From 4ba3174576244fdd224275cc87ca2e219a60a132 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:14:45 -0600 Subject: [PATCH 01/10] DOCS-426: document hybrid PQC coverage and reference page --- .../configure-gateway/_order.yaml | 1 + .../gateway-pqc-support-reference.md | 61 +++++++++++++++++++ .../configure-gateway/gateway-tls-settings.md | 6 +- .../configure-gateway/index.md | 2 + .../gateway-docker-advanced-configuration.md | 6 +- 5 files changed, 72 insertions(+), 4 deletions(-) create mode 100644 docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md diff --git a/docs/Akeyless Gateway/configure-gateway/_order.yaml b/docs/Akeyless Gateway/configure-gateway/_order.yaml index 02a838f30..f9208e384 100644 --- a/docs/Akeyless Gateway/configure-gateway/_order.yaml +++ b/docs/Akeyless Gateway/configure-gateway/_order.yaml @@ -1,5 +1,6 @@ - gateway-authentication-and-access - gateway-tls-settings +- gateway-pqc-support-reference - gateway-certificate-store - gateway-zero-knowledge - gateway-caching diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md new file mode 100644 index 000000000..1f72e41cd --- /dev/null +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -0,0 +1,61 @@ +--- +title: PQC Support Reference +excerpt: Hybrid PQC profile and coverage details for Akeyless SaaS and Gateway +deprecated: false +hidden: false +metadata: + title: '' + description: '' + robots: index +next: + description: '' +--- +Use this page as a formal reference for hybrid post-quantum cryptography (PQC) support in Akeyless SaaS and Akeyless Gateway TLS connections. + +## Cryptography Profile + +Akeyless TLS hybrid PQC connections use the following profile: + +| Parameter | Value | +| --- | --- | +| TLS version | `TLS 1.3` | +| Hybrid key exchange identifier | `X25519MLKEM768` | +| Classical component | `X25519` | +| Post-quantum component | `MLKEM-768` | + +`X25519MLKEM768` indicates a hybrid key exchange where both classical and post-quantum algorithms participate in the TLS handshake. + +## Coverage and Configuration Matrix + +| Connection path | Hybrid PQC support | Required action | +| --- | --- | --- | +| Client to Akeyless SaaS | Enabled by default | No user configuration required | +| Client to Akeyless Gateway endpoint | Supported | Configure Gateway for TLS 1.3 and set Go runtime flag | +| Gateway to Akeyless SaaS | Enabled by default | No user configuration required | + +## Gateway Configuration Requirements + +To enable hybrid PQC for the Akeyless Gateway endpoint, set both environment variables in the deployment: + +* `MIN_TLS_VERSION=TLSv1.3` +* `GODEBUG=tlsmlkem=1` + +Deployment examples: + +* [Gateway Docker Advanced Configuration](https://docs.akeyless.io/docs/gateway-docker-advanced-configuration) +* [Gateway Kubernetes Helm Values Reference](https://docs.akeyless.io/docs/gateway-kubernetes-helm-values-reference) + +## Verification Guidance + +To verify hybrid PQC on a Gateway endpoint: + +1. Open the Gateway endpoint over HTTPS in a browser. +2. Open the browser connection security details. +3. Confirm the negotiated key exchange includes `X25519MLKEM768`. + +This confirms that TLS uses a hybrid key exchange with both classical and post-quantum components. + +## Related Resources + +* [TLS Settings](https://docs.akeyless.io/docs/gateway-tls-settings) +* [Akeyless Blog: Akeyless Advances Security with Post-Quantum Hybrid TLS 1.3](https://www.akeyless.io/blog/post-quantum-akeyless-hybrid-tls-1-3/) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md b/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md index b93f67c98..4fdc44c35 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md @@ -32,13 +32,17 @@ To configure TLS, on your [Gateway Configuration Manager](https://docs.akeyless. ## TLS 1.3 and PQC -To enable hybrid post-quantum key exchange on the Gateway, configure the deployment to use TLS 1.3. +For Akeyless SaaS endpoints, hybrid post-quantum key exchange is enabled by default over TLS 1.3. + +For Akeyless Gateway endpoints, hybrid post-quantum key exchange is enabled after the Gateway deployment is configured with both TLS 1.3 and the Go runtime `tlsmlkem` flag. For deployment-specific steps, see: * [Gateway Docker Advanced Configuration](https://docs.akeyless.io/docs/gateway-docker-advanced-configuration) * [Gateway Kubernetes Helm Values Reference](https://docs.akeyless.io/docs/gateway-kubernetes-helm-values-reference) +For a formal algorithm and coverage reference, see [PQC Support Reference](https://docs.akeyless.io/docs/gateway-pqc-support-reference). + After deployment, verify that the browser connection details show `X25519MLKEM768`, which confirms a hybrid key exchange (`X25519` + `MLKEM-768`). ## Updating a TLS Certificate diff --git a/docs/Akeyless Gateway/configure-gateway/index.md b/docs/Akeyless Gateway/configure-gateway/index.md index 33e1022c6..94cdab3bc 100644 --- a/docs/Akeyless Gateway/configure-gateway/index.md +++ b/docs/Akeyless Gateway/configure-gateway/index.md @@ -38,6 +38,8 @@ The following configuration features are available: * Configure HTTPS behavior and certificate usage in [TLS Settings](https://docs.akeyless.io/docs/gateway-tls-settings). +* Review cryptography profile and coverage details in [PQC Support Reference](https://docs.akeyless.io/docs/gateway-pqc-support-reference). + * Manage trusted private CAs in [Certificate Store](https://docs.akeyless.io/docs/gateway-certificate-store). * Configure encryption posture with customer fragments in [Zero Knowledge](https://docs.akeyless.io/docs/gateway-zero-knowledge). diff --git a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md index b9ece1fbe..8c1714e53 100644 --- a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md +++ b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md @@ -335,7 +335,7 @@ This confirms the connection is using **TLS 1.3 with hybrid post-quantum key exc #### Gateway Restart Requirement -To enable PQC support, restart the Gateway with the required environment variables: +To enable hybrid PQC support on the Gateway endpoint, restart the Gateway with the required environment variables: ```shell docker run -d \ @@ -349,9 +349,9 @@ akeyless/base:latest-akeyless The variables `MIN_TLS_VERSION=TLSv1.3` and `GODEBUG=tlsmlkem=1` enable hybrid PQC support (`X25519 + MLKEM-768`) on the Gateway container. -> 📘 Info +> ℹ️ **Info:** > -> Hybrid PQC support is validated at the Gateway endpoint level. Data in transit between the Gateway and Akeyless SaaS is already encrypted. +> Akeyless SaaS connections already use hybrid PQC encryption by default over TLS 1.3. The environment variables in this section are required for the Gateway endpoint configuration. ### Cache Configuration From 3d59dcd0bc5b0082ba4f6e987e5fc177a7c10262 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:26:48 -0600 Subject: [PATCH 02/10] DOCS-426: remove GODEBUG, normalize ML-KEM 768, add AKY017 enforcement --- .github/markdownlint/.markdownlint-cli2.yaml | 16 ++++++++++++++++ .../gateway-pqc-support-reference.md | 5 ++--- .../configure-gateway/gateway-tls-settings.md | 2 +- .../gateway-kubernetes-helm-values-reference.md | 11 +++-------- .../gateway-docker-advanced-configuration.md | 5 ++--- .../dfc-overview/dfc-deep-dive.md | 4 ++-- 6 files changed, 26 insertions(+), 17 deletions(-) diff --git a/.github/markdownlint/.markdownlint-cli2.yaml b/.github/markdownlint/.markdownlint-cli2.yaml index 2faaf6d33..b4113037c 100644 --- a/.github/markdownlint/.markdownlint-cli2.yaml +++ b/.github/markdownlint/.markdownlint-cli2.yaml @@ -588,6 +588,22 @@ config: example_from: "These vendors try to gyp customers." example_to: "These vendors try to cheat customers." + # ML-KEM algorithm naming (NIST FIPS 203) + - term: "MLKEM-768" + replacement: "ML-KEM 768" + example_from: "X25519 + MLKEM-768" + example_to: "X25519 + ML-KEM 768" + + - term: "ML-KEM768" + replacement: "ML-KEM 768" + example_from: "ML-KEM768 (NIST PQC KEM)" + example_to: "ML-KEM 768 (NIST PQC KEM)" + + - term: "ML-KEM-768" + replacement: "ML-KEM 768" + example_from: "ML-KEM-768 key exchange" + example_to: "ML-KEM 768 key exchange" + # AKY018: Require canonical Markdown table separator rows # # Purpose: diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index 1f72e41cd..3234ebdb1 