About Post-Quantum Cryptography in Network Connector


Post-Quantum Cryptography (PQC) in the Network Connector protects the communication channel between Segura® Platform and isolated environments against future quantum computing attacks. This document explains what PQC is, why it matters, and how it works in the context of Network Connector.

How it works

The Network Connector acts as a secure transport channel between Segura® Platform and environments that are not directly reachable, such as on-premises networks, private infrastructure, or regulated environments.

PQC addresses the quantum threat to this channel by using algorithms whose mathematical hardness is not broken by known quantum algorithms. Starting with v4.2.2, Network Connector supports PQC using a hybrid model: the channel uses both classical and post-quantum algorithms simultaneously for key exchange and secure channel establishment.

Hybrid model

In the hybrid model, a secure channel is only established if both the classical and post-quantum key exchanges succeed. This means:

  • If an attacker can break classical cryptography (future quantum threat), the post-quantum layer still protects the channel.
  • If an unexpected flaw is found in a post-quantum algorithm, the classical layer still protects the channel.
  • Existing connectors and environments continue to operate during the transition period.

The hybrid algorithm suite used in this implementation is MLKEM768x25519-SHA256, which combines:

  • ML-KEM-768 - The NIST-standardized post-quantum key encapsulation mechanism.
  • X25519 - The classical elliptic-curve Diffie-Hellman key exchange.
  • SHA-256 - Used for key derivation and integrity.

Network layer changes

PQC uses a dedicated TCP port (51446) for communication between the agent and the vaults. This port is separate from the standard port (51445) used for classical encryption. Both ports can coexist:

Mode                    TCP Port
Classical (standard)    51445
Post-Quantum (PQC)      51446

The new port (51446) is automatically opened in the VM firewall during the upgrade process. However, it must also be manually opened on the customer's network devices (firewalls, access control lists) for PQC traffic to flow correctly.

Monitoring

Network Connector logs include a connection status report displayed every 5 seconds. This report shows the current connection mode (classical or PQC) and can be used by support teams and administrators to confirm which cryptographic mode is active. All cryptographic events and metadata are recorded for audit purposes.

For more information, see Network Connector Status log.

Key features

  • Hybrid classical/post-quantum model: Both algorithm types protect the channel simultaneously, providing defense in depth during the cryptographic transition period.
  • No operational changes for users: PQC operates entirely at the infrastructure level. No workflow changes are visible to users.
  • Backward compatibility: Connectors that have not yet been upgraded continue to operate using classical encryption. There is no forced cutover.
  • Audit logging: The cryptographic mode used in each connection is recorded in the logs.
  • Configurable per agent: PQC is enabled through an environment variable in the agent's configuration, giving administrators control over which agents use it.

Applicability

PQC in the Network Connector is relevant in the following scenarios:

  • Regulated and government environments: Organizations subject to compliance frameworks that already require or are beginning to mandate post-quantum cryptographic readiness (e.g., NIST SP 800-208, CNSA 2.0 requirements).
  • Long-lived sensitive communications: Environments where data confidentiality must be guaranteed for many years — making them targets for "harvest now, decrypt later" attacks.
  • Enterprise security roadmaps: Organizations that need to demonstrate a clear PQC adoption roadmap to auditors, partners, or customers.
  • Critical infrastructure: Deployments in environments where any future compromise of the communication channel would have severe consequences.

Limitations

  • Scope is restricted to the Network Connector channel. PQC applies exclusively to the communication between the Network Connector agent and the Segura® Platform vaults. It does not affect other communication channels within the platform.
  • Post-upgrade CLI steps are required. PQC is not activated automatically after a platform upgrade. Administrators must run specific CLI commands on primary and secondary instances before PQC becomes available. For more information, see How to enable Post-Quantum Cryptography in Network Connector.
  • Firewall configuration is required. TCP port 51446 must be manually opened on customer network devices. Environments that do not open this port cannot use PQC.
  • PQC must be explicitly enabled per agent. Agents use classical encryption by default (SENHASEGURA_QUANTUM_ENABLED: "false"). Administrators must update each agent's configuration to enable PQC.
  • No automatic fallback to classical encryption. If an agent is configured with SENHASEGURA_QUANTUM_ENABLED: "true" but the server is not ready (for example, the orbit network-connector setup command has not been run), the agent will not fall back to classical encryption. It will loop attempting to establish a PQC channel and log connection errors until the issue is resolved. This is by design: if an administrator has chosen PQC, the system treats that as an explicit security decision.
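
Because the PQC port must be opened by hand and an agent set to PQC never falls back, it helps to check the network path before changing the flag. The following preflight check is an added example, not Segura® code: it reads the flag from an agent configuration fragment and tests the port that mode needs (51445 or 51446). The function names, the sample configuration and the host name vault.example.internal are assumptions made for illustration.

```python
import re
import socket

CLASSICAL_PORT = 51445  # standard (classical) port, from the table above
PQC_PORT = 51446        # dedicated PQC port, from the table above

# Matches the flag as written on this page, e.g. SENHASEGURA_QUANTUM_ENABLED: "true"
_FLAG = re.compile(r'SENHASEGURA_QUANTUM_ENABLED\s*[:=]\s*["\']?(true|false)\b', re.I)

def pqc_enabled(config_text):
    """True only if the last uncommented flag is "true"; absent means classical (the default)."""
    value = "false"
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _FLAG.search(line)
        if match:
            value = match.group(1).lower()
    return value == "true"

def tcp_open(host, port, timeout=3.0):
    """Plain TCP connect test. Proves the network path only, not that the server-side CLI setup was run."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(config_text, vault_host, probe=tcp_open):
    """Report which port this agent needs and whether it is reachable from here."""
    wants_pqc = pqc_enabled(config_text)
    port = PQC_PORT if wants_pqc else CLASSICAL_PORT
    reachable = probe(vault_host, port)
    if reachable:
        verdict = "ok"
    elif wants_pqc:
        # No automatic fallback: the agent would retry PQC and log errors.
        verdict = "blocked-no-fallback"
    else:
        verdict = "blocked"
    return {"mode": "pqc" if wants_pqc else "classical", "port": port,
            "reachable": reachable, "verdict": verdict}

if __name__ == "__main__":
    # Constructed agent configuration fragment and a stub probe simulating
    # a network firewall that passes 51445 but not yet 51446.
    sample = 'environment:\n  SENHASEGURA_QUANTUM_ENABLED: "true"\n'
    print(preflight(sample, "vault.example.internal", probe=lambda h, p: p == CLASSICAL_PORT))
```

Run it from the agent host with the default probe against the real vault address. A "blocked-no-fallback" verdict means the agent would loop on connection errors if started with this configuration.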
