Post-quantum encryption for Cloudflare IPsec is generally available
Cloudflare has made post-quantum encryption generally available for its IPsec service to protect against future quantum computing threats. The implementation uses the hybrid ML-KEM (FIPS 203) standard and is interoperable with hardware from vendors like Cisco and Fortinet. This advancement helps secure site-to-site networking against harvest-now-decrypt-later attacks as the industry moves toward standardized, scalable post-quantum cryptography.
- Cloudflare has accelerated its target for full post-quantum security to 2029 due to advances in quantum computing.
- Post-quantum encryption in Cloudflare IPsec uses hybrid ML-KEM (FIPS 203) as defined in draft-ietf-ipsecme-ikev2-mlkem.
- The solution is interoperable with Cisco 8000 Series Secure Routers (version 26.1.1+) and Fortinet FortiOS 7.6.6+.
- Hybrid ML-KEM combines classical Diffie-Hellman with post-quantum key exchange to secure IPsec tunnels.
- Cloudflare IPsec connects data centers, branch offices, and cloud VPCs via encrypted tunnels on Cloudflare's global Anycast network.
Opening excerpt (first ~120 words)
2026-04-30, Sharon Goldberg, Amos Paul, 4 min read

While more than two-thirds of human-generated TLS traffic to Cloudflare is already protected by post-quantum cryptography, the world of site-to-site networking has been a different story. For years, the IPsec community remained caught between the high bar of Internet-scale interoperability and the niche requirements of specialized hardware. That gap is now closing. Earlier this month, we announced that Cloudflare has moved its target for full post-quantum security forward to 2029, spurred by several recent advances in quantum computing.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Cloudflare Blog.