rigoel
Cisco Employee

Quantum computing is no longer a distant concept—it's reshaping how we think about security today. Imagine a future where the encrypted data you send now could be decrypted years later by quantum-powered adversaries. This "harvest now, decrypt later" threat is real, and organizations must act proactively to protect sensitive information. 

Enter the Cisco 8000 Series Secure Routers, designed to help you stay ahead of this quantum curve. These routers support quantum-safe encryption using Post-Quantum Pre-shared Keys (PPKs) based on RFC 8784, which strengthen IKEv2 and IPsec sessions against both classical and quantum attacks. By combining PPKs with Diffie-Hellman secrets, they create session keys resilient to even the most advanced quantum threats. 

What’s truly empowering is the Bring Your Own Key (BYOK) capability via the Secure Key Integration Protocol (SKIP). This flexibility lets you choose your key sources—from your own key management systems to Cisco Secure Key Server or even quantum key distribution solutions—tailoring security to your unique needs and compliance requirements. 

Currently, quantum-resistant PPKs are deployable on IKEv2-based IPsec VPNs like FlexVPN and DMVPN, securing data traversing IPsec tunnels. Available starting with Cisco IOS XE Release 17.11.1a, this feature enables organizations to future-proof their networks today. 

Are you ready to rethink your security strategy and embrace a quantum-resilient future? Dive deeper into the possibilities and explore the full potential of Cisco 8000 Series Secure Routers by reading the attached detailed whitepaper below. Equip your organization to safeguard data now and prepare for tomorrow’s quantum era.
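
The PPK mixing step defined in RFC 8784, shown here as an added example that is not part of the original post or Cisco's implementation. It assumes HMAC-SHA-256 as the negotiated PRF and uses constructed key and nonce values to show why IPsec keys derived with a PPK differ from what the Diffie-Hellman secret alone would yield.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 is the PRF negotiated for the IKE SA.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ (RFC 7296, 2.13): T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def mix_ppk(ppk, sk_d, sk_pi, sk_pr):
    # RFC 8784, section 3: SK_d = prf+(PPK, SK_d'), likewise SK_pi and SK_pr.
    # The IKE SA encryption and integrity keys (SK_e*, SK_a*) are not changed.
    return tuple(prf_plus(ppk, k, len(k)) for k in (sk_d, sk_pi, sk_pr))

def child_keymat(sk_d, ni, nr, length):
    # IPsec (Child SA) keys without a fresh DH: KEYMAT = prf+(SK_d, Ni | Nr)
    return prf_plus(sk_d, ni + nr, length)

# Constructed sample values, not real key material.
SK_D_PRIME = bytes.fromhex("11" * 32)   # DH-derived, recoverable by a future quantum attacker
SK_PI_PRIME = bytes.fromhex("22" * 32)
SK_PR_PRIME = bytes.fromhex("33" * 32)
NI, NR = bytes.fromhex("aa" * 16), bytes.fromhex("bb" * 16)  # nonces, sent in the clear
PPK = bytes.fromhex("5c" * 32)          # shared out of band, never sent on the wire

def compare():
    sk_d, _, _ = mix_ppk(PPK, SK_D_PRIME, SK_PI_PRIME, SK_PR_PRIME)
    return {
        "with_ppk": child_keymat(sk_d, NI, NR, 64),
        # What someone holding only the recorded exchange and the DH secret derives:
        "dh_only": child_keymat(SK_D_PRIME, NI, NR, 64),
    }

if __name__ == "__main__":
    for name, keymat in compare().items():
        print(name, keymat.hex()[:32], "...")
```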

 

Comments
Marvin Rhoads
Hall of Fame

@rigoel,

Thanks for sharing this informative document. I look forward to the release of comprehensive PQC in Cisco's firewall platforms.

Joseph W. Doherty
Hall of Fame

I agree with @Marvin Rhoads, the attachment is an interesting read, but yet . . .

Personally, I wouldn't be too concerned about quantum-powered adversaries, just yet. In my experience, long-term future developments don't often come about as expected, let alone those that come about but are unexpected.

Yes, "harvest now, decrypt later" is a very real possibility, regardless of the specific future decryption technology that comes along. Anyone who studies cryptology should understand that. I.e., all encryption (excluding the one-time pad) is assumed to be eventually breakable. So, encryption is often considered in terms of whether it can secure your data until such time as breaking it has little or no value.

As fine as something like RFC 8784 might additionally protect some form of VPN tunnel, there's so, so much more that needs to be considered regarding data protection. For example, companies that have had major data breaches and/or their data is encrypted by an outsider and decryption is ransomed, vs. future, years from now of today's in-flight transmitted data decryption, possibly, current data security should be a more important concern.

I'm sure Cisco 8000 Series Secure Routers are, or will be, fine devices, but from my reading of RFC 8784, any device doing current encryption should be easily (?) updatable, via software, without adding much to current processing needs.

Even without something like RFC 8784 enhancements, many encrypting devices might be configured to make it more difficult to decrypt data, and/or minimize data volume exposure, using existing encryption options. (Actually, I would first suggest some form of security audit, to determine what your security requirements ought to be, and if they are currently being met.)
