Cloudflare’s New SASE Update Defeats The Quantum Threat

Cloudflare announced today it has completed the integration of post-quantum cryptography across its entire Cloudflare One SASE platform, becoming the first provider to offer comprehensive quantum-resistant encryption for enterprise networks. The rollout, which protects against future “Harvest Now, Decrypt Later” attacks by quantum computers, is available to all customers at no additional cost and requires no manual configuration for most users.

The implementation covers all major components of Cloudflare’s SASE platform, including the Secure Web Gateway, Zero Trust services, and the recently added WAN-as-a-Service offerings, according to the company’s blog post. This creates an end-to-end encrypted environment protecting data as it travels from user devices through Cloudflare’s network to private resources, even when destination servers lack quantum-resistant capabilities.

The system uses ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism), the cryptographic standard selected by the U.S. National Institute of Standards and Technology, Cloudflare stated. The company employs a hybrid approach that runs post-quantum encryption alongside traditional algorithms like ECDHE, ensuring protection against both current and future threats while maintaining compatibility with older systems.

Phased Deployment Strategy

Cloudflare is executing a two-phase rollout to ensure stability across its customer base. The first phase, which the company says was completed for consumer WARP clients by September 2025 and is expected for enterprise agents by year-end 2025, attempts quantum-resistant connections but falls back to classical encryption if necessary.

The second phase, scheduled for mid-2026, will enforce post-quantum connections exclusively: to prevent downgrade attacks, any connection that cannot establish quantum-resistant encryption will be terminated, according to Cloudflare’s announcement. Enterprise administrators can activate this stricter security immediately through MDM configuration settings.

Market Implications

The move positions Cloudflare ahead of competitors in addressing quantum computing threats that security experts warn could compromise today’s encrypted data once quantum computers become sufficiently powerful. The company explicitly contrasts its standards-based approach with what it describes as competitors’ adoption of multiple non-standard ciphersuites that could create interoperability problems.

Cloudflare argues its implementation offers a practical alternative to Quantum Key Distribution (QKD), which the company deems impractical for widespread internet deployment. The integration extends across Layer 3, Layer 4, and MASQUE protocols, providing comprehensive coverage for various network configurations.

While Cloudflare reports minimal performance impact from the new encryption, specific benchmarks have not been published. The company indicates future updates will address post-quantum digital signatures for authentication, though this is considered less urgent than protecting data in transit.

Sources

  • Cloudflare