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -21,7 +21,7 @@ Akeyless TLS hybrid PQC connections use the following profile: | TLS version | `TLS 1.3` | | Hybrid key exchange identifier | `X25519MLKEM768` | | Classical component | `X25519` | -| Post-quantum component | `MLKEM-768` | +| Post-quantum component | ML-KEM 768 | `X25519MLKEM768` indicates a hybrid key exchange where both classical and post-quantum algorithms participate in the TLS handshake. @@ -35,10 +35,9 @@ Akeyless TLS hybrid PQC connections use the following profile: ## Gateway Configuration Requirements -To enable hybrid PQC for the Akeyless Gateway endpoint, set both environment variables in the deployment: +To enable hybrid PQC for the Akeyless Gateway endpoint, set the following environment variable in the deployment: * `MIN_TLS_VERSION=TLSv1.3` -* `GODEBUG=tlsmlkem=1` Deployment examples: diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md b/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md index 4fdc44c35..6723ea39c 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md @@ -43,7 +43,7 @@ For deployment-specific steps, see: For a formal algorithm and coverage reference, see [PQC Support Reference](https://docs.akeyless.io/docs/gateway-pqc-support-reference). -After deployment, verify that the browser connection details show `X25519MLKEM768`, which confirms a hybrid key exchange (`X25519` + `MLKEM-768`). +After deployment, verify that the browser connection details show `X25519MLKEM768`, which confirms a hybrid key exchange (X25519 + ML-KEM 768). ## Updating a TLS Certificate diff --git a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-kubernetes-helm/gateway-kubernetes-helm-values-reference.md b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-kubernetes-helm/gateway-kubernetes-helm-values-reference.md index 6fea772e7..082c0ea80 100644 --- a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-kubernetes-helm/gateway-kubernetes-helm-values-reference.md +++ b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-kubernetes-helm/gateway-kubernetes-helm-values-reference.md @@ -117,27 +117,22 @@ Alternatively, you can also [configure TLS](https://docs.akeyless.io/docs/gatewa The same TLS and PQC settings apply across all cloud platforms where Akeyless Gateway runs on Kubernetes, including managed and self-managed clusters. -To enable hybrid post-quantum key exchange on the Gateway pod, set TLS 1.3 and add the Go runtime flag in `globalConfig.env`: +To enable hybrid post-quantum key exchange on the Gateway pod, set TLS 1.3 in `TLSConf`: ```yaml values.yaml TLSConf: enabled: true minimumTlsVersion: TLSv1.3 - -globalConfig: - env: - - name: GODEBUG - value: tlsmlkem=1 ``` -Apply the updated chart values and restart/upgrade the Gateway release so the pod loads the new runtime flag. +Apply the updated chart values and restart/upgrade the Gateway release. To verify PQC support, open the Gateway endpoint over HTTPS in Chrome, check the connection security details, and confirm the negotiated key exchange includes `X25519MLKEM768`. `X25519MLKEM768` confirms a hybrid key exchange: * `X25519` (classical elliptic-curve cryptography) -* `MLKEM-768` (post-quantum cryptography) +* ML-KEM 768 (post-quantum cryptography) ### OIDC Configuration diff --git a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md index 8c1714e53..ef5fcde62 100644 --- a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md +++ b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md @@ -329,20 +329,19 @@ After TLS is configured and the Gateway is available over HTTPS, validate the ne `X25519MLKEM768` confirms a hybrid key exchange: * `X25519` (classical elliptic-curve cryptography) -* `MLKEM-768` (post-quantum cryptography) +* ML-KEM 768 (post-quantum cryptography) This confirms the connection is using **TLS 1.3 with hybrid post-quantum key exchange**. #### Gateway Restart Requirement -To enable hybrid PQC support on the Gateway endpoint, restart the Gateway with the required environment variables: +To enable hybrid PQC support on the Gateway endpoint, restart the Gateway with the required environment variable: ```shell