Enabling Post-Quantum Encryption on subscription.rhsm.redhat.com and cdn.redhat.com
On 02-Jun-2026, Red Hat will enable post-quantum cryptography (PQC) key exchange on subscription.rhsm.redhat.com and cdn.redhat.com. This change adds support for hybrid post-quantum key exchange algorithms in TLS connections to these services.
Why do we need to change to a post-quantum encryption key exchange?
Advances in quantum computing pose a future threat to the cryptographic algorithms widely used today. Of particular concern is the "harvest now, decrypt later" attack strategy, where adversaries collect encrypted network traffic today with the intent of decrypting it once sufficiently powerful quantum computers become available. By enabling post-quantum key exchange now, we ensure that TLS sessions with these services are protected against this class of future attack, safeguarding the confidentiality of data in transit.
What potential issues could customers see?
Customers should not experience any disruption from this change. TLS key exchange is negotiated between the client and server during the handshake. If a client does not support post-quantum key exchange algorithms, it will automatically fall back to a traditional supported key exchange method. Existing connections and workflows will continue to function as before.
What clients support PQC?
The following Red Hat Enterprise Linux versions support post-quantum key exchange:
Red Hat Enterprise Linux 10.1 and above: PQC key exchange is supported by default.
Red Hat Enterprise Linux 9.7 and above: PQC key exchange is supported when using the DEFAULT:PQ system crypto policy.
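To confirm which side of the fallback a client lands on, the following added example (not Red Hat's tooling) classifies the key exchange group reported by `openssl s_client` and encodes the support matrix above. It assumes OpenSSL's `Negotiated TLS1.3 group:` and `Server Temp Key:` output lines and treats any group name containing MLKEM as post-quantum; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample outputs are constructed.
# Assumption: OpenSSL 3.2+ s_client prints "Negotiated TLS1.3 group: <name>";
# older builds print "Server Temp Key: <name>, <bits> bits" instead.

# Read s_client output on stdin, print the key exchange group (or nothing).
kex_group() {
    out=$(cat)
    g=$(printf '%s\n' "$out" | sed -n 's/^Negotiated TLS1\.3 group: *//p' | head -n 1)
    [ -n "$g" ] || g=$(printf '%s\n' "$out" |
        sed -n 's/^Server Temp Key: *\([^,]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "$g"
}

# Classify the group: ML-KEM based names (e.g. X25519MLKEM768) count as PQC.
classify_kex() {
    group=$(kex_group)
    case "$group" in
        "")      echo "unknown" ;;
        *MLKEM*) echo "pqc:$group" ;;
        *)       echo "classical:$group" ;;
    esac
}

# Support matrix from this article. $1 = RHEL version as X.Y,
# $2 = policy string as printed by `update-crypto-policies --show`.
pqc_expected() {
    major=${1%%.*}; minor=${1#*.}
    case ":$2:" in *:PQ:*) pq=yes ;; *) pq=no ;; esac
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 1 ]; }; then
        echo yes
    elif [ "$major" -eq 9 ] && [ "$minor" -ge 7 ] && [ "$pq" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample s_client excerpts (not captured from the real services).
SAMPLE_PQ='---
Negotiated TLS1.3 group: X25519MLKEM768
---'
SAMPLE_CLASSICAL='---
Server Temp Key: X25519, 253 bits
---'

printf '%s\n' "$SAMPLE_PQ" | classify_kex
printf '%s\n' "$SAMPLE_CLASSICAL" | classify_kex
# Live check: openssl s_client -connect cdn.redhat.com:443 </dev/null 2>/dev/null | classify_kex
```

A `classical:` result on a client for which `pqc_expected` prints `no` is the normal fallback described above, not a failure.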
What about PQC certificates?
This change only enables PQC key exchange during the TLS handshake. We plan to move to an entire certificate chain of PQC certificates at a later date, but that is not included as part of this change.
