//07 Post-quantum

Encrypted against computers that don't exist yet.

ML-KEM-768 + X25519 hybrid key exchange on every connection. NIST FIPS 203 standard. Your sessions stay private against tomorrow's quantum computer.

//01 Why this matters

Harvest now, decrypt later.

State-level adversaries already record encrypted traffic at scale, betting that practical quantum computers will let them decrypt it within the next 10-15 years. The cryptography that protects most internet traffic today — RSA, ECDH, ECDSA — is provably breakable by a sufficiently powerful quantum computer using Shor's algorithm. Anything you send through a VPN today that depends on those primitives could be readable in 2035. Post-quantum cryptography fixes this now, not when the quantum computer arrives, because by then your archived traffic is already in the queue.

//02 How it works

Hybrid KEM, every session, no fallback.

On every connection, SecureFox negotiates a hybrid key exchange combining X25519 (classical, fast, well-understood) with ML-KEM-768 (post-quantum, NIST FIPS 203). The session key is derived from both shared secrets, so an attacker has to break both algorithms to recover it. ML-KEM-768 is quantum-resistant by design; X25519 is the backstop in case some unknown weakness is later found in ML-KEM. There is no non-PQC fallback path: even if you're on a server that doesn't support hybrid (we audited; they all do), the connection fails closed rather than downgrading.

PQ algorithm: ML-KEM-768 (NIST FIPS 203)
Classical algorithm: X25519 (RFC 7748)
Hybrid mode: Concatenated KDF — must break both
Negotiation: Mandatory; no PQC-disabled fallback
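
The concatenated KDF and fail-closed negotiation described above, as an added example; this is not SecureFox's code. Assumptions: the mode label, the concatenation order, HKDF-SHA256 as the KDF, the info string and the transcript binding are illustrative, and the two 32-byte inputs stand in for real X25519 and ML-KEM-768 shared secrets.

```python
import hashlib
import hmac

HYBRID = "x25519+mlkem768"  # hypothetical label for the only acceptable mode
SS_LEN = 32  # X25519 and ML-KEM-768 both output 32-byte shared secrets


class HandshakeError(Exception):
    """Raised to abort the connection; there is no downgrade path."""


def negotiate(client_modes, server_modes):
    # Fail closed: if either side does not offer the hybrid mode, abort
    # instead of settling on a classical-only mode both sides share.
    if HYBRID not in client_modes or HYBRID not in server_modes:
        raise HandshakeError("hybrid mode not offered; refusing to downgrade")
    return HYBRID


def hkdf_sha256(ikm, salt, info, length=32):
    # HKDF (RFC 5869): extract a PRK from the input, then expand it.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(ss_x25519, ss_mlkem, transcript):
    # Both secrets are mandatory; a missing or short one aborts the handshake.
    for name, ss in (("X25519", ss_x25519), ("ML-KEM-768", ss_mlkem)):
        if not isinstance(ss, (bytes, bytearray)) or len(ss) != SS_LEN:
            raise HandshakeError(f"{name} shared secret missing or wrong length")
    if hmac.compare_digest(bytes(ss_x25519), b"\x00" * SS_LEN):
        raise HandshakeError("X25519 produced the all-zero output (RFC 7748 check)")
    # Concatenate, then KDF: an attacker who recovers only one of the two
    # secrets still lacks the KDF input. Order here is an assumption.
    ikm = bytes(ss_x25519) + bytes(ss_mlkem)
    return hkdf_sha256(ikm, b"", b"hybrid-demo v1" + transcript)
```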

//03 Use cases

Who needs PQC today.

01. Anyone with long-lived sensitive data

If what you're sending now would still be sensitive in 2035 (health records, legal documents, source code, personal communications), PQC is the only thing keeping it private long-term.

02. Journalists, activists, dissidents

Traffic recorded by state-level adversaries is the most-targeted dataset for future quantum decryption.

03. Anyone who'd rather not bet on quantum timelines

Nobody knows exactly when practical quantum computing arrives. PQC is the only way to be certain that the timeline doesn't matter for your traffic.

//04 What you get

Quantum-safe by default.

  • ML-KEM-768 hybrid key exchange on every session
  • NIST FIPS 203 standard — government-grade approval
  • No 'enable PQC' toggle — it's mandatory, always on
  • Hybrid mode protects against unknown weaknesses in either algorithm
  • Forward secrecy: each session uses fresh keys; harvest-now-decrypt-later attacks fail

//05 PQC FAQ

Common questions about post-quantum cryptography.

When will quantum computers actually break current crypto?

Most credible estimates put the threshold at 2030-2040 for breaking RSA-2048 or P-256. Cryptographically relevant quantum computers don't exist yet. The point of PQC today is that adversaries are already archiving traffic in anticipation.

Why ML-KEM-768 specifically?

It's the NIST-selected lattice-based key encapsulation mechanism, standardised as FIPS 203 in August 2024. It offers a strong security-performance balance and has the broadest ecosystem support of any PQ algorithm.

Does PQC slow down my connection?

Negligibly. ML-KEM-768 adds about 1 KB to the handshake and a few hundred microseconds of CPU. Once the session key is established, the data path is the same AES-256-GCM as any other connection.

Why hybrid instead of pure PQC?

PQ algorithms are newer and less battle-tested than X25519. Hybrid mode means an attacker needs to break BOTH — so even if some weakness is later found in ML-KEM, you're still protected by X25519.

Do other VPNs offer this?

A few do, usually as an opt-in. We chose to make it mandatory because the cost is negligible and the harvest-now-decrypt-later attack is already happening.

[ Ready ]

Try it free.

Anonymous mode gives you 1 GB every week, no account required. Sign up later for 2 GB.