docker run -d \ -p 8000:8000 \ -p 5696:5696 \ -e MIN_TLS_VERSION=TLSv1.3 \ --e GODEBUG=tlsmlkem=1 \ --name akeyless-gateway \ akeyless/base:latest-akeyless ``` diff --git a/docs/Getting Started/dfc-overview/dfc-deep-dive.md b/docs/Getting Started/dfc-overview/dfc-deep-dive.md index 686c5c036..0472f291d 100644 --- a/docs/Getting Started/dfc-overview/dfc-deep-dive.md +++ b/docs/Getting Started/dfc-overview/dfc-deep-dive.md @@ -16,7 +16,7 @@ DFC uses standard, NIST-approved primitives: * **AES** — symmetric encryption * **HMAC** — message authentication and integrity * **KDFs** — for deriving per-operation values from fragments -* **Hybrid TLS 1.3 (ML-KEM768 + X25519)** — post-quantum–resistant communication +* **Hybrid TLS 1.3 (ML-KEM 768 + X25519)** — post-quantum–resistant communication DFC does not introduce new encryption algorithms; it introduces a new key-handling and fragmentation model. @@ -199,7 +199,7 @@ DFC enables a zero-knowledge model: DFC uses hybrid TLS 1.3 with: -* **ML-KEM768** (NIST PQC KEM) +* **ML-KEM 768** (NIST PQC KEM) * **X25519** (classical elliptic curve) These provide protection against potential future quantum attacks on captured traffic. From afc40a5ff552c7abca08f9109ca2c028a4d9a5de Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:30:51 -0600 Subject: [PATCH 03/10] DOCS-426: improve PQC support reference page (metadata, matrix fix, openssl verification, FIPS cert link) --- .../gateway-pqc-support-reference.md | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index 3234ebdb1..618ba6548 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -4,8 +4,8 @@ excerpt: Hybrid PQC profile and coverage details for Akeyless SaaS and Gateway deprecated: false hidden: false metadata: - title: '' - description: '' + title: 'PQC Support Reference | Akeyless' + description: 'Hybrid post-quantum cryptography (PQC) profile, coverage matrix, and verification guidance for Akeyless SaaS and Gateway TLS connections.' robots: index next: description: '' @@ -20,8 +20,8 @@ Akeyless TLS hybrid PQC connections use the following profile: | --- | --- | | TLS version | `TLS 1.3` | | Hybrid key exchange identifier | `X25519MLKEM768` | -| Classical component | `X25519` | -| Post-quantum component | ML-KEM 768 | +| Classical component | X25519 | +| Post-quantum component | ML-KEM 768 (NIST FIPS 203) | `X25519MLKEM768` indicates a hybrid key exchange where both classical and post-quantum algorithms participate in the TLS handshake. @@ -30,7 +30,7 @@ Akeyless TLS hybrid PQC connections use the following profile: | Connection path | Hybrid PQC support | Required action | | --- | --- | --- | | Client to Akeyless SaaS | Enabled by default | No user configuration required | -| Client to Akeyless Gateway endpoint | Supported | Configure Gateway for TLS 1.3 and set Go runtime flag | +| Client to Akeyless Gateway endpoint | Supported | Set `MIN_TLS_VERSION=TLSv1.3` on the Gateway deployment | | Gateway to Akeyless SaaS | Enabled by default | No user configuration required | ## Gateway Configuration Requirements @@ -46,15 +46,28 @@ Deployment examples: ## Verification Guidance -To verify hybrid PQC on a Gateway endpoint: +To verify hybrid PQC on a Gateway endpoint using a browser: 1. Open the Gateway endpoint over HTTPS in a browser. 2. Open the browser connection security details. 3. Confirm the negotiated key exchange includes `X25519MLKEM768`. -This confirms that TLS uses a hybrid key exchange with both classical and post-quantum components. +To verify using OpenSSL: + +```shell +openssl s_client -connect : 2>&1 | grep "Server Temp Key" +``` + +A hybrid PQC key exchange returns output similar to: + +```text +Server Temp Key: X25519MLKEM768 +``` + +Either verification method confirms that TLS is using a hybrid key exchange with both classical and post-quantum components. ## Related Resources * [TLS Settings](https://docs.akeyless.io/docs/gateway-tls-settings) +* [FIPS Certifications](https://docs.akeyless.io/docs/fips) * [Akeyless Blog: Akeyless Advances Security with Post-Quantum Hybrid TLS 1.3](https://www.akeyless.io/blog/post-quantum-akeyless-hybrid-tls-1-3/) From 15f0bb6767b8c37d9d849621fcb11f3b438c5629 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:33:03 -0600 Subject: [PATCH 04/10] DOCS-426: strengthen PQC reference intro, matrix, client compatibility, openssl caveat --- .../gateway-pqc-support-reference.