Cloudflare Launches Post-Quantum Encryption for IPsec to Thwart Future Quantum Attacks

By

Breaking: Cloudflare Makes Post-Quantum IPsec Encryption Generally Available

Cloudflare announced today the general availability of post-quantum encryption for its IPsec service, a move that lets enterprises shield wide-area networks against harvest-now-decrypt-later attacks using existing hardware. The new encryption, based on the hybrid ML-KEM standard (FIPS 203), has been tested successfully with branch connectors from Fortinet and Cisco.

“This is a critical step to protect network traffic against the looming threat of quantum computers breaking current encryption,” said a Cloudflare spokesperson. “Organizations can now deploy post-quantum security without replacing their hardware.”

The announcement comes as quantum computing advances accelerate, prompting Cloudflare to move its target for full post-quantum security to 2029. The company notes that while TLS traffic is already largely protected, IPsec has lagged due to interoperability challenges.

Background: The Long Road to Post-Quantum IPsec

IPsec has been the backbone of site-to-site networking for decades, but implementing post-quantum cryptography proved far more complex than for TLS. The IPsec community had to balance Internet-scale interoperability with the constraints of specialized hardware.

“It took four years longer to land the hybrid handshake for IPsec than for TLS,” a Cloudflare engineer explained. “But now the industry is finally consolidating around a standard that works at scale.”

The new draft, draft-ietf-ipsecme-ikev2-mlkem, combines classical Diffie-Hellman with ML-KEM to ensure security even if one is broken. ML-KEM is software-based and requires no special hardware.

What This Means for Enterprise Networks

Harvest-now-decrypt-later attacks are a growing concern as Q-Day—the day quantum computers can crack public-key cryptography—approaches faster than predicted. With this launch, organizations can start encrypting their WAN traffic today to prevent adversaries from harvesting data for future decryption.

“Cloudflare IPsec customers can now enable post-quantum protection with no downtime or hardware upgrades,” said the spokesperson. “It’s a plug-and-play defense against tomorrow’s threats.”

The service is available immediately for all Cloudflare IPsec users. The company recommends testing on non-critical tunnels first, given the larger handshake size.

Key Benefits at a Glance

• Future-proof security: Hybrid ML-KEM protects against both current and quantum attacks.
• Hardware compatibility: Works with existing Cisco, Fortinet, and other branch connectors.
• No infrastructure change: Software-based algorithm runs on standard processors.

For more details, visit the official announcement.

Related Articles

• The Compact Smartphone Is Officially Dead: Galaxy S26 Proves We’ve Given Up on One-Handed Use
• US-Sanctioned Crypto Exchange Grinex Halts Operations After $15 Million Hack Blamed on 'Unfriendly States'
• A Step-by-Step Guide to Betting on Hantavirus Outbreaks via Prediction Markets
• AI Arms Race Drives Big Tech Capex to Record Highs: Amazon, Microsoft, Google Reveal Hundreds of Billions in Spending
• Understanding ANSI Escape Code Standards: A Q&A Guide
• 10 Critical Facts About the FakeWallet Crypto Stealer Infiltrating Apple's App Store
• 10 Key Insights into Gnosis DAO’s Treasury Redemption Vote and the Whale vs. Founder Showdown
• Everything You Need to Know About GitHub Copilot's Shift to Usage-Based Billing