Cloudflare One adds post-quantum encryption across entire SASE platform
Cloudflare · feature, security, platform, api · blog.cloudflare.com

Post-Quantum Encryption Now Available Across Cloudflare One

Cloudflare has announced that its Cloudflare One platform is the first SASE offering to support modern standards-compliant post-quantum encryption across all major components. The deployment includes post-quantum hybrid ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) encryption across Secure Web Gateway, Zero Trust, and Wide Area Network services.

What's New

  • Cloudflare One Appliance: Post-quantum encryption support is generally available as of version 2026.2.0. The appliance establishes encrypted tunnels from customer networks to Cloudflare's global network.
  • Cloudflare IPsec: Support for post-quantum encryption is now in closed beta. Customers can request access through Cloudflare's closed beta program. IPsec runs at the scale of Cloudflare's global network and supports both site-to-site WAN connections and outbound internet connectivity.

Why This Matters

The shift to post-quantum cryptography is urgent, not distant:

  • NIST Deadline: The National Institute of Standards and Technology set a 2030 deadline for deprecating RSA and Elliptic Curve Cryptography (ECC), requiring organizations to migrate to post-quantum standards.
  • Harvest Now, Decrypt Later Threat: Attackers are currently harvesting encrypted network traffic to decrypt later when quantum computers become sufficiently powerful. Any data with a lifespan beyond a few years—financial records, health data, state secrets—is already at risk.
  • Crypto Agility: Cryptographic upgrades are historically slow and difficult; MD5 caused problems 20 years after deprecation. Integrating PQ encryption directly into Cloudflare One provides built-in crypto agility to simplify future transitions.

Technical Implementation

Cloudflare is deploying hybrid ML-KEM, which runs in parallel with classical Elliptic Curve Diffie-Hellman (ECDHE) key agreement. Because the session keys depend on both exchanges, recorded traffic stays protected unless both are broken, so this hybrid approach stops harvest-now-decrypt-later attacks while maintaining backward compatibility with classical cryptography and incurring minimal performance impact. Over 60% of human-generated TLS traffic to Cloudflare's network is already protected with hybrid ML-KEM.
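
A defender-side check for the hybrid key agreement described above, as an added example (not Cloudflare's code): it parses a TLS 1.3 ClientHello handshake message (without the 5-byte record header) and reports whether the client offers a hybrid ML-KEM group. The group codepoints come from the IANA TLS Supported Groups registry, not from the page; the function names are hypothetical and the sample ClientHello is constructed.

```python
# IANA TLS Supported Groups: SecP256r1MLKEM768, X25519MLKEM768, SecP384r1MLKEM1024
HYBRID_PQ = {0x11EB, 0x11EC, 0x11ED}

def _vec(buf, off, nlen):
    """Read a vector with an nlen-byte length prefix; return (body, next_offset)."""
    end = off + nlen + int.from_bytes(buf[off:off + nlen], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + nlen:end], end

def offered_groups(hello):
    """Return (supported_groups, key_share groups) of a ClientHello handshake message."""
    if not hello or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _vec(hello, 1, 3)
    off = 2 + 32                      # skip legacy_version + random
    for nlen in (1, 2, 1):            # session_id, cipher_suites, compression_methods
        _, off = _vec(body, off, nlen)
    exts = _vec(body, off, 2)[0] if off < len(body) else b""
    supported, shares, i = [], [], 0
    while i < len(exts):
        etype = int.from_bytes(exts[i:i + 2], "big")
        data, i = _vec(exts, i + 2, 2)
        if etype == 10:               # supported_groups
            lst = _vec(data, 0, 2)[0]
            supported = [int.from_bytes(lst[k:k + 2], "big") for k in range(0, len(lst), 2)]
        elif etype == 51:             # key_share: entries of (group, key_exchange)
            entries, j = _vec(data, 0, 2)[0], 0
            while j < len(entries):
                shares.append(int.from_bytes(entries[j:j + 2], "big"))
                _, j = _vec(entries, j + 2, 2)
    return supported, shares

def classify(hello):
    supported, shares = offered_groups(hello)
    if HYBRID_PQ & set(shares):
        return "hybrid-pq-keyshare"
    # Listed in supported_groups only: the server needs a HelloRetryRequest to use it.
    return "hybrid-pq-supported-only" if HYBRID_PQ & set(supported) else "classical-only"

def sample_hello(groups, shares):
    """Constructed ClientHello with dummy key_share bytes (sample data, not a capture)."""
    v = lambda b, n: len(b).to_bytes(n, "big") + b
    u16 = lambda x: x.to_bytes(2, "big")
    exts = u16(10) + v(v(b"".join(map(u16, groups)), 2), 2)
    exts += u16(51) + v(v(b"".join(u16(g) + v(bytes(4), 2) for g in shares), 2), 2)
    body = b"\x03\x03" + bytes(32) + v(b"", 1) + v(b"\x13\x01", 2) + v(b"\x00", 1) + v(exts, 2)
    return b"\x01" + v(body, 3)
```

Clients classified as `classical-only` are the ones whose recorded sessions remain exposed to harvest-now-decrypt-later.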

Next Steps

Organizations using Cloudflare One should update to appliance version 2026.2.0 or later to enable post-quantum encryption. Those interested in the closed beta for Cloudflare IPsec post-quantum support can request access via Cloudflare's security program.