InfoQ Homepage News GitHub Rolls Out Post-Quantum SSH Security to Protect Code from Future Threats
GitHub Rolls Out Post-Quantum SSH Security to Protect Code from Future Threats
Nov 14, 2025 2 min read
Write for InfoQ
Feed your curiosity. Help 550k+ globalsenior developers
each month stay ahead.Get in touch
GitHub has introduced a hybrid post-quantum secure key-exchange algorithm for SSH access, marking one of the first major steps by a developer platform to defend against future cryptographic threats.
According to the company’s engineering blog, the sntrup761x25519-sha512 algorithm was enabled on 17 September 2025 across GitHub.com and most Enterprise Cloud regions outside the US.
The rollout has been phased, with some users reporting that their SSH connections are still negotiating legacy algorithms while regional updates conclude. U.S. regions remain subject to FIPS compliance requirements and are expected to follow later.
For developers, the change applies only to SSH remotes, leaving HTTPS operations unaffected. GitHub said existing key-exchange methods remain secure today but could be broken in the future by large-scale quantum computers. The hybrid model pairs the established X25519 elliptic-curve exchange with the Streamlined NTRU Prime algorithm to counter what it described as the "store now, decrypt later" risk.
That concern is not unique to GitHub. The Information Systems Audit and Control Association warned that "many organisations underestimate the rapid advancement of quantum computing and its potential to break existing encryption". A KPMG report similarly highlighted growing business concern that quantum technology could render current encryption obsolete within the coming years.
Although large-scale quantum attacks remain theoretical, the mathematics are clear. Public-key systems such as RSA and ECC rely on problems like factoring or discrete logarithms that quantum algorithms such as Shor’s could solve efficiently. In the SSH world, practitioners are already referencing the "harvest now, decrypt later" tactic as justification for acting early, as noted by SSH Communications Security.
For most GitHub users, the transition has been seamless. Clients running OpenSSH 9.0 or later automatically negotiate the new algorithm without requiring any configuration changes. Older clients continue to function but do not gain the post-quantum protection.
Some users have noted warnings shown by older SSH implementations. One post on the Atlassian community forum reported a message stating that "connection is not using a post-quantum key exchange algorithm" and may therefore be vulnerable to "store now, decrypt later" attacks, indicating that some clients are still relying on legacy exchanges.
Beyond GitHub, other organisations are experimenting with quantum-resilient protocols. The Open Quantum Safe project maintains libraries and test implementations, including hybrid SSH key-exchange support, to help organisations prepare for the post-quantum transition.
GitHub’s rollout demonstrates how post-quantum readiness is transitioning from theory to production systems. While quantum computers are not yet breaking encryption, the shift towards crypto-agility is gathering momentum. For organisations managing long-lived code or sensitive data, adapting now may prove vital to maintaining the security of that information for decades to come.
This content is in the DevOps topic
Related Topics:
-
Related Editorial
-
Related Sponsors
-
Popular across InfoQ
-
TanStack Start: A New Meta Framework Powered by React or SolidJS
-
Microsoft Patches Critical ASP.NET Core Vulnerability with 9.9 Severity Score
-
GitHub Expands Copilot Ecosystem with AgentHQ
-
Redis Critical Remote Code Execution Vulnerability Discovered after 13 Years
-
AWS Launches Capabilities by Region Tool
-
Architecture Should Model the World as It Really Is: A Conversation with Randy Shoup
-
Related Content
The InfoQ Newsletter
A round-up of last week’s content on InfoQ sent out every Tuesday. Join a community of over 250,000 senior developers. View an example