Post-Quantum Encryption Now Available Across Cloudflare One
Cloudflare has extended post-quantum cryptography (PQC) support to its entire SASE (Secure Access Service Edge) platform, completing an upgrade that began with its Secure Web Gateway launch during Security Week 2025. The platform now offers standards-compliant hybrid ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) encryption across all major on-ramps and off-ramps, protecting enterprise network traffic across Zero Trust, WAN, and web gateway use cases.
What's New
Immediate availability:
- Cloudflare One Appliance support for post-quantum encryption is generally available as of version 2026.2.0
- Cloudflare IPsec post-quantum support is now in closed beta (request access via Cloudflare's beta program)
Technical approach: The implementation uses hybrid ML-KEM, which runs in parallel with classical Elliptic Curve Diffie-Hellman (ECDHE) to establish encryption keys. This hybrid approach maintains backward compatibility while adding quantum-resistant protection, and it requires no specialized hardware and imposes no physical connectivity constraints.
Why This Matters Now
Organizations cannot afford to delay post-quantum migration. NIST set a 2030 deadline for deprecating RSA and Elliptic Curve Cryptography, with other government agencies (BSI, NCSC) echoing similar timelines. Historical precedent is sobering: MD5 caused security problems 20 years after deprecation, demonstrating how cryptographic upgrades take decades to fully deploy.
The "Harvest Now, Decrypt Later" threat presents an immediate risk: attackers are already capturing encrypted traffic today so they can decrypt it once quantum computers become powerful enough. Any data with a multi-year shelf life (financial records, health data, state secrets) is vulnerable without post-quantum protection.
Developer Action Items
Organizations using Cloudflare One should:
- Update Cloudflare One Appliance deployments to version 2026.2.0 or later
- For IPsec users: request closed beta access to enable post-quantum protection in your WAN tunnels
- Audit your cryptographic inventory to identify which on-ramps and off-ramps require PQ migration
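One way to support the audit step for TLS-based on-ramps is to check which key-exchange groups a client actually offers in its ClientHello. This is an added example, not Cloudflare's code: the function names are hypothetical, the sample ClientHello is constructed, and the group codepoints are taken from the IANA TLS Supported Groups registry rather than from this page. It does not cover IPsec tunnels.

```python
# IANA TLS Supported Groups codepoints (assumption: not listed on this page).
HYBRID_PQ = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51

def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector; return (payload, next_pos)."""
    start = pos + len_bytes
    end = start + int.from_bytes(buf[pos:start], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[start:end], end

def audit_client_hello(record):
    """Report offered groups, groups with a key share, and hybrid PQ flags."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body, _ = _vec(record, 6, 3)           # handshake body
    pos = 2 + 32                            # legacy_version + random
    for width in (1, 2, 1):                 # session_id, cipher_suites, compression
        _, pos = _vec(body, pos, width)
    exts, _ = _vec(body, pos, 2)
    offered, shared, pos = [], [], 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == EXT_SUPPORTED_GROUPS:
            groups, _ = _vec(data, 0, 2)
            offered = [int.from_bytes(groups[i:i + 2], "big") for i in range(0, len(groups), 2)]
        elif ext_type == EXT_KEY_SHARE:
            shares, p = _vec(data, 0, 2)[0], 0
            while p < len(shares):
                shared.append(int.from_bytes(shares[p:p + 2], "big"))
                _, p = _vec(shares, p + 2, 2)
    name = lambda g: HYBRID_PQ.get(g) or CLASSICAL.get(g) or hex(g)
    return {"offered": [name(g) for g in offered],
            "key_shares": [name(g) for g in shared],
            "pq_offered": any(g in HYBRID_PQ for g in offered),
            "pq_key_share": any(g in HYBRID_PQ for g in shared)}

def build_sample(groups, share_sizes):
    """Constructed ClientHello for the demo (zeroed random and key bytes)."""
    v = lambda b, n: len(b).to_bytes(n, "big") + b
    sg = v(b"".join(g.to_bytes(2, "big") for g in groups), 2)
    ks = v(b"".join(g.to_bytes(2, "big") + v(bytes(n), 2) for g, n in share_sizes), 2)
    exts = b"\x00\x0a" + v(sg, 2) + b"\x00\x33" + v(ks, 2)
    body = b"\x03\x03" + bytes(32) + v(b"", 1) + v(b"\x13\x01", 2) + v(b"\x00", 1) + v(exts, 2)
    return b"\x16\x03\x01" + v(b"\x01" + v(body, 3), 2)
```

A client that offers a hybrid group without sending a key share for it can still end up on that group after a HelloRetryRequest, which is why the two flags are reported separately.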
The hybrid ML-KEM approach shows minimal performance impact and provides built-in crypto agility—the ability to swap cryptographic algorithms—which will be essential for future standards transitions.