Cloudflare adds quantum-safe encryption across SASE

Cloudflare has rolled out post-quantum encryption support across its secure access service edge (SASE) platform, extending the technology beyond web traffic to private network links used by branches and data centres.

It now supports modern post-quantum encryption standards across the main elements of its Cloudflare One SASE offering, covering traffic from users through corporate locations and into cloud environments.

Post-quantum cryptography is designed to resist attacks from future quantum computers. Security agencies and standards bodies have warned that quantum computing could undermine widely used public-key encryption methods that protect data in transit.

US standards body NIST has urged organisations to upgrade cryptographic algorithms by 2030. Technology suppliers and large enterprises have already started to test and deploy new schemes, partly because of a risk known as "harvest now, decrypt later".

That threat involves adversaries collecting encrypted data now and storing it until advances in computing make decryption practical. It is most relevant for information that retains value over long periods, including health records, financial data and sensitive corporate communications.

Platform scope

Cloudflare's post-quantum coverage includes Zero Trust access controls and secure web gateway services, which it introduced previously. The latest updates extend support to IPsec and wide-area networking traffic, which commonly connects sites and remote networks back to corporate systems.

IPsec is a set of standards used for virtual private networks and site-to-site connectivity, often underpinning connections between branches, data centres and cloud environments. Adding post-quantum cryptography at this layer aims to reduce exposure in networks that rely on long-lived tunnels and persistent connectivity.

Cloudflare also highlighted support through the Cloudflare One Appliance, used in some deployments for on-premise connectivity and traffic steering. With the update, it says the major SASE components it offers are now protected using post-quantum standards.

Network routing

The changes are integrated into Cloudflare's global network, using a high-availability routing approach that automatically shifts IPsec traffic to another data centre if one becomes unavailable.

Resilient routing is a key requirement for organisations running critical applications over private links, where outages can disrupt core systems and operational processes. For SASE providers, availability also affects security controls that depend on consistent inspection and policy enforcement.

Cloudflare says its IPsec implementation follows the latest internet standards and supports interoperability across vendors. Cross-vendor compatibility remains important in enterprise networking, where organisations often run mixed environments during transition periods.

Cost and upgrades

Cloudflare says the post-quantum features are delivered natively through the platform, with no hardware upgrades or added cost. The claim addresses a common obstacle in cryptographic migrations, which often require changes to network devices, operating systems and client software.

Large-scale cryptography upgrades can take years because they affect endpoints, network infrastructure, applications and third-party integrations. For multinational organisations, the work can also involve procurement cycles and regulatory oversight.

In 2025, Cloudflare introduced post-quantum protections for its Secure Web Gateway and Zero Trust services. It describes this week's addition of IPsec and WAN support as completing post-quantum coverage across its SASE footprint.

Interest in post-quantum readiness is rising across the market, with suppliers updating TLS stacks, certificate services and VPN products. Enterprises are also assessing how to prioritise data types and network segments where long-term confidentiality matters most.

Matthew Prince, chief executive officer and co-founder of Cloudflare, said the company has been working on post-quantum standards for several years.

"Securing the Internet against future threats shouldn't be a complex burden, or a reason to fragment the web. Since 2017, we've been doing the heavy lifting to bake post-quantum standards directly into the fabric of our network," Prince said. "By bringing this protection to our entire SASE platform, we're making post-quantum security the default-no hardware upgrades, no complex configurations, and no added cost. We're ensuring that the secure connections our customers rely on today stay secure for the long haul."

Cloudflare said its quantum-safe SASE platform is available now.