
Chainguard Containers Enabled with PQC Support

Dimitri John Ledkov, Principal Software Engineer, John Slack, Senior Product Manager, and Patricia Gaughen, Senior Engineering Manager

Key Takeaways


  • Support for Post-Quantum Cryptography (PQC) is in active development.

  • Chainguard Containers now support PQC.

  • PQC offers protection against “harvest now, decrypt later” attacks.

  • FIPS certified PQC is being prepared for submission.


What is Post-Quantum Cryptography?


Post-Quantum Cryptography (PQC) is a set of algorithms that can withstand attacks by future quantum computers. Many currently prevalent algorithms, particularly asymmetric algorithms such as RSA and ECC (e.g. P-256 and Ed25519), are vulnerable to attacks from quantum computers and are therefore not considered PQC. In contrast, symmetric encryption algorithms (e.g. AES) and cryptographic hashes (e.g. SHA2-256) are expected to remain resistant to attacks from quantum computers.


The National Institute of Standards and Technology (NIST) is actively developing PQC standards. In 2024, NIST’s PQC Project published FIPS 203, FIPS 204 and FIPS 205. Parallel efforts at the Internet Engineering Task Force (IETF) strive to integrate PQC into other standards: for example, by utilizing FIPS 203 ML-KEM and FIPS 204 ML-DSA for TLS 1.3 and CMS respectively.


While PQC may seem like the solution to a distant problem (NIST’s draft transition timeline targets adoption in 2035), “harvest now, decrypt later” attacks pose a more immediate threat. If encrypted communication can be recorded and stored today, then it could be decrypted once quantum computing becomes powerful enough. That point in time is known as “Q-day.” Protecting today’s communication against the future “Q-day” is driving many organizations towards more aggressive timelines for PQC, and is the reason ML-KEM-based TLS key exchange is needed much sooner than 2035.
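To see which sessions would remain exposed to “harvest now, decrypt later”, a defender can read the key-exchange group that the server selected in each TLS 1.3 ServerHello. The following is an added example, not code from the original post or from Chainguard; the function names and the zero-filled sample handshakes are constructed for illustration, and the group numbers are the IANA TLS Supported Groups code points.

```python
import struct

# IANA TLS Supported Groups code points for ML-KEM and hybrid key exchange.
PQC_GROUPS = {0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024",
              0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
              0x11ED: "SecP384r1MLKEM1024"}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
KEY_SHARE = 0x0033  # extension type of key_share

def server_hello_group(record: bytes) -> int:
    """Return the key_share group selected in a TLS 1.3 ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or hs_len < 40:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                  # legacy_version + random
    pos += 1 + body[pos]          # legacy_session_id_echo
    pos += 2 + 1                  # cipher_suite + legacy_compression_method
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == KEY_SHARE and ext_len >= 2:
            return int.from_bytes(body[pos:pos + 2], "big")
        pos += ext_len
    raise ValueError("no key_share extension in ServerHello")

def classify(record: bytes) -> str:
    """Label a recorded session by whether its key exchange used ML-KEM."""
    group = server_hello_group(record)
    if group in PQC_GROUPS:
        return f"{PQC_GROUPS[group]}: ML-KEM key exchange"
    return f"{CLASSICAL_GROUPS.get(group, hex(group))}: no ML-KEM in key exchange"

def sample_server_hello(group: int, share_len: int) -> bytes:
    """Constructed ServerHello for the demo; the key share is zero bytes."""
    ks = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)      # supported_versions: TLS 1.3
    exts += struct.pack("!HH", KEY_SHARE, len(ks)) + ks
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for grp, n in ((0x11EC, 1120), (0x001D, 32)):
        print(classify(sample_server_hello(grp, n)))
```

The parser expects the ServerHello to sit whole in a single handshake record, which is the usual case; a ServerHello without key_share (TLS 1.2, or a PSK-only resumption) raises `ValueError` rather than being classified.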


What is Chainguard doing to offer PQC today? 


As of April 2025, Chainguard Containers have been upgraded with PQC support through the following upstream releases:



These releases implement FIPS 203 ML-KEM as well as other PQC algorithms, providing meaningful PQC support for TLS and SSH based communications.


This enables Chainguard Containers customers to start protecting sensitive communications today, so they can remain private for more than 10 years, regardless of when “Q-day” comes. In addition, developers using Chainguard base images can now develop their own applications with PQC support.


When will FIPS certified implementations become available for PQC?


Now that non-certified implementations of PQC are available, the certification process can begin in earnest. For Java, BouncyCastle FIPS Java API (BC-FJA) 2.2.0 is in testing with ML-KEM support. In addition, Chainguard plans to submit the OpenSSL 3.5 based FIPS module with ML-KEM in approved mode for certification later this year. Upon submission, certification approval typically takes two years.


Summary


Chainguard Containers now offer protection against “harvest now, decrypt later” quantum computing threats. With Chainguard base images, customers can now start developing and deploying applications with PQC support. Chainguard and our partners are pleased to provide updates on our progress toward achieving FIPS certified PQC implementations. Reach out today to give us feedback to help us enhance our offerings. We look forward to sharing continued updates on our progress.