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index 618ba6548..99585cb30 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -10,7 +10,7 @@ metadata: next: description: '' --- -Use this page as a formal reference for hybrid post-quantum cryptography (PQC) support in Akeyless SaaS and Akeyless Gateway TLS connections. +Akeyless implements hybrid post-quantum cryptography (PQC) for TLS connections between clients and both the Akeyless SaaS platform and Akeyless Gateway deployments. This page provides the cryptographic profile, coverage matrix, and verification steps for compliance and operational reference. ## Cryptography Profile @@ -30,7 +30,7 @@ Akeyless TLS hybrid PQC connections use the following profile: | Connection path | Hybrid PQC support | Required action | | --- | --- | --- | | Client to Akeyless SaaS | Enabled by default | No user configuration required | -| Client to Akeyless Gateway endpoint | Supported | Set `MIN_TLS_VERSION=TLSv1.3` on the Gateway deployment | +| Client to Akeyless Gateway endpoint | Supported, configuration required | Set `MIN_TLS_VERSION=TLSv1.3` on the Gateway deployment | | Gateway to Akeyless SaaS | Enabled by default | No user configuration required | ## Gateway Configuration Requirements @@ -39,11 +39,22 @@ To enable hybrid PQC for the Akeyless Gateway endpoint, set the following enviro * `MIN_TLS_VERSION=TLSv1.3` +When TLS 1.3 is enabled, the Go runtime negotiates `X25519MLKEM768` automatically. No additional flags are required. + Deployment examples: * [Gateway Docker Advanced Configuration](https://docs.akeyless.io/docs/gateway-docker-advanced-configuration) * [Gateway Kubernetes Helm Values Reference](https://docs.akeyless.io/docs/gateway-kubernetes-helm-values-reference) +## Client Compatibility + +Hybrid PQC key exchange requires both peers to support `X25519MLKEM768`. The following clients negotiate it automatically: + +* Modern browsers (Chrome 131+, Firefox 132+, Edge 131+) +* Go runtime 1.24 and later (including the Akeyless Go SDK and CLI) + +Older clients that do not support `X25519MLKEM768` fall back to a classical key exchange without disrupting the TLS connection. + ## Verification Guidance To verify hybrid PQC on a Gateway endpoint using a browser: @@ -52,7 +63,7 @@ To verify hybrid PQC on a Gateway endpoint using a browser: 2. Open the browser connection security details. 3. Confirm the negotiated key exchange includes `X25519MLKEM768`. -To verify using OpenSSL: +To verify using OpenSSL (requires OpenSSL 3.2 or later; Linux and macOS): ```shell openssl s_client -connect : 2>&1 | grep "Server Temp Key" From 4bb07750e6799ddb9171e755928cffbb03cf5372 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:35:19 -0600 Subject: [PATCH 05/10] DOCS-426: add Windows OpenSSL verification code tab --- .../configure-gateway/gateway-pqc-support-reference.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index 99585cb30..2bcc26bbb 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -63,11 +63,14 @@ To verify hybrid PQC on a Gateway endpoint using a browser: 2. Open the browser connection security details. 3. Confirm the negotiated key exchange includes `X25519MLKEM768`. -To verify using OpenSSL (requires OpenSSL 3.2 or later; Linux and macOS): +To verify using OpenSSL (requires OpenSSL 3.2 or later): -```shell +```shell Linux and macOS openssl s_client -connect : 2>&1 | grep "Server Temp Key" ``` +```powershell Windows +openssl s_client -connect : 2>&1 | Select-String "Server Temp Key" +``` A hybrid PQC key exchange returns output similar to: From 64ebe5fd292b37655c5ec67cc2b2d420989ec184 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:36:18 -0600 Subject: [PATCH 06/10] DOCS-426: refine PQC compatibility wording and verification interpretation --- .../configure-gateway/gateway-pqc-support-reference.