
Protecting your secrets from tomorrow’s quantum risks

Security Blog



This article explains how AWS Secrets Manager now protects against quantum computing threats using hybrid post-quantum cryptography with ML-KEM key exchange.

  • Secrets Manager supports hybrid post-quantum TLS that combines traditional X25519 with the ML-KEM algorithm
  • Secrets Manager Agent v2.0.0+, Lambda extension v19+, and CSI Driver v2.0.0+ enable post-quantum TLS by default
  • AWS SDKs for Rust, Go, Node.js, Kotlin, Python, and Java v2 support hybrid post-quantum key exchange, with version requirements
  • Verify that post-quantum TLS is active by checking that the keyExchange field in CloudTrail tlsDetails shows X25519MLKEM768
  • No code changes are needed; upgrade client versions to enable protection against harvest-now, decrypt-later attacks
  • CRYSTALS-Kyber support is being phased out in 2026; older SDKs will fall back to traditional TLS

AWS Secrets Manager now provides quantum-resistant encryption for data in transit by default, requiring only client software upgrades to enable protection against future quantum threats.
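
The CloudTrail check from the list above, as an added example (not code from the AWS article): it groups Secrets Manager callers by the `tlsDetails.keyExchange` value their calls negotiated. The sample records, role ARNs and the `x25519` value standing in for a classical handshake are constructed; only `X25519MLKEM768` comes from the page.

```python
import json
from collections import Counter, defaultdict

PQ_KEX = "X25519MLKEM768"            # value the page says to look for
SOURCE = "secretsmanager.amazonaws.com"

def _rec(role, kex=None, source=SOURCE):
    """Build one constructed CloudTrail-shaped record (not real log data)."""
    rec = {"eventSource": source, "eventName": "GetSecretValue",
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:role/{role}"}}
    if kex:
        rec["tlsDetails"] = {"tlsVersion": "TLSv1.3", "keyExchange": kex}
    return rec

# Constructed sample; "x25519" stands in for any non-hybrid value.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("app-a", PQ_KEX), _rec("app-a", PQ_KEX),
    _rec("app-b", PQ_KEX), _rec("app-b", "x25519"),       # mixed fleet
    _rec("app-c"),                                        # no tlsDetails at all
    _rec("app-d", "x25519", source="kms.amazonaws.com"),  # other service, ignored
]})

def classify(record):
    """Return 'pq', 'classical' or 'unknown' for one CloudTrail record."""
    kex = (record.get("tlsDetails") or {}).get("keyExchange")
    if not kex:
        return "unknown"
    return "pq" if kex == PQ_KEX else "classical"

def report(log_text):
    """Group Secrets Manager callers by the key exchange their calls negotiated."""
    tally = defaultdict(Counter)
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != SOURCE:
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown-principal")
        tally[arn][classify(rec)] += 1
    out = {"pq_only": [], "upgrade": [], "unverified": []}
    for arn, counts in sorted(tally.items()):
        if counts["classical"]:
            out["upgrade"].append(arn)       # at least one non-hybrid handshake
        elif counts["unknown"]:
            out["unverified"].append(arn)    # field missing, cannot confirm
        else:
            out["pq_only"].append(arn)
    return out

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

A caller that lands in `upgrade` still has at least one client on a version that negotiates traditional TLS, which is the fallback case the list describes for older SDKs.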


