Lastly, the keys derived by the 2 exchanges are blended and the result’s used to safe the information aircraft visitors in IPsec ESP (Encapsulating Safety Payload) mode. ESP mode makes use of symmetric cryptography and is thus already quantum protected with none extra upgrades. We’ve examined our implementation towards the IPsec Initiator within the strongswan reference implementation.
You possibly can see the ciphersuite used within the IKEv2 negotiation by viewing the Cloudflare IPsec logs.
We selected to implement hybrid ML-KEM relatively than “pure” ML-KEM, i.e. solely ML-KEM with out DHE operating in parallel, for 2 causes. First, we’ve used hybrid ML-KEM throughout all of our different Cloudflare merchandise, since that is the strategy adopted throughout the TLS neighborhood. And second, it supplies a “belt-and-suspenders” safety: ML-KEM supplies safety towards quantum harvest-now-decrypt-later assaults, whereas DHE supplies a tried-and-true algorithm towards non-quantum adversaries.
An invite for interoperability
The complete worth of this implementation might be realized solely through interoperability. For that reason, we’re inviting different distributors which might be constructing out help for IPsec Initiators of their department connectors per draft-ietf-ipsecme-ikev2-mlkem to check towards our Cloudflare IPsec implementation. Cloudflare clients trying to take a look at out interoperability with third-party department connectors whereas we’re in closed beta can join right here. We plan to GA and construct out interoperability with different distributors as extra start to return on-line with help for draft-ietf-ipsecme-ikev2-mlkem.
Quantum-safe {hardware}: the Cloudflare One Equipment
Lots of our clients buy their department connector ({hardware} or virtualized) from Cloudflare, relatively than a third-party vendor. That’s why the Cloudflare One Equipment — our plug-and-play equipment that connects your native community to Cloudflare One — has additionally been upgraded with post-quantum encryption.
Cloudflare One Equipment doesn’t use IKEv2 for key settlement or session institution, opting as an alternative to depend on TLS. The equipment periodically initiates a TLS handshake with the Cloudflare edge, shares a symmetric secret over the ensuing TLS connection, then injects that symmetric secret into the ESP layer of IPsec, which then encrypts and authenticates the IPsec information aircraft visitors. This design allowed us to keep away from constructing out IKEv2 Initiator logic, and makes the Connector simpler to keep up utilizing our present TLS libraries.
Thus, upgrading Cloudflare One Equipment to PQ encryption was only a matter of upgrading TLS 1.2 to TLS 1.3 with hybrid ML-KEM — one thing we’ve finished many instances on completely different merchandise at Cloudflare.
How do I flip this on? And what does it value?
As all the time, this improve to Cloudflare IPsec comes at no additional value to our clients. As a result of we imagine {that a} safe and personal Web must be accessible to all, we’re on a mission to incorporate PQC in all our merchandise, with out specialised {hardware}, at no additional value to our clients and finish customers.
Clients utilizing the Cloudflare One Equipment obtained this improve to PQC in model 2026.2.0 (launched 2026-02-11). The improve is pushed routinely (with no buyer motion required) in response to every equipment’s configured interrupt window.
For purchasers utilizing Cloudflare IPsec with one other vendor’s department connector equipment, we shall be interoperating with these as soon as extra help for draft-ietf-ipsecme-ikev2-mlkem comes on-line. You may as well contact us on to get entry to closed beta and request that we interoperate with a particular vendor’s department connector.
The complete image: post-quantum SASE
The worth proposition for a post-quantum SASE is evident: organizations can get hold of instant end-to-end safety for his or her non-public community visitors by sending it over tunnels protected by hybrid ML-KEM. This protects visitors from harvest-now-decrypt-later assaults, even when the person functions within the company community should not but upgraded to PQC.
The diagram above exhibits how post-quantum hybrid ML-KEM is obtainable in numerous Cloudflare One community configurations. It consists of the next on-ramps:
and the next off-ramps:
The diagram beneath highlights a pattern community configuration that makes use of the Cloudflare One Shopper on-ramp to attach a tool to a server behind a Cloudflare One Equipment offramp. The top consumer’s gadget connects to the Cloudflare community (hyperlink 1) utilizing MASQUE with hybrid ML-KEM. The visitors then travels throughout Cloudflare’s international community over TLS 1.3 with hybrid ML-KEM (hyperlink 2). Site visitors then leaves the Cloudflare community over a post-quantum Cloudflare IPsec hyperlink (hyperlink 3) that’s terminated at a Cloudflare One Equipment equipment. Lastly it connects to a server contained in the buyer’s atmosphere. Site visitors is protected by post-quantum cryptography because it travels over the general public Web, even when the server itself doesn’t help post-quantum cryptography.
Lastly, we observe that visitors that on-ramps to Cloudflare One after which egresses to the general public Web will also be protected by our post-quantum Cloudflare Gateway, our Safe Internet Gateway (SWG). Right here’s a diagram exhibiting how the SWG works:
As mentioned in an earlier weblog publish, our SWG can already help hybrid ML-KEM on visitors from SWG to the origin server (so long as the origin helps hybrid ML-KEM), and on visitors from the shopper to the SWG (if the shopper helps hybrid ML-KEM, which is the case for many trendy browsers). Importantly, any visitors that onramps to the SWG through a tool that has Cloudflare One Shopper put in continues to be protected with hybrid ML-KEM — even when the online browser itself doesn’t but help post-quantum cryptography. That is because of the post-quantum MASQUE tunnel that the Cloudflare One Shopper establishes to Cloudflare’s international community. The identical is true of visitors that onramps to the SWG through a post-quantum Cloudflare IPsec tunnel.
Placing all of it collectively, Cloudflare One now provides post-quantum encryption on our TLS, MASQUE and IPsec on-ramp and off-ramps, and for personal community visitors, and to visitors that egresses to the general public Web through our SWG.
The longer term is quantum-safe
By finishing the post-quantum SASE equation with Cloudflare IPsec and the Cloudflare One Equipment, we’ve prolonged post-quantum encryption throughout all our main on-ramps and off-ramps. We’ve got deliberately chosen the trail of interoperability and ease — the hybrid ML-KEM strategy that the IETF and NIST have championed, relatively than locking our clients into proprietary implementations, “ciphersuite bloat,” or pointless {hardware} upgrades.
That is the promise of Cloudflare One: a SASE platform that’s not solely quicker and extra dependable than the legacy architectures it replaces, however one that gives post-quantum encryption. Whether or not you’re securing a distant employee’s browser or a multi-gigabit information heart hyperlink, now you can accomplish that with the arrogance that your information is protected against harvest-now-decrypt-later assaults and different future-looking threats.
Join right here to get a full demo of our post-quantum capabilities throughout the Cloudflare One SASE platform, or register right here to get on the listing for the Cloudflare IPsec closed beta. We’re proud to steer the trade into this new period of cryptography, and we invite you to affix us in constructing a scalable, standards-compliant, and post-quantum Web.
