Post-Quantum-Safe Cryptography for OpenSSH
Quantum computing introduces a future risk to today's encrypted communications. Even though large‑scale quantum computers capable of breaking modern encryption do not yet exist, attackers can still capture encrypted data now with the intent to decrypt it later. This threat model is known as:
- Harvest Now, Decrypt Later (HNDL)
- Store Now, Decrypt Later (SNDL)
Once sufficiently powerful quantum computers become available, any data captured today using traditional cryptography may be decrypted retroactively.
Why This Matters
Intelligence disclosures have shown that mass‑collection programs such as NSA's PRISM operated on a collect‑now, analyze‑later model. Most credible security researchers now agree that multiple nation‑states actively perform HNDL/SNDL operations, including:
- People's Republic of China (PRC)
- Russia
- Five Eyes nations (Australia, Canada, New Zealand, UK, and USA)
- Israel
- Iran
- North Korea
These actors are capable of long‑term data harvesting and may be targeting information that will still be valuable years from now.
Data Types Most at Risk Today
The following categories are widely considered active HNDL targets:
- Government or classified communications
- Long‑lived secrets
- Intellectual property (R&D, AI models, pharmaceuticals, defense technologies)
- Identity and authentication material
- Encrypted archives and backups
As quantum capabilities mature, this list will expand—making it important to begin adopting Post‑Quantum (PQ) secure protocols now.
OpenSSH and Post‑Quantum Readiness
Starting with OpenSSH 9.0, hybrid post‑quantum key exchange (KEX) algorithms are supported. Hybrid PQ algorithms combine traditional elliptic‑curve cryptography with post‑quantum algorithms like sntrup761 and mlkem768, providing security even if one component is later broken.
| OS / Distro | PQ Support |
|---|---|
| RHEL 10 | PQ support included natively |
| SUSE Leap 15.6 / 16 | Supported via cryptography policy update |
| Ubuntu 24.04 LTS & 24.10 | Supported via system crypto policy update |
| Debian 12 | Supported via policy update |
| Windows Server | Depends on the installed OpenSSH version |
Note: Configuring or updating system crypto policies varies by distribution and is outside the scope of this document.
How to Check Post‑Quantum Algorithm Support
Check Supported Key Exchange Algorithms (Client Side)
Run:

```sh
ssh -Q kex | grep -E 'sntrup|mlkem'
```

Look for a hybrid algorithm name such as:

```
sntrup761x25519-sha512@openssh.com
```
Verify What Algorithm Is Actually Used (During Connection)
Run:

```sh
ssh -vv user@host
```

In the debug output, confirm that one of the PQ/hybrid algorithms appears in the negotiated KEX. The relevant line starts with `debug1: kex: algorithm:`; the key exchange is negotiated before authentication, so this line is printed even if the login itself is refused.
Check Server-Side Support
On the server (as root, since `sshd -T` prints the effective configuration after parsing `sshd_config` and any included files):

```sh
sshd -T | tr ',' '\n' | grep -E 'sntrup|mlkem'
```
Force a PQ-Safe Key Exchange (Client Side)
Example:

```sh
ssh -o KexAlgorithms=sntrup761x25519-sha512@openssh.com user@host
```
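As an added example (not part of the original article), the following POSIX shell helpers automate the checks above: listing the PQ-hybrid KEX names offered by `ssh -Q kex` or `sshd -T`, and extracting the KEX a session actually negotiated from `ssh -vv` output. The `SAMPLE_*` strings are constructed stand-ins for real output, and `probe_host_kex` assumes key-based login to the target.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for the two questions
# "which KEX is offered?" and "which KEX was negotiated?".
# The SAMPLE_* strings are constructed stand-ins for real ssh/sshd output.

# Constructed ssh -vv fragments: one PQ-hybrid session, one classic session.
SAMPLE_PQ='debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519'
SAMPLE_CLASSIC='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
# Constructed sshd -T fragment (effective server config, comma-separated KEX list).
SAMPLE_SSHD_T='port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,diffie-hellman-group14-sha256'

# List the PQ-hybrid KEX names found in text on stdin. Accepts both the
# one-per-line form of "ssh -Q kex" and the comma-separated "sshd -T" form.
pq_kex_offered() {
    tr ', ' '\n\n' | grep -E '^(sntrup761|mlkem768)'
}

# Print the KEX that a session actually negotiated, from ssh -vv output on stdin.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# Exit 0 if the KEX name is a PQ hybrid, 1 if it is classical only.
is_pq_kex() {
    case "$1" in
        sntrup761*|mlkem768*) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe a live host (assumes key-based login; BatchMode prevents password
# prompts). KEX completes before authentication, so the line is printed even
# if login is refused.
probe_host_kex() {
    ssh -vv -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>&1 | negotiated_kex
}

# Run against the constructed sample: prints "PQ: sntrup761x25519-sha512@openssh.com".
kex=$(printf '%s\n' "$SAMPLE_PQ" | negotiated_kex)
if is_pq_kex "$kex"; then echo "PQ: $kex"; else echo "classical: $kex"; fi
```

To check a real server, replace the sample with `probe_host_kex user@host` and pipe `ssh -Q kex` or `sshd -T` into `pq_kex_offered`.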
Client Compatibility
- Windows 11 (fully patched)
  - Built‑in SSH client does not currently support PQ algorithms.
- PuTTY 0.83
  - Supports both:
Summary
Adopting post‑quantum–safe SSH today helps defend against HNDL/SNDL attacks by ensuring that sensitive data recorded now cannot be decrypted by future quantum computers.
Organizations should:
- Ensure servers run OpenSSH 9.0 or newer.
- Verify OS crypto policies allow PQ hybrid algorithms.
- Confirm both clients and servers negotiate PQ-safe key exchange.
- Begin transitioning critical workflows—especially long‑term secrets and archives—to PQ‑capable tools.