Posted On: Aug 2, 2022

Connections to AWS Secrets Manager now support hybrid post-quantum key establishment for transport layer security (TLS) using Kyber, the key encapsulation mechanism from Round 3 of the NIST Post-Quantum Cryptography (PQC) selection process. This allows you to measure the potential performance impact of the post-quantum algorithm. You can also benefit from the longer-term confidentiality afforded by hybrid post-quantum TLS.

Hybrid post-quantum TLS combines a classical key agreement, such as ECDHE, with a post-quantum key encapsulation mechanism, in this case Kyber, which NIST has selected for future standardization. The result is that your TLS connections inherit the security properties of both the classical and post-quantum key exchanges.
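As an added illustration of the hybrid key establishment described above (not AWS or s2n-tls code), the exchange below uses Go's standard-library X25519 and ML-KEM-768, the standardized form of the Kyber algorithm this announcement names; it requires Go 1.24 or later. The combining step is simplified to a SHA-256 hash over the concatenated secrets, whereas a real TLS 1.3 stack feeds that concatenation into the HKDF key schedule.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// KeyShare is one hybrid key_share entry: an X25519 public key plus either the
// ML-KEM-768 encapsulation key (client to server) or ciphertext (server to client).
type KeyShare struct{ ECDH, KEM []byte }

// must panics on failure. A real TLS stack would instead abort the handshake
// with an alert when a peer-supplied key or ciphertext fails to parse.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine derives the session secret from both shared secrets, so recovering it
// requires breaking X25519 and ML-KEM. Simplified stand-in for the TLS 1.3 HKDF
// key schedule, which takes the same concatenation as its input keying material.
func combine(ecdhSecret, kemSecret []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, ecdhSecret...), kemSecret...))
	return sum[:]
}

// ServerHello answers a client share: fresh X25519 key, ECDH with the client's
// point, encapsulation to the client's ML-KEM key, then the combined secret.
func ServerHello(client KeyShare) (KeyShare, []byte) {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	ecdhSecret := must(priv.ECDH(must(ecdh.X25519().NewPublicKey(client.ECDH))))
	kemSecret, ct := must(mlkem.NewEncapsulationKey768(client.KEM)).Encapsulate()
	return KeyShare{priv.PublicKey().Bytes(), ct}, combine(ecdhSecret, kemSecret)
}

// RunHandshake plays the client against ServerHello and returns the secret each
// side derived; both must match for the handshake's Finished messages to verify.
func RunHandshake() (clientKey, serverKey []byte) {
	ecdhPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	kemPriv := must(mlkem.GenerateKey768())
	clientShare := KeyShare{ecdhPriv.PublicKey().Bytes(), kemPriv.EncapsulationKey().Bytes()}
	serverShare, serverKey := ServerHello(clientShare)
	ecdhSecret := must(ecdhPriv.ECDH(must(ecdh.X25519().NewPublicKey(serverShare.ECDH))))
	kemSecret := must(kemPriv.Decapsulate(serverShare.KEM)) // the PQ half
	return combine(ecdhSecret, kemSecret), serverKey
}
```

Timing RunHandshake against a plain X25519 exchange gives a rough feel for the extra cost the announcement invites you to measure; the larger ML-KEM key and ciphertext also grow the handshake messages.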

Hybrid post-quantum TLS for connecting to AWS Secrets Manager is available in all AWS Regions except for AWS GovCloud (US), AWS China (Beijing) region, operated by Sinnet, and AWS China (Ningxia) region, operated by NWCD. This hybrid post-quantum TLS cipher performs an additional post-quantum key exchange during the TLS handshake while connecting to Secrets Manager API endpoints.

For more information about hybrid post-quantum TLS support, read the documentation. Learn more about what Amazon is doing to prepare for a post-quantum cryptographic future on the Amazon Science Blog.