Kubernetes Blog
Follow
Post-Quantum Cryptography in Kubernetes
Post-Quantum Cryptography (PQC) is a response to the threat of quantum computers breaking current cryptographic standards. PQC algorithms are designed to be secure against attacks by both classical and quantum computers. The industry is working to standardize and adopt PQC algorithms, with the first standardized algorithm being the Module-Lattice Key Encapsulation Mechanism (ML-KEM). The transition to PQC standards is expected to take place between 2030 and 2035. In TLS, key exchange and digital signatures are two main cryptographic operations that need to be secured, with key exchange being a higher priority due to the risk of attacks. Hybrid key exchange mechanisms, which combine classical and PQC algorithms, are being adopted to secure key exchange. Support for PQC key exchange mechanisms is rapidly improving across the ecosystem, with Go, browsers, OpenSSL, and Apple all adding support for the ML-KEM based hybrid scheme. Kubernetes v1.33, which uses Go 1.24, supports hybrid post-quantum X25519MLKEM768 for TLS connections by default, making it a significant step towards making Kubernetes quantum-safe. However, there are still limitations and potential pitfalls, such as Go version mismatches and packet size issues, that need to be addressed. PQC digital signatures are still in the early stages of development and adoption, with challenges including larger key and signature sizes, performance issues, and limited toolchain support.