Today's encryption is unbreakable by classical computers, but a sufficiently large quantum computer could in principle recover the keys from recorded traffic. That's the harvest-now, decrypt-later threat. PQC defeats it by adding a quantum-resistant key exchange to every session.
What we use
ML-KEM-768 (FIPS 203, the NIST standard since August 2024) in a hybrid mode with X25519. The hybrid means even if one algorithm is broken later, the other still protects you.
Performance
PQC adds about 5 KB to the handshake and ~2 ms of CPU time. You won't notice it. It runs on every session by default; there's no setting to enable.
Why hybrid
Pure ML-KEM is theoretically sound but young. Pure X25519 is well-understood but quantum-vulnerable in the long run. The hybrid combines the two so the session is safe as long as either remains unbroken.