Chainguard Containers Enabled with PQC Support
Key Takeaways
Support for Post-Quantum Cryptography (PQC) is in active development.
Chainguard Containers now support PQC.
PQC offers protection against “harvest now, decrypt later” attacks.
FIPS certified PQC is being prepared for submission.
What is Post-Quantum Cryptography?
Post-Quantum Cryptography (PQC) is a set of algorithms that can withstand attacks by future quantum computers. Many currently prevalent algorithms, particularly asymmetric algorithms such as RSA and ECC (e.g. P-256 and Ed25519), are vulnerable to attacks from quantum computers and are therefore not considered PQC. In contrast, symmetric encryption algorithms (e.g. AES) and cryptographic hashes (e.g. SHA2-256) are expected to remain resistant to attacks from quantum computers.
The National Institute of Standards and Technology (NIST) is actively developing PQC standards. In 2024, NIST’s PQC Project published FIPS 203, FIPS 204 and FIPS 205. Parallel efforts at the Internet Engineering Task Force (IETF) strive to integrate PQC into other standards: for example, by using FIPS 203 ML-KEM and FIPS 204 ML-DSA for TLS 1.3 and CMS respectively.
While PQC may seem like the solution to a distant problem (NIST’s draft transition timeline targets adoption in 2035), “harvest now, decrypt later” attacks pose a more immediate threat. If encrypted communication is recorded and stored today, it could be decrypted once quantum computing becomes powerful enough, a point known as “Q-day.” Protecting today’s communication against the future “Q-day” is driving many organizations towards more aggressive timelines for PQC, and is the reason ML-KEM-based TLS key exchange is needed much sooner than 2035.
What is Chainguard doing to offer PQC today?
As of April 2025, Chainguard Containers have been upgraded with PQC support through the following upstream releases:
These releases implement FIPS 203 ML-KEM as well as other PQC algorithms, providing meaningful PQC support for TLS and SSH based communications.
This enables Chainguard Containers customers to start protecting sensitive communications today, so they can remain private for more than 10 years, regardless of when “Q-day” comes. In addition, developers using Chainguard base images can now develop their own applications with PQC support.
When will FIPS certified implementations become available for PQC?
Now that non-certified implementations of PQC are available, the certification process can begin in earnest. For Java, BouncyCastle FIPS Java API (BC-FJA) 2.2.0 is in testing with ML-KEM support. In addition, Chainguard plans to submit the OpenSSL 3.5 based FIPS module with ML-KEM in approved mode for certification later this year. Upon submission, certification approval typically takes two years.
Summary
Chainguard Containers now offer protection against “harvest now, decrypt later” quantum computing threats. With Chainguard base images, customers can now start developing and deploying applications with PQC support. Chainguard and our partners are pleased to provide updates on our progress toward achieving FIPS certified PQC implementations. Reach out today to give us feedback to help us enhance our offerings. We look forward to sharing continued updates on our progress.