Chapter 11. Post-quantum cryptography


Post-quantum cryptography (PQC) provides cryptographic algorithms that resist attacks by quantum computers, replacing public-key methods such as RSA and ECDSA whose security a large quantum computer could break.

Post-quantum cryptography (PQC), also known as quantum-resistant cryptography, uses encryption algorithms designed to resist attacks from quantum computers.

Quantum computers use principles of quantum mechanics to perform certain calculations far faster than classical computers. A sufficiently large quantum computer running Shor's algorithm could solve the integer factorization and discrete logarithm problems that RSA and elliptic-curve cryptography rely on, compromising those widely used algorithms.

Most current encryption methods rely on mathematical problems that classical computers cannot solve in a practical time. Large-scale quantum computers could solve some of these problems more efficiently, which would weaken the security of existing cryptographic systems.

In Red Hat OpenShift Service Mesh, cryptographic algorithms protect control plane and data plane communications, including mutual TLS (mTLS) between workloads. Enabling PQC strengthens these communications by introducing quantum-resistant key exchange mechanisms while maintaining compatibility with existing infrastructure.

Note

Post-quantum cryptography (PQC) algorithms are not available on OpenShift clusters running in FIPS mode.

Configure a quantum-secure gateway by using hybrid key exchange to protect service mesh ingress traffic against quantum computing threats. The procedure restricts the TLS key exchange to X25519MLKEM768, a hybrid group that combines classical X25519 with ML-KEM-768 so that the shared secret remains secure as long as either component holds.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
  • You have deployed the Istio and IstioCNI resources.
  • You have installed the following CLI tools locally:

    • oc
    • podman
    • curl

Procedure

  • Update the Istio control plane to enable PQC by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      version: v1.27.8
      namespace: istio-system
      updateStrategy:
        type: InPlace
      values:
        meshConfig:
          accessLogFile: /dev/stdout
          tlsDefaults:
            ecdhCurves:
            - X25519MLKEM768
    EOF
    • spec.values.meshConfig.tlsDefaults.ecdhCurves limits the key exchange groups that are supported on all non-mesh Transport Layer Security (TLS) connections in your Istio deployment to the groups listed. With only X25519MLKEM768 listed, a client that does not offer that group cannot complete the handshake. The setting covers:

      • Ingress gateways: TLS connections from external clients.
      • Egress gateways: TLS connections to external services.
      • External service connections: Any TLS connections to services outside the mesh.
    Note

    This setting does not apply to mesh-internal mutual Transport Layer Security (mTLS). Communication between services within the mesh uses the default Istio mTLS configuration.

    • spec.values.meshConfig.tlsDefaults is a mesh-wide setting: it applies to every gateway in the mesh, and you cannot enable PQC algorithms for individual workloads. To use different TLS configurations for specific gateways, you must deploy separate control planes, each with its own meshConfig.tlsDefaults settings.
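After the gateway configuration is applied, the check a practitioner wants is that an external client really negotiates the hybrid group, and what a client without ML-KEM support gets back. The following Python script is an added example; it is not code from this documentation or from the Service Mesh project. It assumes OpenSSL 3.5 or later, whose `openssl s_client` prints a `Negotiated TLS1.3 group:` line after a TLS 1.3 handshake (the constructed sample outputs below mimic that format), and `probe_gateway` is a hypothetical helper that runs the real command against a host and port you supply; it is not executed here.

```python
"""Check that a Service Mesh ingress gateway negotiates X25519MLKEM768.

Added example, not code from the OpenShift Service Mesh documentation or project.
Assumes OpenSSL 3.5+ `openssl s_client`, which prints
"Negotiated TLS1.3 group: <name>" after a TLS 1.3 handshake.
"""
import re
import subprocess
from typing import Optional, Tuple

HYBRID_GROUP = "X25519MLKEM768"
GROUP_RE = re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.MULTILINE)


def negotiated_group(s_client_output: str) -> Optional[str]:
    """Return the group name reported by openssl s_client, or None if absent."""
    match = GROUP_RE.search(s_client_output)
    return match.group(1) if match else None


def classify(s_client_output: str, expected: str = HYBRID_GROUP) -> Tuple[bool, str]:
    """Decide whether the handshake used the expected group.

    Returns (ok, reason). Three outcomes matter:
      - the expected hybrid group was negotiated (pass);
      - a different group was negotiated, i.e. the gateway still accepts a
        classical-only exchange (fail);
      - no group at all, typically a handshake_failure alert (40), which is
        what a gateway restricted to X25519MLKEM768 sends to a client that
        does not offer that group (fail, but the gateway is doing its job).
    """
    group = negotiated_group(s_client_output)
    if group == expected:
        return True, f"negotiated {group}"
    if group is not None:
        return False, f"negotiated {group} instead of {expected}"
    if "handshake failure" in s_client_output or "alert number 40" in s_client_output:
        return False, "handshake failure: no key exchange group in common"
    return False, "no negotiated group found in output"


def probe_gateway(host: str, port: int = 443, offer: str = HYBRID_GROUP) -> Tuple[bool, str]:
    """Run openssl s_client against a live gateway (hypothetical helper; needs network).

    -groups limits what the client offers, so a pass proves the gateway
    supports `offer` rather than falling back to another group.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
         "-tls1_3", "-groups", offer],
        input=b"", capture_output=True, timeout=15,
    )
    combined = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return classify(combined, expected=offer)


# Constructed sample outputs (abridged) that mimic the OpenSSL 3.5 format.
SAMPLE_HYBRID = """\
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Negotiated TLS1.3 group: X25519MLKEM768
Verification: OK
"""

SAMPLE_CLASSICAL = """\
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Negotiated TLS1.3 group: X25519
Verification: OK
"""

SAMPLE_REJECTED = """\
CONNECTED(00000003)
40B7F1A0:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:1605:SSL alert number 40
---
no peer certificate available
"""

if __name__ == "__main__":
    for name, sample in (("hybrid", SAMPLE_HYBRID), ("classical", SAMPLE_CLASSICAL),
                         ("rejected", SAMPLE_REJECTED)):
        print(name, classify(sample))
```

Because the client is started with `-groups X25519MLKEM768`, a pass proves the gateway supports the hybrid group rather than silently falling back to X25519. The mirror test, `probe_gateway(host, offer="X25519")`, shows the cost of listing only X25519MLKEM768 in ecdhCurves: a client that offers only classical groups should get the handshake failure alert, which is the third sample above.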

Configure the Istio control plane to enforce a post-quantum cryptography (PQC) compliance policy, enabling quantum-resistant security for service mesh communications.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
  • You have deployed the Istio and IstioCNI resources.
  • You have installed the following CLI tools locally:

    • oc
    • podman
    • curl

Procedure

  • Update the Istio control plane to enable PQC by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      version: v1.27.8
      namespace: istio-system
      updateStrategy:
        type: InPlace
      values:
        pilot:
          env:
            COMPLIANCE_POLICY: "pqc"
    EOF
    • spec.values.pilot.env.COMPLIANCE_POLICY specifies the compliance policy that the Istio control plane enforces. Set the field to pqc to enable PQC.

Configure the Istio control plane and ztunnel to enforce a post-quantum cryptography (PQC) compliance policy, enabling quantum-resistant security for ambient mode service mesh communications.

Prerequisites

  • You are logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
  • You have deployed the Istio and IstioCNI resources with ambient mode enabled.
  • You have installed the following CLI tools locally:

    • oc
    • podman
    • curl

Procedure

  • Update the Istio control plane and ztunnel to enable PQC by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      version: v1.27.8
      namespace: istio-system
      updateStrategy:
        type: InPlace
      values:
        pilot:
          env:
            COMPLIANCE_POLICY: "pqc"
        ztunnel:
          env:
            COMPLIANCE_POLICY: "pqc"
    EOF
    • spec.values.pilot.env.COMPLIANCE_POLICY specifies the compliance policy for the Istio control plane. Set the field to pqc to enable PQC.
    • spec.values.ztunnel.env.COMPLIANCE_POLICY specifies the compliance policy for ztunnel in ambient mode. Set the field to pqc to enable PQC.
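The three procedures above set different fields, and the one failure mode that is easy to miss is ambient mode with COMPLIANCE_POLICY set on pilot but not on ztunnel, or an ecdhCurves-only configuration that a reader takes to cover mesh-internal mTLS. The following Python script is an added example, not code from this documentation or from the Service Mesh project. It lints the JSON that `oc get istio default -n istio-system -o json` prints (constructed dicts mirroring the three procedures are embedded so it runs offline), looks only at the fields this chapter uses, and takes a hypothetical `--ambient` flag to say whether ztunnel carries mesh traffic. It cannot detect whether the cluster runs in FIPS mode, where PQC algorithms are not available; check that separately.

```python
"""Lint an Istio CR for a consistent post-quantum configuration.

Added example; this is not code from the OpenShift Service Mesh project.
It assumes the JSON that `oc get istio default -n istio-system -o json`
prints and checks only the fields the procedures in this chapter set.
Usage:
    oc get istio default -n istio-system -o json | python3 pqc_lint.py [--ambient]
"""
import json
import sys
from typing import Any, Dict, List

HYBRID_GROUP = "X25519MLKEM768"


def _dig(obj: Any, *path: str) -> Any:
    """Walk nested dicts; return None if any key on the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def pqc_findings(cr: Dict[str, Any], ambient: bool = False) -> List[str]:
    """Return problems found in the CR.

    An empty list means PQC is enabled consistently for the given mode
    (ambient=True when ztunnel carries mesh traffic).
    """
    values = _dig(cr, "spec", "values") or {}
    curves = _dig(values, "meshConfig", "tlsDefaults", "ecdhCurves")
    pilot = _dig(values, "pilot", "env", "COMPLIANCE_POLICY")
    ztunnel = _dig(values, "ztunnel", "env", "COMPLIANCE_POLICY")
    findings: List[str] = []

    gateway_pqc = isinstance(curves, list) and HYBRID_GROUP in curves
    if curves is not None and not gateway_pqc:
        findings.append(f"meshConfig.tlsDefaults.ecdhCurves is set but lacks {HYBRID_GROUP}: {curves!r}")

    # COMPLIANCE_POLICY is compared exactly: "PQC" or "pqc " is not "pqc".
    if pilot is not None and pilot != "pqc":
        findings.append(f"pilot.env.COMPLIANCE_POLICY is {pilot!r}; expected 'pqc'")
    if pilot != "pqc":
        if gateway_pqc:
            # ecdhCurves covers only non-mesh TLS (ingress/egress gateways and
            # external services); mesh-internal mTLS stays on the defaults.
            findings.append("only ecdhCurves is set: gateway TLS uses the hybrid group, "
                            "mesh-internal mTLS does not (set pilot.env.COMPLIANCE_POLICY=pqc)")
        else:
            findings.append("PQC is not enabled: neither ecdhCurves nor COMPLIANCE_POLICY configures it")

    if ambient and ztunnel != "pqc":
        findings.append(f"ambient mode: ztunnel.env.COMPLIANCE_POLICY is {ztunnel!r}; expected 'pqc', "
                        "otherwise ztunnel does not enforce the PQC policy")
    return findings


def main(argv: List[str]) -> int:
    """Read the CR from stdin; exit 1 if any finding is reported."""
    findings = pqc_findings(json.load(sys.stdin), ambient="--ambient" in argv)
    for finding in findings:
        print("FINDING:", finding)
    print("ok" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


# Constructed CRs mirroring the three procedures above (only spec.values matters).
GATEWAY_ONLY_CR = {"spec": {"values": {"meshConfig": {"tlsDefaults": {"ecdhCurves": [HYBRID_GROUP]}}}}}
POLICY_CR = {"spec": {"values": {"pilot": {"env": {"COMPLIANCE_POLICY": "pqc"}}}}}
AMBIENT_CR = {"spec": {"values": {"pilot": {"env": {"COMPLIANCE_POLICY": "pqc"}},
                                  "ztunnel": {"env": {"COMPLIANCE_POLICY": "pqc"}}}}}

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the live CR after each `oc apply` and before cutting traffic over; the exit status makes it usable as a gate in a pipeline. The ecdhCurves-only finding is informational for the first procedure, which deliberately covers gateway traffic only, but it is a real gap if the intent was mesh-wide PQC.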