GitHub adds a post‑quantum secure SSH key exchange algorithm to protect Git data.
GitHub is enabling sntrup761x25519‑sha512, a hybrid key exchange that merges a post‑quantum primitive with the classic X25519 elliptic curve, to safeguard SSH connections against future quantum attacks.
Why a post‑quantum algorithm is needed
Traditional key exchange methods could be vulnerable if powerful quantum computers become available. Adding a quantum‑resistant layer ensures encrypted sessions remain confidential even after long‑term storage.
- Mitigates store now, decrypt later threats.
- Provides forward‑looking security without replacing existing cryptography.
- Aligns with industry moves toward quantum‑safe protocols (post‑quantum cryptography).
- Retains compatibility with current SSH clients that support the algorithm.
- Prepares GitHub infrastructure for upcoming cryptographic standards.
Algorithm composition and operation
The new exchange combines Streamlined NTRU Prime with Elliptic Curve Diffie‑Hellman on the X25519 curve, creating a hybrid that defaults to the strongest shared method.
- sntrup761 implements the NTRU Prime lattice‑based scheme.
- X25519 offers fast, widely‑adopted elliptic‑curve Diffie‑Hellman.
- Both sub‑algorithms generate a shared secret; the final key is derived from the combined output.
- The hybrid design ensures security is at least as strong as the classical component.
- Algorithm identifier appears as `sntrup761x25519-sha512` or `sntrup761x25519-sha512@openssh.com`.
Client compatibility and upgrade guidance
Modern OpenSSH releases (9.0+) already include the algorithm. Older clients will automatically fall back to legacy exchanges, preserving connectivity while missing the quantum‑resistant benefit.
- Run `ssh -Q kex` to list supported key exchange algorithms.
- Use `ssh -v git@github.com` and filter for `kex: algorithm:` to see the chosen method.
- Upgrade to OpenSSH 9.0 or later for automatic selection.
- If custom SSH configs force a specific algorithm, adjust or remove the override.
- Non‑SSH Git URLs (https://) are unaffected.
Rollout schedule and regional considerations
The hybrid exchange becomes active on September 17, 2025 for GitHub.com and non‑US Enterprise Cloud regions. US‑based services remain limited to FIPS‑approved algorithms until a compliant post‑quantum option is available.
- GitHub.com and global Enterprise Cloud receive the update simultaneously.
- US residency deployments retain current key exchanges due to FIPS constraints.
- Future updates may introduce FIPS‑approved post‑quantum methods.
- Monitoring tools will report algorithm usage in real time.
- Administrators can view region‑specific settings via the GitHub security dashboard.
Verification, troubleshooting, and further reading
Confirm the algorithm is in use and address any connectivity issues with the steps below. Additional guidance is available in GitHub's internal knowledge base.
- Execute `ssh -Q kex | grep sntrup761x25519` to verify client support.
- Inspect verbose SSH logs for the line `kex: algorithm:` to see the negotiated method.
- If the algorithm is not selected, ensure the client version meets the minimum requirement.
- Review GitHub's GitHub Subissues best practices for workflow impacts.
- Consult the triangular workflows guide for CLI‑related adjustments.
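
The verification steps above, together with the earlier note about custom SSH configs that force an algorithm, as an added shell example (not GitHub's or OpenSSH's own tooling): it classifies the `kex: algorithm:` line from `ssh -v` output and reports `KexAlgorithms` lines that would keep the hybrid exchange from being selected. The function names, the `debug1:` prefix assumed on the log line, and the sample log are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not GitHub's tooling): classify the negotiated SSH key exchange.
# Live use: ssh -v git@github.com 2>&1 | kex_verdict

# The two identifiers the page lists for the hybrid exchange.
PQ_KEX_NAMES='sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com'

# Read `ssh -v` output on stdin; print the first negotiated KEX name.
# [^[:space:]]* stops before a trailing CR if the log has CRLF line endings.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Succeed if $1 is one of the hybrid identifiers.
is_pq_kex() {
    for name in $PQ_KEX_NAMES; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Read `ssh -v` output on stdin; print a one-line verdict.
kex_verdict() {
    kex=$(negotiated_kex)
    if [ -z "$kex" ]; then
        echo "unknown: no kex line found"
    elif is_pq_kex "$kex"; then
        echo "hybrid-pq: $kex"
    else
        echo "classical: $kex"
    fi
}

# Read an ssh_config on stdin; print KexAlgorithms lines that block the hybrid:
# a replacement list without it, or a '-' removal that names sntrup761.
# '+' and '^' lists only extend the defaults, so they are not reported.
kex_overrides() {
    awk '{ orig = $0; sub(/=/, " ") }
         tolower($1) != "kexalgorithms" { next }
         $2 ~ /^[+^]/ { next }
         $2 ~ /^-/    { if ($2 ~ /sntrup761/) print orig; next }
         $2 !~ /sntrup761x25519/ { print orig }'
}

# Constructed sample input (not captured from a real session).
SAMPLE_LOG='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
printf '%s\n' "$SAMPLE_LOG" | kex_verdict   # classical: curve25519-sha256
```

A "classical" verdict on a client that lists the hybrid in `ssh -Q kex` points at a config override; feed the relevant `ssh_config` file to `kex_overrides` to find the line to adjust or remove.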