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index 2bcc26bbb..29be4071a 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -50,7 +50,7 @@ Deployment examples: Hybrid PQC key exchange requires both peers to support `X25519MLKEM768`. The following clients negotiate it automatically: -* Modern browsers (Chrome 131+, Firefox 132+, Edge 131+) +* Current major browsers * Go runtime 1.24 and later (including the Akeyless Go SDK and CLI) Older clients that do not support `X25519MLKEM768` fall back to a classical key exchange without disrupting the TLS connection. @@ -78,7 +78,12 @@ A hybrid PQC key exchange returns output similar to: Server Temp Key: X25519MLKEM768 ``` -Either verification method confirms that TLS is using a hybrid key exchange with both classical and post-quantum components. +Interpretation: + +* `Server Temp Key: X25519MLKEM768`: Hybrid PQC is active. +* `Server Temp Key: X25519`: The connection negotiated classical key exchange. + +If you expect hybrid PQC but observe `X25519`, confirm that the client supports `X25519MLKEM768` and that the Gateway is configured with `MIN_TLS_VERSION=TLSv1.3`. ## Related Resources From d6c71ac22234895551a9944d00016195f81a59d1 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Mon, 27 Apr 2026 12:37:39 -0600 Subject: [PATCH 07/10] DOCS-426: improve PQC verification reliability and troubleshooting guidance --- .../gateway-pqc-support-reference.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index 29be4071a..eb7b8f085 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -41,6 +41,8 @@ To enable hybrid PQC for the Akeyless Gateway endpoint, set the following enviro When TLS 1.3 is enabled, the Go runtime negotiates `X25519MLKEM768` automatically. No additional flags are required. +After changing `MIN_TLS_VERSION`, restart or redeploy the Gateway so the updated value is applied. + Deployment examples: * [Gateway Docker Advanced Configuration](https://docs.akeyless.io/docs/gateway-docker-advanced-configuration) @@ -66,10 +68,10 @@ To verify hybrid PQC on a Gateway endpoint using a browser: To verify using OpenSSL (requires OpenSSL 3.2 or later): ```shell Linux and macOS -openssl s_client -connect : 2>&1 | grep "Server Temp Key" +openssl s_client -connect : -tls1_3 2>&1 | grep "Server Temp Key" ``` ```powershell Windows -openssl s_client -connect : 2>&1 | Select-String "Server Temp Key" +openssl s_client -connect : -tls1_3 2>&1 | Select-String "Server Temp Key" ``` A hybrid PQC key exchange returns output similar to: @@ -85,6 +87,12 @@ Interpretation: If you expect hybrid PQC but observe `X25519`, confirm that the client supports `X25519MLKEM768` and that the Gateway is configured with `MIN_TLS_VERSION=TLSv1.3`. +Troubleshooting checklist: + +* Confirm the command is targeting the Gateway endpoint directly. +* Confirm the Gateway has restarted after applying `MIN_TLS_VERSION=TLSv1.3`. +* Confirm the client and OpenSSL version support `X25519MLKEM768`. + ## Related Resources * [TLS Settings](https://docs.akeyless.io/docs/gateway-tls-settings) From 7c6689a786e065556a7de54b8c654a5f85ae0998 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 5 May 2026 07:43:18 -0600 Subject: [PATCH 08/10] DOCS-426: remove remaining GODEBUG reference from docker advanced config --- .../gateway-docker-advanced-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md index ef5fcde62..bf55ecf8d 100644 --- a/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md +++ b/docs/Akeyless Gateway/deploy-gateway/gateway-deploy-standalone-docker/gateway-docker-advanced-configuration.md @@ -346,7 +346,7 @@ docker run -d \ akeyless/base:latest-akeyless ``` -The variables `MIN_TLS_VERSION=TLSv1.3` and `GODEBUG=tlsmlkem=1` enable hybrid PQC support (`X25519 + MLKEM-768`) on the Gateway container. +Setting `MIN_TLS_VERSION=TLSv1.3` enables hybrid PQC support (X25519 + ML-KEM 768) on the Gateway container. > ℹ️ **Info:** > From ac84c88f8d94e84580d7459b741c130d2818b23a Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 5 May 2026 07:53:55 -0600 Subject: [PATCH 09/10] DOCS-426: add .gitleaks.toml allowlist for false positives in tooling files --- .gitleaks.toml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .gitleaks.toml diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 000000000..a66340692 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,27 @@ +title = "Gitleaks Configuration — technical-documentation" + +# --------------------------------------------------------------------------- +# Global allowlist +# --------------------------------------------------------------------------- +# These entries exempt specific files that contain intentional examples or +# documentation content, not real credentials. +# --------------------------------------------------------------------------- + +[allowlist] + description = "False-positive allowlist for files containing intentional credential-like examples" + + # .github/LEAK_RESPONSE.md — secret-leak response runbook. + # Contains an intentional JWT header example + # (`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...REDACTED`) used to illustrate + # how to redact JWT tokens in documentation. This is a documentation + # artifact, not a real credential. + # + # .github/markdownlint/custom-rules.js — AKY023 custom lint rule. + # Contains the string `DATABASE_PASSWORD=hardcoded123` only in a JSDoc + # comment that documents what the rule is designed to detect. This is a + # rule-description example, not a real credential. + + paths = [ + '''\.github/LEAK_RESPONSE\.md''', + '''\.github/markdownlint/custom-rules\.js''', + ] From 16ea25572cdd0e3203458527ba843cd2e9205a43 Mon Sep 17 00:00:00 2001 From: Harrison Sherwin - Akeyless Date: Tue, 12 May 2026 15:37:49 -0600 Subject: [PATCH 10/10] docs: update OpenSSL version requirement and clarify hybrid PQC configuration for Gateway --- .pre-commit-config.yaml | 2 +- .../configure-gateway/gateway-pqc-support-reference.md | 2 +- .../configure-gateway/gateway-tls-settings.md | 4 +--- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 07b3ef73c..ff7a28eef 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,7 +4,7 @@ repos: hooks: - id: gitleaks name: gitleaks (secret scan) - args: ["protect", "--staged", "--redact"] + args: ["--staged", "--redact"] # Local hooks: markdownlint, cspell, lychee # Note: These run sequentially on edited markdown files. Markdownlint uses --fix to auto-correct issues. diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md index eb7b8f085..aa351d1a3 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-pqc-support-reference.md @@ -65,7 +65,7 @@ To verify hybrid PQC on a Gateway endpoint using a browser: 2. Open the browser connection security details. 3. Confirm the negotiated key exchange includes `X25519MLKEM768`. -To verify using OpenSSL (requires OpenSSL 3.2 or later): +To verify using OpenSSL (requires OpenSSL 3.5.0 or later): ```shell Linux and macOS openssl s_client -connect : -tls1_3 2>&1 | grep "Server Temp Key" diff --git a/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md b/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md index 6723ea39c..fef5a412b 100644 --- a/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md +++ b/docs/Akeyless Gateway/configure-gateway/gateway-tls-settings.md @@ -34,15 +34,13 @@ To configure TLS, on your [Gateway Configuration Manager](https://docs.akeyless. For Akeyless SaaS endpoints, hybrid post-quantum key exchange is enabled by default over TLS 1.3. -For Akeyless Gateway endpoints, hybrid post-quantum key exchange is enabled after the Gateway deployment is configured with both TLS 1.3 and the Go runtime `tlsmlkem` flag. +For Akeyless Gateway endpoints, hybrid post-quantum key exchange is enabled when the Gateway is configured to use TLS 1.3. For deployment-specific steps, see: * [Gateway Docker Advanced Configuration](https://docs.akeyless.io/docs/gateway-docker-advanced-configuration) * [Gateway Kubernetes Helm Values Reference](https://docs.akeyless.io/docs/gateway-kubernetes-helm-values-reference) -For a formal algorithm and coverage reference, see [PQC Support Reference](https://docs.akeyless.io/docs/gateway-pqc-support-reference). - After deployment, verify that the browser connection details show `X25519MLKEM768`, which confirms a hybrid key exchange (X25519 + ML-KEM 768). ## Updating a TLS Certificate