Cloudflare One becomes first SASE platform with post-quantum encryption across all components
Cloudflare · release, security, feature, platform · blog.cloudflare.com

Post-Quantum Encryption Now Available Across Cloudflare One

Cloudflare has extended post-quantum cryptographic protection to its complete Secure Access Service Edge (SASE) platform. Building on its earlier launch of post-quantum Secure Web Gateway and Zero Trust solutions during Security Week 2025, the company now offers standards-compliant post-quantum hybrid ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) across all major on-ramps and off-ramps.

What's New

Cloudflare IPsec WAN Protection — Post-quantum encryption is now available for Cloudflare IPsec, the cloud-native WAN-as-a-Service that establishes encrypted tunnels from customer networks to Cloudflare's global infrastructure. This service currently operates in closed beta; organizations can request access via Cloudflare's beta signup page.

Cloudflare One Appliance Support — The physical or virtual WAN appliance now includes post-quantum encryption support as of version 2026.2.0, which is generally available today. The appliance establishes Cloudflare IPsec connections and simplifies configuration while providing automatic failover to healthy data centers.

Why This Matters

Regulatory Deadline Approaching — The National Institute of Standards and Technology (NIST) has set a 2030 deadline for deprecating RSA and Elliptic Curve Cryptography (ECC) in favor of post-quantum alternatives. Organizations that delay migration risk non-compliance as the deadline nears.

Crypto Agility — Modern enterprises need the ability to swap cryptographic algorithms without extensive system overhauls. Historical precedent shows that deprecating cryptography takes decades (MD5 caused problems 20 years after deprecation). Built-in post-quantum support within Cloudflare One simplifies remote access and site-to-site connectivity provisioning.

Harvest Now, Decrypt Later — Adversaries are already collecting encrypted network traffic to decrypt once quantum computers become powerful enough. Organizations whose data stays sensitive for more than a few years (financial records, health information, state secrets) are at risk today without post-quantum protection.

Technical Details

The ML-KEM standard has achieved broad industry adoption for TLS key agreement, typically deployed alongside classical ECDHE to create "hybrid ML-KEM", a dual-algorithm approach with no reduction in security. Over 60% of human-generated TLS traffic to Cloudflare's network now uses hybrid ML-KEM, which shows that adoption is viable. The hybrid approach has minimal performance impact and requires no specialized hardware or physical infrastructure.