    Cloudflare One: First SASE Platform with Post‑Quantum Encryption (2026)

    24 February 2026 by
    Suraj Barman

    Context & History

    During Security Week 2025, Cloudflare introduced a cloud‑native post‑quantum Secure Web Gateway and Zero Trust solution, marking a shift toward protecting enterprise traffic against quantum threats. By early 2026 the company extended this capability across its entire SASE offering, making Cloudflare One the first platform to embed modern post‑quantum (PQ) encryption in both the Secure Web Gateway and Wide Area Network (WAN) services. This development follows NIST’s 2030 deadline for retiring RSA and ECC, a timeline that has already prompted many organizations to seek crypto‑agile alternatives.

    Implementation & Best Practices

    The rollout follows a two‑step migration path: first upgrading key agreement to hybrid ML‑KEM, then preparing for quantum‑resistant digital signatures. Teams should begin by evaluating existing tunnel configurations, then enable the hybrid mode in Cloudflare IPsec and the Cloudflare One Appliance. After confirming traffic flows correctly, organizations can plan for future signature upgrades while maintaining compliance.

    Hybrid ML‑KEM Key Agreement

    Hybrid ML‑KEM combines the traditional Elliptic Curve Diffie‑Hellman (ECDHE) exchange with the lattice‑based ML‑KEM key‑encapsulation mechanism, so the derived session keys stay secure as long as either component remains unbroken. This approach requires no specialized hardware and adds minimal latency, allowing seamless integration into existing TLS and IPsec tunnels. Key takeaway: hybrid mode delivers quantum‑resistant security without sacrificing performance.

    IPsec Configuration for Post‑Quantum Mode

    To activate PQ encryption, update the Cloudflare One Appliance to version 2026.2.0 so that its IPsec profile supports PQ mode, and request beta access for the cloud‑native IPsec service. Ensure Anycast routing is enabled so traffic automatically follows the nearest healthy data center. Detailed guidance is available in the OpenAI‑Broadcom partnership overview, which outlines scaling considerations for large‑scale deployments.

    Preparing for PQ Digital Signatures

    While PQ signatures are larger than ECC equivalents, they are essential for protecting authenticity against future quantum adversaries. Begin by inventorying certificate authorities and evaluating support for emerging PQ signature schemes. Monitoring the upcoming NIST standardization updates will help align migration timelines.

    Operational Checklist

    • Verify appliance firmware is version 2026.2.0 or later.
    • Enable hybrid ML‑KEM in IPsec and test connectivity to a staging environment.
    • Document Anycast routing paths and set up health‑check alerts.
    • Plan certificate renewal cycles to include PQ signature options.
    • Review compliance reports against the GPC standards draft for alignment with emerging privacy requirements.

    Monitoring & Validation

    After deployment, use Cloudflare’s analytics dashboard to monitor handshake success rates and latency metrics. Look for the “Hybrid ML‑KEM” tag in TLS logs to confirm active PQ usage. Regularly audit key rotation policies to maintain crypto‑agility.
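
    The negotiated key agreement can also be checked independently of the dashboard by reading the key_share extension of a captured TLS 1.3 ServerHello. The following is an added example, not Cloudflare's or this article's own code: the function names are hypothetical, the input is assumed to be one ServerHello handshake message with the record header already stripped, and the sample bytes are constructed.

```python
import struct

# IANA TLS "Supported Groups" codepoints -> (name, expected ServerHello key share length).
# A hybrid server share is the ML-KEM ciphertext plus the classical ECDH public value.
HYBRID = {0x11EB: ("SecP256r1MLKEM768", 1153),
          0x11EC: ("X25519MLKEM768", 1120),
          0x11ED: ("SecP384r1MLKEM1024", 1665)}
CLASSICAL = {0x0017: ("secp256r1", 65), 0x0018: ("secp384r1", 97), 0x001D: ("x25519", 32)}
EXT_KEY_SHARE = 0x0033

def negotiated_group(server_hello: bytes):
    """Return (group_name, is_hybrid_pq) for one ServerHello handshake message."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = server_hello[4:4 + int.from_bytes(server_hello[1:4], "big")]
    try:
        pos = 2 + 32                      # legacy_version, random
        pos += 1 + body[pos]              # legacy_session_id_echo
        pos += 2 + 1                      # cipher_suite, legacy_compression_method
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("truncated ServerHello")
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == EXT_KEY_SHARE:
                if ext_len < 4:           # group only: HelloRetryRequest, no key yet
                    raise ValueError("key_share carries no key exchange data")
                group, share_len = struct.unpack_from("!HH", body, pos)
                name, expected = {**CLASSICAL, **HYBRID}.get(group, (f"unknown(0x{group:04x})", None))
                if share_len + 4 != ext_len or pos + ext_len > end or expected not in (None, share_len):
                    raise ValueError(f"malformed key_share for {name}: {share_len} bytes")
                return name, group in HYBRID
            pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ServerHello") from None
    raise ValueError("no key_share extension in ServerHello")

def sample_server_hello(group: int, share_len: int) -> bytes:
    """Constructed input (zero-filled random and key share), not a real capture."""
    key_share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)          # supported_versions: TLS 1.3
    exts += struct.pack("!HH", EXT_KEY_SHARE, len(key_share)) + key_share
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

    A result whose second element is False means the session fell back to classical key agreement, which is the case to alert on after hybrid mode has been enabled.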

    Key takeaway: systematic validation ensures the SASE platform remains secure as quantum capabilities evolve.



    Copyright © 2026 TechStora. All Rights Reserved.